[go: up one dir, main page]
Scribd
Upload
3 views3 pages

Exploit 1: Stack buffer overflow.

The document outlines the exploitation of a stack buffer overflow in an unprotected C program, revealing how to gain root privileges through a setuid binary. It details the analysis process using tools like r2 and checksec, and provides steps to calculate necessary addresses for the exploit. The conclusion emphasizes the successful exploitation and warns against keeping the vulnerable program on the system.

Uploaded by

elobf7114
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
3 views3 pages

Exploit 1: Stack buffer overflow.

The document outlines the exploitation of a stack buffer overflow in an unprotected C program, revealing how to gain root privileges through a setuid binary. It details the analysis process using tools like r2 and checksec, and provides steps to calculate necessary addresses for the exploit. The conclusion emphasizes the successful exploitation and warns against keeping the vulnerable program on the system.

Uploaded by

elobf7114
Copyright
© © All Rights Reserved
We take content rights seriously. If you suspect this is your content, claim it here.
Available Formats
Download as TXT, PDF, TXT or read online on Scribd
You are on page 1/ 3

Resume

Exploitation of a Stack buffer overflow in a program written in c containing no


protection countermeasures.

Program
File: Elf x86_64
Porection: NX
Info
You can download the binary here: vuln

Process
It is always important to use the 'file' command to know the type of file going
under analyze. We can see that it is an ELF x64 program.

A good habit is to inspect the file static before running it.

We will run the program in our sandbox and see what happens.

It seems that the program read the word we entered and send us a Hello, with our
word as argument.

Let's analyze this more in deep.

Using r2 we can observe that the main program allocates a buffer, takes input using
the read function and then print Hello and input as printf argument.

The logic next step when analyzing program is to have an overview of the different
functions. We see the shell function who is really weird.

The shell function seems to call execve and pass the argument /bin/bash. But what
is execve a quick look at the man pages can tell us the truth about this function.

The man page for execve.

We can see that execve is a syscall who take the path of what should be executed as
argument. In our case /bin/bash. This clearly means that we can have a shell if we
are able to execute the shell function.

But... Let's have another look to the file...

Wait... The binary file is has the setuid bit set, this means by exploiting it we
could gain root privileges. Since the file will run under the privileges of his
owner in our case root. This will so call execve who will execute /bin/bash and
this will drop us a root shell.

Before doing anything we will analyze current protections. I will use checksec tool
for this.

Perfect, seems the only protection is NX who stands for No-Executable Stack, since
we will not executing injected shellcode we dont care about this one for now.
Let's try to enter a enormous amount of A to trigger a seg fault by overflowing the
buffer.

We successfully overwriting the buffer, we will now need 3 informations to exploit


the program.

Input buffer
Return address
Address of shell function
The Return address minus the start of the input buffer will give us the offset and
we will overwrite the return address with the address of the shell funciton.

Let's hunt theses 3 addresses.

The input buffer


To obtain the input buffer address there multiple ways, my favorite is to break
after the read call and to analyze the stack.

Input buffer = 0x7ffecc4f6af0

The return address


To obtain the return address there also a way i love a lot, by breaking at ret and
analyzing the stack pointer you can obtain this return address.

Return address = 0x7ffecc4f6bf8

Calculating the offset


To calculate the offset i use a homemade program written in C who is a simple hex
calculator. This is really useful in multiple tasks.

This famous tool can be downloaded here HexaCalc

The offset is obtained by calculating the return address minus the input buffer
address.

Its then needed to convert the hexadecimal in decimal you can use rax2 who do an
awesome work. I greatly advise you to add rax2 in your arsenal.

Offset = 108

The shell address


Since protections like PIE is disabled on this binary we can use afl from radare2
tool to get the address of the shell function. Since it is not possible to use this
method when its a Position Independant Binary i will overview in next posts how to
bypass PIE protected binaries.

A really quick way to get this is by using also objdump tool.

Shell address = 0x000000000040118f

Exploit
Time to craft our exploit!
We will use iPython for this with pwntools, this way will be very fast and
straightforward.

First importing pwntools and launching the program.

Now we convert the shell address in a hex format.

We use the p64() cause this will reverse the address to little-endian and 8 bytes
address format such as 0x8f11400000000000, if you not use p64() from pwntools be
sure to remember the correct formatting.

Finally we will interact with the process to be able to use the shell dropped.

We are now root! Congrats we exploited our first stack buffer overflow on x86_64
elf.

Here is the code we exploited.

You can download the source code here: vuln.c

Attention
Please remove the program when you finished the exploitation its really dangerous
to keep them in your system since you were able to exploit this one, an attacker
could abuse the setuid binary and owning root in your own system!

Conclusion
We sucessfully exploit our first C program, this was quite straightforward but we
learned the basics. In the next post of this exploitation serie we will exploit a
protected program.

You might also like