Reverse Engineering Asked by Thành Vũ on June 3, 2021
Newbie here. Sorry for what you about to read .
I’m currently working on exploiting a binary on Ubuntu 18.04. Here is some information about the binary:
Its checksec information using pwntools:
Arch: i386-32-little
RELRO: Full RELRO
Stack: No canary found
NX: NX enabled
PIE: No PIE (0x8048000)
Its disassembled code:
./vulnprog: file format elf32-i386
Disassembly of section .init:
0804834c <_init>:
804834c: 53 push ebx
804834d: 83 ec 08 sub esp,0x8
8048350: e8 8b 00 00 00 call 80483e0 <__x86.get_pc_thunk.bx>
8048355: 81 c3 87 1c 00 00 add ebx,0x1c87
804835b: 8b 83 18 00 00 00 mov eax,DWORD PTR [ebx+0x18]
8048361: 85 c0 test eax,eax
8048363: 74 05 je 804836a <_init+0x1e>
8048365: e8 2e 00 00 00 call 8048398 <__gmon_start__@plt>
804836a: 83 c4 08 add esp,0x8
804836d: 5b pop ebx
804836e: c3 ret
Disassembly of section .plt:
08048370 <.plt>:
8048370: ff 35 e0 9f 04 08 push DWORD PTR ds:0x8049fe0
8048376: ff 25 e4 9f 04 08 jmp DWORD PTR ds:0x8049fe4
804837c: 00 00 add BYTE PTR [eax],al
...
Disassembly of section .plt.got:
08048380 <read@plt>:
8048380: ff 25 e8 9f 04 08 jmp DWORD PTR ds:0x8049fe8
8048386: 66 90 xchg ax,ax
08048388 <_exit@plt>:
8048388: ff 25 ec 9f 04 08 jmp DWORD PTR ds:0x8049fec
804838e: 66 90 xchg ax,ax
08048390 <puts@plt>:
8048390: ff 25 f0 9f 04 08 jmp DWORD PTR ds:0x8049ff0
8048396: 66 90 xchg ax,ax
08048398 <__gmon_start__@plt>:
8048398: ff 25 f4 9f 04 08 jmp DWORD PTR ds:0x8049ff4
804839e: 66 90 xchg ax,ax
080483a0 <__libc_start_main@plt>:
80483a0: ff 25 f8 9f 04 08 jmp DWORD PTR ds:0x8049ff8
80483a6: 66 90 xchg ax,ax
080483a8 <setvbuf@plt>:
80483a8: ff 25 fc 9f 04 08 jmp DWORD PTR ds:0x8049ffc
80483ae: 66 90 xchg ax,ax
Disassembly of section .text:
080483b0 <_start>:
80483b0: 31 ed xor ebp,ebp
80483b2: 5e pop esi
80483b3: 89 e1 mov ecx,esp
80483b5: 83 e4 f0 and esp,0xfffffff0
80483b8: 50 push eax
80483b9: 54 push esp
80483ba: 52 push edx
80483bb: 68 70 85 04 08 push 0x8048570
80483c0: 68 10 85 04 08 push 0x8048510
80483c5: 51 push ecx
80483c6: 56 push esi
80483c7: 68 ab 84 04 08 push 0x80484ab
80483cc: e8 cf ff ff ff call 80483a0 <__libc_start_main@plt>
80483d1: f4 hlt
80483d2: 66 90 xchg ax,ax
80483d4: 66 90 xchg ax,ax
80483d6: 66 90 xchg ax,ax
80483d8: 66 90 xchg ax,ax
80483da: 66 90 xchg ax,ax
80483dc: 66 90 xchg ax,ax
80483de: 66 90 xchg ax,ax
080483e0 <__x86.get_pc_thunk.bx>:
80483e0: 8b 1c 24 mov ebx,DWORD PTR [esp]
80483e3: c3 ret
80483e4: 66 90 xchg ax,ax
80483e6: 66 90 xchg ax,ax
80483e8: 66 90 xchg ax,ax
80483ea: 66 90 xchg ax,ax
80483ec: 66 90 xchg ax,ax
80483ee: 66 90 xchg ax,ax
080483f0 <deregister_tm_clones>:
80483f0: b8 0f a0 04 08 mov eax,0x804a00f
80483f5: 2d 0c a0 04 08 sub eax,0x804a00c
80483fa: 83 f8 06 cmp eax,0x6
80483fd: 76 1a jbe 8048419 <deregister_tm_clones+0x29>
80483ff: b8 00 00 00 00 mov eax,0x0
8048404: 85 c0 test eax,eax
8048406: 74 11 je 8048419 <deregister_tm_clones+0x29>
8048408: 55 push ebp
8048409: 89 e5 mov ebp,esp
804840b: 83 ec 14 sub esp,0x14
804840e: 68 0c a0 04 08 push 0x804a00c
8048413: ff d0 call eax
8048415: 83 c4 10 add esp,0x10
8048418: c9 leave
8048419: f3 c3 repz ret
804841b: 90 nop
804841c: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
08048420 <register_tm_clones>:
8048420: b8 0c a0 04 08 mov eax,0x804a00c
8048425: 2d 0c a0 04 08 sub eax,0x804a00c
804842a: c1 f8 02 sar eax,0x2
804842d: 89 c2 mov edx,eax
804842f: c1 ea 1f shr edx,0x1f
8048432: 01 d0 add eax,edx
8048434: d1 f8 sar eax,1
8048436: 74 1b je 8048453 <register_tm_clones+0x33>
8048438: ba 00 00 00 00 mov edx,0x0
804843d: 85 d2 test edx,edx
804843f: 74 12 je 8048453 <register_tm_clones+0x33>
8048441: 55 push ebp
8048442: 89 e5 mov ebp,esp
8048444: 83 ec 10 sub esp,0x10
8048447: 50 push eax
8048448: 68 0c a0 04 08 push 0x804a00c
804844d: ff d2 call edx
804844f: 83 c4 10 add esp,0x10
8048452: c9 leave
8048453: f3 c3 repz ret
8048455: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]
8048459: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]
08048460 <__do_global_dtors_aux>:
8048460: 80 3d 10 a0 04 08 00 cmp BYTE PTR ds:0x804a010,0x0
8048467: 75 13 jne 804847c <__do_global_dtors_aux+0x1c>
8048469: 55 push ebp
804846a: 89 e5 mov ebp,esp
804846c: 83 ec 08 sub esp,0x8
804846f: e8 7c ff ff ff call 80483f0 <deregister_tm_clones>
8048474: c6 05 10 a0 04 08 01 mov BYTE PTR ds:0x804a010,0x1
804847b: c9 leave
804847c: f3 c3 repz ret
804847e: 66 90 xchg ax,ax
08048480 <frame_dummy>:
8048480: b8 f8 9e 04 08 mov eax,0x8049ef8
8048485: 8b 10 mov edx,DWORD PTR [eax]
8048487: 85 d2 test edx,edx
8048489: 75 05 jne 8048490 <frame_dummy+0x10>
804848b: eb 93 jmp 8048420 <register_tm_clones>
804848d: 8d 76 00 lea esi,[esi+0x0]
8048490: ba 00 00 00 00 mov edx,0x0
8048495: 85 d2 test edx,edx
8048497: 74 f2 je 804848b <frame_dummy+0xb>
8048499: 55 push ebp
804849a: 89 e5 mov ebp,esp
804849c: 83 ec 14 sub esp,0x14
804849f: 50 push eax
80484a0: ff d2 call edx
80484a2: 83 c4 10 add esp,0x10
80484a5: c9 leave
80484a6: e9 75 ff ff ff jmp 8048420 <register_tm_clones>
080484ab <main>:
80484ab: 55 push ebp
80484ac: 89 e5 mov ebp,esp
80484ae: 83 ec 28 sub esp,0x28
80484b1: a1 08 a0 04 08 mov eax,ds:0x804a008
80484b6: 3d 39 05 00 00 cmp eax,0x539
80484bb: 74 07 je 80484c4 <main+0x19>
80484bd: 6a 01 push 0x1
80484bf: e8 c4 fe ff ff call 8048388 <_exit@plt>
80484c4: a1 08 a0 04 08 mov eax,ds:0x804a008
80484c9: 83 c0 01 add eax,0x1
80484cc: a3 08 a0 04 08 mov ds:0x804a008,eax
80484d1: a1 0c a0 04 08 mov eax,ds:0x804a00c
80484d6: 6a 00 push 0x0
80484d8: 6a 02 push 0x2
80484da: 6a 00 push 0x0
80484dc: 50 push eax
80484dd: e8 c6 fe ff ff call 80483a8 <setvbuf@plt>
80484e2: 83 c4 10 add esp,0x10
80484e5: 68 90 85 04 08 push 0x8048590
80484ea: e8 a1 fe ff ff call 8048390 <puts@plt>
80484ef: 83 c4 04 add esp,0x4
80484f2: 6a 40 push 0x40
80484f4: 8d 45 d8 lea eax,[ebp-0x28]
80484f7: 50 push eax
80484f8: 6a 00 push 0x0
80484fa: e8 81 fe ff ff call 8048380 <read@plt>
80484ff: 83 c4 0c add esp,0xc
8048502: 90 nop
8048503: 90 nop
8048504: c9 leave
8048505: c3 ret
8048506: 66 90 xchg ax,ax
8048508: 66 90 xchg ax,ax
804850a: 66 90 xchg ax,ax
804850c: 66 90 xchg ax,ax
804850e: 66 90 xchg ax,ax
08048510 <__libc_csu_init>:
8048510: 55 push ebp
8048511: 57 push edi
8048512: 56 push esi
8048513: 53 push ebx
8048514: e8 c7 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx>
8048519: 81 c3 c3 1a 00 00 add ebx,0x1ac3
804851f: 83 ec 0c sub esp,0xc
8048522: 8b 6c 24 20 mov ebp,DWORD PTR [esp+0x20]
8048526: 8d b3 18 ff ff ff lea esi,[ebx-0xe8]
804852c: e8 1b fe ff ff call 804834c <_init>
8048531: 8d 83 14 ff ff ff lea eax,[ebx-0xec]
8048537: 29 c6 sub esi,eax
8048539: c1 fe 02 sar esi,0x2
804853c: 85 f6 test esi,esi
804853e: 74 25 je 8048565 <__libc_csu_init+0x55>
8048540: 31 ff xor edi,edi
8048542: 8d b6 00 00 00 00 lea esi,[esi+0x0]
8048548: 83 ec 04 sub esp,0x4
804854b: ff 74 24 2c push DWORD PTR [esp+0x2c]
804854f: ff 74 24 2c push DWORD PTR [esp+0x2c]
8048553: 55 push ebp
8048554: ff 94 bb 14 ff ff ff call DWORD PTR [ebx+edi*4-0xec]
804855b: 83 c7 01 add edi,0x1
804855e: 83 c4 10 add esp,0x10
8048561: 39 f7 cmp edi,esi
8048563: 75 e3 jne 8048548 <__libc_csu_init+0x38>
8048565: 83 c4 0c add esp,0xc
8048568: 5b pop ebx
8048569: 5e pop esi
804856a: 5f pop edi
804856b: 5d pop ebp
804856c: c3 ret
804856d: 8d 76 00 lea esi,[esi+0x0]
08048570 <__libc_csu_fini>:
8048570: f3 c3 repz ret
Disassembly of section .fini:
08048574 <_fini>:
8048574: 53 push ebx
8048575: 83 ec 08 sub esp,0x8
8048578: e8 63 fe ff ff call 80483e0 <__x86.get_pc_thunk.bx>
804857d: 81 c3 5f 1a 00 00 add ebx,0x1a5f
8048583: 83 c4 08 add esp,0x8
8048586: 5b pop ebx
8048587: c3 ret
I can see that there is a buffer overflow that could be exploited inside main() function and I tried to exploit it using some of the techniques I know: execute code on stack, ret2libc, ropgadget but none of them worked. As you can see the NX is enabled, the binary is dynamically linked so there are only 79 ROPgadgets, and because of ASLR being turned on I cannot use retlibc.
I tried ret2libc by crafting the input string so that it jumped to puts() function to print out the puts() address inside the memory in order to calculate the base of libc, after that I had to return to <_start> to inject the exploit string, with the address of system() function and ‘/bin/sh’ string in memory.
It could have been a ideal plan but you can see that at address 0x080484b6 in main the program compares eax, which is loaded with the value in 0x0804a008, to 0x539 to decide to continue. When I came back from puts() function after printing out the address of puts(), that value in 0x0804a008 had been increased by one, no longer be 0x539 so the program exited.
To fix that, I tried jumping to _read() function after returning from puts() to edit the value hold by 0x0804a008 but another problem arose: The read() function only read 64 bytes into the buffer so the length for me to inject addresses was only 20 bytes.
I’m getting stucked. I’ve been searching for days but haven’t found any case that being close to mine. Can you give me some advices on how should I get this done?
I'm not sure how much of a spoiler you want, so I'll keep it fairly short for now.
The buffer is too short
Your main problem is somewhat a hint towards the solution. The logic is, if your buffer is too small, then make a new one that can fit your entire payload.
By this, I mean you need to set up a stack pivot. A stack pivot allows you to move the stack frame somewhere else where there is more room, where you'll set up your full ROP chain(s). You can pivot to somewhere else on the stack, the heap, or even in the executable's read-write sections. A good choice for this is often the executable's .data
or .bss
segment, but find an offset within where nothing critical is overwritten.
In many cases, this can be achieved using a gadget that manipulates the stack pointer (e.g. pop esp
, sub esp, 0x28
, mov esp, edi
etc.). However, in this particular program, there's an instruction that is already used that can serve as a gadget for this.
You'll also need to write to your new stack location. The program already has a function imported that you can use for this. Then, use the pieces you already figured out (libc leak, call system
, etc.) can be put in place to complete the challenge.
Answered by multithr3at3d on June 3, 2021
Get help from others!
Recent Answers
Recent Questions
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP