Protostar is a series of exercises from Exploit Exercises. In addition to three final levels, it has four basic sections: network programming, format strings, heap overflows, and stack overflows.
This series of posts contains solutions and walkthroughs for the stack overflow levels (“Stack”). It assumes basic knowledge of systems programming and is meant to serve as a reference for those stuck on certain levels. This is the second of three posts for Stack.
First, we want to find the offset to the return address. We can explore using gdb and a breakpoint on main.
info frame: Shows the location of the saved instruction pointer (eip) for the current frame, here 0xbffff7cc, and the saved value it holds, 0xb7eacc76.
x/32xw $esp: Examines the current stack frame. The buffer starts at 0xbffff780 and is filled with 0x41414141 (AAAA).
p 0xbffff7cc - 0xbffff780: Calculates &eip - &buffer, giving the offset from the start of the buffer to the saved eip.
Using the offset calculated above, eip is redirected to the address of the win() function.
Stack: Level 5
Description (full): Use buffer overflow to execute shellcode on a suid root program, stack5.
These utilities will be used in future solutions as well.
From a high level, this is our approach:
Store the shellcode in an environment variable.
Find the approximate address of that environment variable on the stack.
Overwrite the return address in stack5 with the address of the environment variable, so that the shellcode executes when the function returns.
There are various ways to execute shellcode, but keeping it in an environment variable rather than in the overflowed buffer is more reliable: the shellcode may not fit in the buffer (64 bytes), and the environment variable has no such size constraint.
The shellcode is a modified version of the code from Hacking: The Art of Exploitation. It runs the command /bin//sh -sli.
We’ll overwrite the return address with the address of the environment variable holding our shellcode.
Nothing happened! Let’s take a look with GDB.
The shell opens, but it exits immediately. The shellcode is executing, but there’s another issue: as documented here and here, opening shells from stdin is problematic.
Opening a shell through netcat
We know that our shellcode does run, but it can’t keep a shell open. However, there is a wide array of options available besides running /bin/sh. We could dump /etc/shadow and use John the Ripper to crack the passwords. Another option is to open a remote shell through netcat. We’ll use the netcat solution.