Hello hackers! hope you are all doing well. I know I took some time off from posting writeups because of how busy I got over time (jk I was juz laaazyyyy). Anyways this challenge is something that was super interesting for me to do because I finally got to use shellcode. So I hope I spread some hacking wisdom out to the world to the best of my knowledge, without wasting any more of our time let's jump right into our question.
AWW! look how cute this code looks……OR IS IT?!
Although this code looks quite simple, it opens up the opportunity for us to overflow the buffer space since it uses the “gets” function and also injects shellcode into the system…BUT WHAT IS SHELLCODE THO?! 🤔
“In hacking, a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability”
In layman's terms, you inject a shellcode in the rwx area you get a shell to that system. Sounds easy right :).
Well, it's not thaaat simple! , you have to find a perfect spot on the stack with the correct number of bytes to be given for the payload for us to inject the shellcode. But on this specific challenge, we can simply have our shellcode on our stack and make it execute from the stack itself.
There is a website that gives us different types of shellcode depending upon the architecture that we use, its called http://shell-storm.org/shellcode/
For this specific challenge, I am going to use Linux/x86 — execve(/bin/sh) — 28 bytes by Jean-Pascal Pereira.
/opt/protostar/bin/stack5
Enough with the shellcode talk. let's disassemble the main and have a look
Here it does some “and $0xfffffff0,%esp” which we are clueless about so we will get there in a minute, after that it “sub $0x50,%esp” meaning it's allocation 0x50=80 bytes into the stack. After that “lea 0x10(%esp),%eax”, which is equivalent to “lea eax,[esp+0x10]” (I have not set my disassembly-flavor to intel which is why the above image has such a type of o/p), lea stands for Load Effective Adress, The LEA instruction computes a memory address using the same arithmetic that a MOV instruction uses. But unlike the MOV instruction, the LEA instruction just stores the computed address in its target register, instead of loading the contents of that address and storing it. And esp+10. This means from esp+0x10 our area for our buffer starts.
we can even cross-check this with simple math.
total space-lea(esp+0x10)= 0x50–0x10=0x40=64
Now, this is the buffer space that was given to us on our code :D.
Still don't quite catch it. Maybe my artwork will help you but before that, we need to understand how much space is “and $0xfffffff0,%esp” operation allocated for.
So for that, I keep a breakpoint just after that operation and inspect my registers.
This operation happens exactly after “mov ebp,esp” and on the inspection with the “i r” command we can clearly understand that there is a difference in 8 bytes from ebp to esp meaning 8 bytes gets allocated to esp from ebp.
Now keeping all this in mind, I drew my ‘MONA LISA’ of a stack..
EY..EY! DON’T LAUGH AT MY MASTERPIECE(ノಥ益ಥ)ノ ┻━┻.
EXPLOITATION:
Now for the juicy part HACKING!
Now since we know how the stack looks thanks to my artwork, we can finally decide on much bytes to be sent to reach the eip region/return area.
bufferspace+8bytes +ebp=64+8+4=76bytes
So we need 76 bytes to reach the eip region. But return to where???
This is where shellcodes come into play. We write our shellcode first into the buffer space and then pad it all to the eip/return region and return it to the shellcode area.
Our shellcode is of 28 bytes, our buffer is 64bytes which means after writing the shellcode I have 36 bytes of buffer space remaining.
bufferspace+8bytes +ebp=36+8+4=48bytes
Now we have to find tge start of the buffer space. As we can see on our Plan of attack! diagram, the start of buffer space os esp+0x10.
To find our esp address. Set a breakpoint at main and run the gdb.
Ok so our esp value ends with 60 and we add 0x10 to it and we get
So according to our calculations, this must be exactly where our buffer area starts.
Time to put up the payload!
payload:
Our payload is simple, write the shellcode in the buffer, padded it till eip region, and the return to the space where the shellcode was written so that the program will execute it
Now in order to send this payload, we have to copy this to a file and then cat it to the binary file.
BOOM! shell! ̿̿ ̿̿ ̿̿ ̿’̿’\̵͇̿̿\з= ( ▀ ͜͞ʖ▀) =ε/̵͇̿̿/’̿’̿ ̿ ̿̿ ̿̿ ̿̿
BUT! there is a catch to this. This won’t work all the time because of stack alignment and current directory and so on and so forth.
So what can we do about that? How do we rectify this situation? where else can we inject our code. FOOD FOR THOUGHT!(ㅅ´ ˘ `)♡
I will explain it in my upcoming posts. Until then take care, bye byee!
If you think this walkthrough helped you in any way please do leave a like and thank you once again for reading. :)
