Nytro

Vanilla1 : write-what-where exploitation (ASLR, Full RELRO, Stack cookie)


[h=3]Vanilla1 : write-what-where exploitation (ASLR, Full RELRO, Stack cookie)[/h]Hello,

For today's article, we're going to analyze and exploit a write-what-where primitive in a binary built with

ASLR, no PIE, full RELRO and a stack cookie (so the GOT is read-only and the return address is canary-protected; the non-PIE text and data segments are the fixed addresses we will rely on).

This is part of a set of challenges made by sm0k: Vanilla Dome Wargame .

Let's begin.

[h=2]The challenge[/h] Before any reversing attempt, we need to launch the program to see what it does.

vanilla1@VanillaDome ~ $ ls -lash
total 76K
4.0K drwxr-xr-x 2 root root 4.0K Apr 29 14:15 .
4.0K drwxr-x--x 10 root root 4.0K May 15 20:52 ..
4.0K -rw-r--r-- 1 root root 127 Mar 23 05:56 .bash_logout
4.0K -rw-r--r-- 1 root root 193 Mar 23 05:56 .bash_profile
4.0K -rw-r--r-- 1 root root 3.9K Apr 29 15:47 .bashrc
44K -rw-r--r-- 1 root root 44K Apr 29 14:15 .gdbinit
8.0K -r-sr-sr-x 1 vanilla1crack vanilla1crack 6.7K Apr 29 12:28 Vanilla1
4.0K -r-------- 1 vanilla1crack vanilla1crack 19 Apr 29 12:28 key
vanilla1@VanillaDome ~ $ ./Vanilla1
Usage:./Vanilla1 <file>
vanilla1@VanillaDome ~ $ ./Vanilla1 key
vanilla1@VanillaDome ~ $ python -c 'print "a" * 1024' > /tmp/file.txt
vanilla1@VanillaDome ~ $ ./Vanilla1 /tmp/file.txt

Ok, it basically reads a file and does something with its contents without printing anything. Note from the ls output that the binary is setuid/setgid (mode r-sr-sr-x) to vanilla1crack, the owner of the unreadable key file, so whatever we make it execute runs with the rights needed to read key.

[h=2]Let's reverse it[/h] Opening GDB (Intel syntax) and disassembling main we get the following; comments after ';' are ours:

Dump of assembler code for function main:
; GDB dump (Intel syntax) of main() from the 32-bit, non-PIE Vanilla1 binary:
; absolute 0x0804xxxx code addresses, cdecl (argc/argv at [ebp+0x8]/[ebp+0xc],
; outgoing call arguments staged at [esp], [esp+4], [esp+8]).
; Frame layout, esp-relative after the prologue:
;   esp+0x18   args (argv)       esp+0x1c   n_arg (argc)
;   esp+0x2c   value2            esp+0x30   value1
;   esp+0x34   fp                esp+0x38   0x1000-byte region zeroed by memset
;   esp+0x1038 line buffer       esp+0x104c saved stack cookie
; The saved cookie sits exactly 0x14 bytes above the line buffer and both fgets
; calls pass 0x14 as the size (at most 0x13 chars + NUL), so the reads alone
; cannot reach it; the write primitive must be in insert(), which is not in this dump.
0x08048578 <+0>: push ebp
0x08048579 <+1>: mov ebp,esp
0x0804857b <+3>: and esp,0xfffffff0 ; 16-byte align esp (this may move esp up to 15 bytes below ebp)
0x0804857e <+6>: sub esp,0x1050 ; frame for the locals above; ebp - esp = 0x1050 + alignment padding, not exactly 0x1050
0x08048584 <+12>: mov eax,DWORD PTR [ebp+0x8] ; argc
0x08048587 <+15>: mov DWORD PTR [esp+0x1c],eax ; n_arg = argc
0x0804858b <+19>: mov eax,DWORD PTR [ebp+0xc] ; argv
0x0804858e <+22>: mov DWORD PTR [esp+0x18],eax ; args = argv
0x08048592 <+26>: mov eax,gs:0x14 ; eax = stack cookie (canary read from TLS)
0x08048598 <+32>: mov DWORD PTR [esp+0x104c],eax ; save it at the top of the frame; re-checked at +310
0x0804859f <+39>: xor eax,eax ; eax = 0 (the canary value no longer lives in a register)
0x080485a1 <+41>: cmp DWORD PTR [esp+0x1c],0x1 ; if (n_arg <= 1) then usage error (signed compare, see jg)
0x080485a6 <+46>: jg 0x80485c4 <main+76> ; else continue

0x080485a8 <+48>: mov eax,DWORD PTR [esp+0x18] ; args ptr
0x080485ac <+52>: mov edx,DWORD PTR [eax] ; argv[0], program name
0x080485ae <+54>: mov eax,0x8048790 ; format = "\t Usage:%s <file>\n"
; printf ("\t Usage:%s <file>\n", argv[0]); -- fixed format string, argv[0] is only consumed by %s
0x080485b3 <+59>: mov DWORD PTR [esp+0x4],edx
0x080485b7 <+63>: mov DWORD PTR [esp],eax
0x080485ba <+66>: call 0x8048434 <printf@plt>
0x080485bf <+71>: jmp 0x80486a9 <main+305> ; bye: straight to the cookie check and return

; memset (esp+0x38, 0x0, 0x1000); -- zero the region later handed to insert() as its third argument
0x080485c4 <+76>: mov DWORD PTR [esp+0x34],0x0 ; fp = NULL;
0x080485cc <+84>: mov DWORD PTR [esp+0x8],0x1000 ; n = 0x1000
0x080485d4 <+92>: mov DWORD PTR [esp+0x4],0x0 ; c = 0
0x080485dc <+100>: lea eax,[esp+0x38]
0x080485e0 <+104>: mov DWORD PTR [esp],eax ; dst = esp+0x38
0x080485e3 <+107>: call 0x80483f4 <memset@plt>

; fp = fopen (argv[1], "r");
0x080485e8 <+112>: mov edx,0x80487a3 ; "r"
0x080485ed <+117>: mov eax,DWORD PTR [esp+0x18] ; args
0x080485f1 <+121>: add eax,0x4
0x080485f4 <+124>: mov eax,DWORD PTR [eax] ; eax = args[1]; user-chosen path, opened with the setuid binary's privileges
0x080485f6 <+126>: mov DWORD PTR [esp+0x4],edx
0x080485fa <+130>: mov DWORD PTR [esp],eax
0x080485fd <+133>: call 0x8048424 <fopen@plt>
0x08048602 <+138>: mov DWORD PTR [esp+0x34],eax
0x08048606 <+142>: cmp DWORD PTR [esp+0x34],0x0 ; if (fp == NULL) then error
0x0804860b <+147>: je 0x80486a9 <main+305> ; silent exit: no message, just the cookie check and return
0x08048611 <+153>: jmp 0x8048682 <main+266> ; jump to the loop head, which reads the first line

; loop body: the line buffer holds the line read by the fgets at +292
; value1 = atoll (buffer);
0x08048613 <+155>: lea eax,[esp+0x1038] ; line buffer (0x14 bytes, directly below the saved cookie at esp+0x104c)
0x0804861a <+162>: mov DWORD PTR [esp],eax
0x0804861d <+165>: call 0x8048414 <atoll@plt> ; no error reporting: non-numeric text yields 0, which the checks below skip
0x08048622 <+170>: mov DWORD PTR [esp+0x30],eax ; value1 (only eax, the low 32 bits of the long long, is kept)
; fgets (sbuffer, 0x14, fp); -- second line of the pair, into the same buffer
0x08048626 <+174>: mov eax,DWORD PTR [esp+0x34] ; eax = fp
0x0804862a <+178>: mov DWORD PTR [esp+0x8],eax
0x0804862e <+182>: mov DWORD PTR [esp+0x4],0x14 ; size 0x14: at most 0x13 bytes + NUL, stays below the cookie
0x08048636 <+190>: lea eax,[esp+0x1038] ; sbuffer (same buffer as above)
0x0804863d <+197>: mov DWORD PTR [esp],eax
0x08048640 <+200>: call 0x80483e4 <fgets@plt> ; return value NOT checked: on EOF the old buffer contents are parsed again
; value2 = atoll(sbuffer);
0x08048645 <+205>: lea eax,[esp+0x1038]
0x0804864c <+212>: mov DWORD PTR [esp],eax
0x0804864f <+215>: call 0x8048414 <atoll@plt>
0x08048654 <+220>: mov DWORD PTR [esp+0x2c],eax ; value2 (low 32 bits only)
0x08048658 <+224>: cmp DWORD PTR [esp+0x30],0x0 ; if (value1 == 0) skip insert, read the next line
0x0804865d <+229>: je 0x8048682 <main+266>

0x0804865f <+231>: cmp DWORD PTR [esp+0x2c],0x0 ; if (value2 == 0) skip insert, read the next line
0x08048664 <+236>: je 0x8048682 <main+266>

; insert (value2, value1, esp+0x38); -- both values are attacker-controlled 32-bit ints with no range check here;
; insert at 0x8048534 is not in this dump, so which of them is "what" and which is "where" must be read there
0x08048666 <+238>: lea eax,[esp+0x38]
0x0804866a <+242>: mov DWORD PTR [esp+0x8],eax ; arg2 = zeroed 0x1000-byte region
0x0804866e <+246>: mov eax,DWORD PTR [esp+0x30] ; eax = value1
0x08048672 <+250>: mov DWORD PTR [esp+0x4],eax ; arg1 = value1
0x08048676 <+254>: mov eax,DWORD PTR [esp+0x2c] ; eax = value2
0x0804867a <+258>: mov DWORD PTR [esp],eax ; arg0 = value2
0x0804867d <+261>: call 0x8048534 <insert>

; fgets (buffer, 0x14, fp); -- loop head: read the next line
0x08048682 <+266>: mov eax,DWORD PTR [esp+0x34] ; eax = fp
0x08048686 <+270>: mov DWORD PTR [esp+0x8],eax
0x0804868a <+274>: mov DWORD PTR [esp+0x4],0x14 ; size 0x14, same bound as above
0x08048692 <+282>: lea eax,[esp+0x1038] ; buffer
0x08048699 <+289>: mov DWORD PTR [esp],eax
0x0804869c <+292>: call 0x80483e4 <fgets@plt>
0x080486a1 <+297>: test eax,eax ; NULL => EOF/error, fall out of the loop
0x080486a3 <+299>: jne 0x8048613 <main+155> ; else process the line just read

; check cookie -- reached from every exit path; note there is no fclose() call anywhere in main
0x080486a9 <+305>: mov eax,0x0 ; return 0
0x080486ae <+310>: mov edx,DWORD PTR [esp+0x104c] ; saved stack cookie
0x080486b5 <+317>: xor edx,DWORD PTR gs:0x14 ; compare against the live canary
0x080486bc <+324>: je 0x80486c3 <main+331> ; intact: return normally

0x080486be <+326>: call 0x8048444 <__stack_chk_fail@plt> ; mismatch: abort, so a linear overwrite of the return address is not an option
0x080486c3 <+331>: leave
0x080486c4 <+332>: ret
End of assembler dump.

Articol complet:

http://binholic.blogspot.ro/2013/06/vanilla1-write-what-where-exploitation.html
