Note: In this exercise I will try to take it one step further and get a reverse shell on the system, event if this is not the main goal of Protostar exercises, I will try it anyway (You can just ignore the shell part anyway)
A word about Radare2 (The tool we will use today)
radare2 is an open source framework for reverse engineering and binaries analysis which implements a rich command line interface for disassembling, analyzing data, patching binaries, comparing data, searching, replacing, visualizing and more.
It has great scripting capabilities, it runs on all major platforms (GNU/Linux, .Windows *BSD, iOS, OSX, Solaris…) and it supports tons of architectures and file formats. But maybe above all of its features stands the ideology.
Problem source code
Of course as usual our target is to gain root shell on the system.
First let’s examine our target and see what we have
We will use a tool called rabin2 from radare2 to show us infos about the binary, also we want to see what security this binary has.
As you can clearly see, our binary is a 32bit ELF file, not stripped, the file isn’t protected with canaries , pic, nx or relro.
Now let’s run it and see what the program does.
So if we passed a short input it will give us ‘Try again?’ message, but if we passed a long input we will get a ‘segmentation fault’ and a success message ‘you have changed the ‘modified’ variable’
We noticed that the binary does not have any security on it, So we will disable our local kernel security to make it easier for us
Now it’s time to quickly go through the flow of the program, this time we’ll look at the disassembly (we won’t always have the source code). Open the program in debug mode using radare2:
-d – Open in the debug mode
aas – Analyze functions, symbols and more
Now continue untill main function
dcu stands for debug continue until
Now let’s enter the Visual Graph Mode by pressing VV. you can toggle views using p and P, move Left/Down/Up/Right using h/j/k/l respectively and jump to a function using g and the key shown next to the jump call (e.g gb).
Now let’s start exploiting this binary
We will use one two other radare2 tools rarun2 and ragg2
We’ll use a tool in radare’s framework called ragg2, which allows us to generate a cyclic pattern called De Bruijn Sequence and check the exact offset where our payload overrides the buffer.
We know that our binary is taking user input via stdin, instead of copy-pate our input to the shell, we’ll use rarun2.
Now we will create rarun2 profile
Now let’s debug the app using this profile
We executed our binary and passed the content of pattern.txt to stdin with rarun2 and received SIGNAL 11.
A signal is an asynchronous notification sent to a process or to a specific thread within the same process in order to notify it of an event that occurred.
The SIGSEGV (11) signal is sent to a process when it makes an invalid virtual memory reference, or segmentation fault, i.e. when it performs a segmentation violation.
Did you notice that now our prompt points to 0x41416241? This is an invalid address which represents ‘AAbA’ (ascii), a fragment from our pattern. radare allows us to find the offset of a given value in De Bruijn pattern.
Now that we know that the override of the return address occurs after 80 bytes, we can begin crafting our payload.
Now let’s double check that we control the $eip
Now we can see the $eip = 0x42424242 which is ‘BBBB’ in hex. So now we’re sure we control the eip.
Lets have a look on the Stack and CPU registers
drr debug register references (telescoping)
We noticed that $esp is the same every crash so we will use it
Before we fire our exploit we need to set our handler first, open new terminal and write
Now move to first terminal
And notice the reverse shell we get in the second terminal