Challenge example

Source code

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>  // read() / write()

#include "serve.h"

int fd_f;

int authentification(void) {
    char buf[20];          // 20-byte stack buffer that receives the client's input
    char passwd[16] = "";  // array to store the secret pass

    FILE *fp = fopen(".passwd", "r");
    fread(passwd, 1, 15, fp);
    fclose(fp);
    passwd[15] = '\0';

    write(fd_f, "Password :\n",11);
    read(fd_f, buf, 1024);  // reads up to 1024 bytes into a 20-byte buffer: the overflow
    if (!strcmp(buf, passwd)) {
        return 1;
    } else {
        return 0;
    }
}

void admin(void){
    write(fd_f, "Congratulation\n", 15);
}

void serve(int fd_) {
    int auth;
    fd_f = fd_;

    write(fd_f, "Welcome, please login in order to use the app.\n",47);
    auth = authentification();

    if (auth) {
        write(fd_f, "Welcome User\n",13);
    } else {
        write(fd_f, "Bad password\n",13);
    }
    return;
}


int main() {
    Serve socket = Serve_Create();

    if(socket.Bind(&socket, "0.0.0.0", 1337) < 0){
        perror("Binding socket error :");
        exit(1);
    } else if (socket.Listen(&socket, serve, 5) < 0){
        perror("Listen error :");
        exit(1);
    }
    return 0;
}

The binary is compiled with both PIE and a stack canary, and is served using the serve.c code.

The serve.c code will not be explained here.

It simply serves the binary over a socket and forks for each connection, so that several clients can be handled at the same time.

The buffer overflow occurs in the authentication function, at line 19:

read(fd_f, buf, 1024);
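For comparison, here is a hardened form of that function, as an added example that is not part of the challenge code: the read is bounded by the buffer, the input is always NUL-terminated, and the trailing newline is stripped, so a long line can no longer reach the canary or the saved return address. The helper names below are assumptions made for this example.

```c
#include <stdio.h>
#include <string.h>
#include <unistd.h>

#define BUF_SZ 20   /* same size as the challenge's buf[20] */

/* Hardened replacement for read(fd_f, buf, 1024): at most sizeof(buf)-1 bytes
 * are read, the result is NUL-terminated and the newline is removed before the
 * comparison. Returns 1 on a match, 0 on mismatch or read error. */
int authenticate_fd(int fd, const char *passwd) {
    char buf[BUF_SZ];
    ssize_t n = read(fd, buf, sizeof(buf) - 1);
    if (n <= 0)
        return 0;
    buf[n] = '\0';
    buf[strcspn(buf, "\r\n")] = '\0';
    return strcmp(buf, passwd) == 0;
}

/* Test helper (hypothetical, not a server): feeds `input` through a pipe so the
 * function can be exercised without a socket. Returns -1 on a pipe error. */
int authenticate_from_string(const char *input, size_t len, const char *passwd) {
    int p[2];
    if (pipe(p) < 0)
        return -1;
    if (write(p[1], input, len) != (ssize_t)len) {
        close(p[0]); close(p[1]);
        return -1;
    }
    close(p[1]);
    int ok = authenticate_fd(p[0], passwd);
    close(p[0]);
    return ok;
}

/* Sends a constructed line of `len` 'A' bytes (up to 1024, like the overflow
 * input) and reports whether it is rejected without corrupting the frame. */
int reject_long_line(size_t len, const char *passwd) {
    char flood[1024];
    if (len > sizeof(flood))
        len = sizeof(flood);
    memset(flood, 'A', len);
    return authenticate_from_string(flood, len, passwd);
}

int main(void) {
    printf("good password -> %d\n", authenticate_from_string("s3cr3t\n", 7, "s3cr3t"));
    printf("1024 x 'A'    -> %d\n", reject_long_line(1024, "s3cr3t"));
    return 0;
}
```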

Exploitation

Using the stack reading technique, it is possible to retrieve the needed stack values, reuse them, and overwrite RIP in order to search for gadgets.

Bropper can be used to automate this:

$ python3 bropper.py -t 127.0.0.1 -p 1337 --wait "Password :" --expected Bad --expected-stop Welcome -o dump

Exercise

If you want to try this exploit yourself, you can pull this docker image:

docker pull thectfrecipes/pwn:brop

Deploy the image using the following command:

docker run --name buffer_overflow_brop -it --rm -d -p 3000:3000 thectfrecipes/pwn:brop

Access the web shell with your browser at the address: http://localhost:3000/

login: challenge
password: password
