Vortex 12

Continuing the previous post about solving vortex 0-11[1]. I just had some time to solve this one too.

1: solving overthewrite

level12

Exploit this level knowing that the stack is not executable. You must login to vortex.labs.overthewire.org to complete this level..

So we get the binary and we find.

This creates a thread running safecode(), then setresgid, setresuid, and runs the unsafecode(). Safecode loops for ever, prints, flush stdout, sleeps, and runs in a level13 priv. Unsafecode is a bufferover flow function, and runs in level12. So we want level13 thus we target the second thread, but we have a problem here. That stack is not executable which will complicate things. So we search for a ROP. We target libc.so.6 in vortex box. Since I don't have access to procfs it will be a little different to find libc. We dbg vortex12 break at __libc_start_main then libc base is the address in debugger minus the offset we find objdump ... | grep libc_start_main... Anyway we dump a list of rop gadgets and start searching and we find a bunch of useful ones. First what I'm trying to do using ROP is the following :

Let's talk a little bit more about how this is going to happen. So we need to set up sys_mprotect by using ebx,ecx,edx registers. So we need to find gadgets that can for example pop ebx, pop edx. I couldn't find something that pops ecx, or xchg ecx,r32 so I had to do some magic to set it to 4096. ebx points to the controlled_stack&~(4096-1) but that will let it contain zeros, so we need to do controlled_stack&~(4096) and then find a gadget that dec ebx to set it to correct value otherwise mprotect will fail with -EINVAL. For edx I found a gadget that zeros it then inc it until it becomes 0x07 which is PROT_{READ|WRITE|EXEC}. Finally we use a gadget that does int 0x80 then we have our executable stack. After that we jump to the executable stack execution (still in thread_1) a code that sets fflush@got to a place in this new executable stack so thread 2 goes there. Then after overwriting fflush@got we loop thread 1 forever ^^/ just to be nice. At this point thread 2 will jump there and execute our shellcode and everyone is happy.

Here's the code that sets fflush@got

and the exploit

You can clean up the code a lil bit it contains some useless stuff from some expirements. Anyway...

Proxied content from gemini://0x80.org/gemlog/2014-08-02-vortex-12.gmi.
Get a proper gemini browser and visit!

Gemini request details:

Original URL
gemini://0x80.org/gemlog/2014-08-02-vortex-12.gmi
Status code
20
Meta
text/gemini;lang=en-US