App - System

Tuesday 18 February 2020, 06:23  #1
App - System - Advanced Buffer Overflow
novitoll
  • 5 posts

This works normally on my local Windows machine via debugger, via the PE32 executable; however, on the remote machine via SSH the filename is not reachable if it is not in the CWD of ch73.exe. So it is not working.

Could anyone verify that it is working with no extra symlinking or other tricks? Just put your malicious file in the /tmp or /var/tmp directory and execute it with the wrapper — and it should work? Cygwin is really confusing. I even encoded all bad chars like CRLF, NULL — still the same. But locally — it works fine!

This is the 2nd challenge from Ech0 that does not work for me on the remote side, or else it is not properly constructed! I tried to contact him via message, but the root-me messenger does not work either :(

https://www.root-me.org/en/Challenges/App-System/PE32-Advanced-stack-buffer-overflow

Tuesday 18 February 2020, 10:20  #2
App - System - Advanced Buffer Overflow
Th1b4ud
  • 910 posts

I asked him to come and see you.

Tuesday 18 February 2020, 12:56  #3
App - System - Advanced Buffer Overflow
novitoll
  • 5 posts

Thanks. For this Advanced BOF, I popped a CMD shell via SEH overwrite (hopefully no spoiler), but it seems SEH is not working properly via Cygwin. So it is not working on remote.

Wednesday 19 February 2020, 13:25  #4
App - System - Advanced Buffer Overflow
Liquiid
  • 2 posts

Hello,

I am facing the same issue. The local exploit is working, but I can’t even read the crafted file using the wrapper.sh provided for this chall.

Could someone explain to me how to make this chall work?

Thank you

Friday 21 February 2020, 08:07  #5
App - System - Advanced Buffer Overflow
Ech0
  • 236 posts

Hello,

Please use the Windows path:

./wrapper.sh "C:\cygwin64\tmp\test"

Sorry if it was confusing, but it will be the same for all challenges under the Cygwin environment.
Just remember:
/ = C:\cygwin64\
/tmp = C:\cygwin64\tmp

In case of any doubt, you can check the corresponding Windows path yourself by calling cmd.exe:

app-systeme-ch73@challenge05:~$ cd /tmp/
app-systeme-ch73@challenge05:/tmp$ cmd.exe
Microsoft Windows [Version 10.0.17763.737]
(c) 2018 Microsoft Corporation. All rights reserved.
C:\cygwin64\tmp>
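As an added example (not part of the thread or of the challenge files), a small POSIX shell helper that performs the path translation Ech0 describes for absolute Cygwin paths and hands the result to wrapper.sh. It assumes the C:\cygwin64 root stated above; on a real Cygwin install, `cygpath -w` does the same job.

```shell
#!/bin/sh
# Added helper: translate a Cygwin POSIX path into the Windows path that
# ch73.exe / wrapper.sh expect. Assumes the Cygwin root is C:\cygwin64, as
# stated in the thread; `cygpath -w` performs the same mapping on Cygwin itself.
cyg_to_win() {
    p=$1
    case "$p" in
        /cygdrive/?/*|/cygdrive/?)
            # /cygdrive/c/Users/x -> C:\Users\x (drive letter upper-cased)
            drive=$(printf '%s' "$p" | cut -d/ -f3 | tr '[:lower:]' '[:upper:]')
            win="$drive:${p#/cygdrive/?}"
            ;;
        /*)
            # any other absolute path lives under the Cygwin root
            win="C:\\cygwin64$p"
            ;;
        *)
            # relative path: resolve against the current directory first
            win="C:\\cygwin64$(pwd)/$p"
            ;;
    esac
    # flip the remaining POSIX separators to backslashes
    printf '%s\n' "$win" | tr '/' '\\'
}

# Usage, as in the thread: ./wrapper.sh "$(cyg_to_win /tmp/test)"
# Only runs when a path argument is given, so the file can also be sourced.
if [ -n "${1:-}" ]; then
    ./wrapper.sh "$(cyg_to_win "$1")"
fi
```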

Friday 21 February 2020, 17:09  #6
App - System - Advanced Buffer Overflow
Liquiid
  • 2 posts

Hello,

Thank you, this helped me to try my payload.

I’m facing another known issue now. gdb.exe version 8.1 is configured for x86_64, and using a breakpoint on a mingw32-compiled binary crashes.

gdb: unknown target exception 0x4000001f at 0x401829

See this link for more info:
https://stackoverflow.com/questions/40923437/gdb-unknown-target-exception

Tuesday 25 February 2020, 16:23  #7
App - System - Advanced Buffer Overflow
1dl3
  • 4 posts

Hi ...
I’m a little bit surprised by this challenge ...
It works fine on my station, without DEP ...

When I try it on the server, via radare2, I correctly jump to my shellcode, but DEP prevents exec .....
That’s ok ... but do I really need to go through a ROP chain to change memory protection via VirtualProtect()?
I mean, for 25 points .... it seems a bit over complicated, no?

Did I miss something?

btw: cool challenge ...

Tuesday 25 February 2020, 22:26  #8
App - System - Advanced Buffer Overflow
Ech0
  • 236 posts

Stack is not executable.

Monday 2 March 2020, 16:49  #9
App - System - Advanced Buffer Overflow
1dl3
  • 4 posts

Ok ...
After a few tweaks ....

Now I can pop a shell via:
cd /tmp/
/challenge/app-systeme/ch73/ch73.exe ropp (<== ropp is my file with [Th1b4ud: spoil])

BUT, with wrapper.sh ..... nothing happens .... I mean strictly nothing ....
I’m a little bit confused with this cygwin conf ..

I mean, the challenge is to do a buffer overflow ... right? With some improvement ....
Not fighting with cygwin ...

Any tips ... welcome!

Thanks ...

Thursday 26 March 2020, 08:09  #10
App - System - Advanced Buffer Overflow
shelli
  • 1 posts

Some hints for everyone who is fighting with the odd cygwin64 environment:

- use radare2.exe to debug on the remote machine.
- just ignore the 64-bit libraries.
- if your exploit is working in radare, most addresses should work with ./ch73.exe and ./wrapper.sh as well.
- ./wrapper.sh does not return anything if it just crashes. If you successfully open a shell, you will see something.

Hope this keeps some people from skipping this task as its method of exploitation is quite nice...