This post details a walkthrough on how to create a Metasploit module for level01 of the Fusion exploit exercise at https://exploit-exercises.com. This level uses the same code with the same bug as level00. For intial setup and bug analysis see the previous walkthrough. This level adds in system ASLR for the stack, heap, etc.
Inspecting the crash
The exploit steps in level00 were:
Control the value of eip
Find the payload in memory
Point eip at the payload
The third step above is no longer reliable because the payload is stored on the stack and each time the program executes the location of the stack changes. The difficultly is finding a way to reliably locate the payload. Below is a module similar to the proof of concept developed for level00 that will cause the pogram to crash. The time of the crash is the ideal time to inspect memory because this state will be consistent each time, though exact addresses will change.
Note: If the module below is confusing please browse the level00 walkthrough
The above module will send two Metasploit patterns. The pattern_find command will detail where these patterns are in memory, register that hold part of the pattern, and registers that points to part of a pattern. This output will display what registers are under attacker control.
Note: Thepattern_findandpattern_offsetare custom commands which can be found here
The attacker can control the value of eip from the bytes at offset 139 into the path buffer. The esp register points to offset 143 in the path buffer and the esi register points to offset 0 the second pattern. In level00 the second pattern is where is the payload was sent, assuming the payload will be transmitted in the same way, esi points to the start of the payload.
Which way to jump
Using the jmp reg technique an attacker can execute instructions at an address specified by a register. Since the attacker controls the data that esp and esi points at, they can execute arbitrary instructions using either a jmp esp or jmp esi instruction.
First try the esi register because it points directly at the payload. The level01 binary is not compiled as position indepedent code causing all the instructions to have static addresses. The attacker can rely on these memory addresses for instructions, such as the jmp esi. ROPGadget by Jonathan Salwan is a tool to find desirable sets of instructions, or gadgets.
Use ROPGadget to find all jmp instructions:
No jmp instructions for esi. Instead try finding a call instruction instead:
No call instructions either… In hopes of moving the value of esi to another register find all gadgets that involve esi:
None of these gadgets seem to allow moving the value to another register… Fortunately there is a jmp esp gadget at address 0x08049f4f. The esp register will direct execution to the data in the path buffer that is not large enough for the payload, but we can put a jmp esi instruction there.
Load eip with the address for a jmp esp instruction
The jmp esp will cause data in the path buffer to execute
The path buffer will contain a jmp esi instruction
The jmp esi will execute the payload
Jump jump away
Load address 0x08049f4f in eip,
Attach gdb, set a breakpoint on the 0x08049f4f address, and send the exploit
Confirmed we are hitting the jmp esp gadget and that esp points to the string of ‘B’s.
Replace the ‘B’s with a jmp esi. Metasploit comes with a library to convert instructions to opcodes named Metasm. Replace the payload with breakpoints to confirm execution.
Attach gdb, reload the module, and send the exploit:
Confirmed we have hit the payload! Replace the breakpoints with a Metasploit payload
Send the exploit!
Success! Meterpreter shell and the puzzle is solved.