Tuesday, September 13, 2016

Learning with DVRF - Step 12 - Stack buffer overflow - Phase 1

Now that we have a good understanding of MIPS assembly, let’s work on the challenges within the DVRF project. The first challenge to examine and beat is the stack buffer overflow challenge. This is blog post 12 of x in the learning with DVRF project series.

The seminal background reading on smashing the stack is Aleph One's paper "Smashing The Stack For Fun And Profit", published in Phrack in 1996. It is highly recommended reading:

http://phrack.org/issues/49/14.html

A second but also important piece of background information comes from Corelanc0der’s “Exploit writing tutorial part 1: Stack Based Overflows”. This is also highly recommended for you to review:

https://www.corelan.be/index.php/2009/07/19/exploit-writing-tutorial-part-1-stack-based-overflows/

The entire exploit writing tutorial series is excellent material. There is a lot of it, but it is well worth the time and effort spent reading.

With some good background knowledge covered, we will approach this challenge with the following phases:

Phase 1 - Run it to see how it works
Phase 2 - Run floss/strings - Initial static analysis
Phase 3 - Examine it with readelf/objdump - More static analysis
Phase 4 - Examine it with gdb/pwndbg - Dynamic analysis
Phase 5 - Exploit it


Phase 1 - Run it to see how it works:

  1. Log into the VM

  2. Open up a Terminal

  3. Browse to the squashfs directory. In Terminal, type in:

    cd

    cd /home/andy/Downloads/DVRF-master/Firmware/_DVRF_v03.bin.extracted/squashfs-root/

  4. The first challenge to tackle is the stack buffer overflow program called “stack_bof_01” in the pwnable/Intro folder. To run this challenge, we need to have Qemu run it in an emulated environment. Let's run the challenge and see what happens. In Terminal, type in:

    sudo chroot . ./qemu-mipsel-static pwnable/Intro/stack_bof_01

  5. It does not appear that much happens without additional input to the program, as it expects at least one argument.

  6. Let’s give it an argument as the help text recommends. Let’s add in 7 “A”s as an argument to the program. In Terminal, type in:

    sudo chroot . ./qemu-mipsel-static pwnable/Intro/stack_bof_01 AAAAAAA

  7. Nope. This does not appear to be what we need to do. On to phase 2!
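The steps above run the challenge by hand with no argument and then with seven "A"s. The following harness, an added example that is not part of the DVRF project or the original post, automates that observation: it runs the program with arguments of increasing length and reports the first length at which the exit status changes, which is where the quiet help-text behaviour turns into a signal exit (a shell reports 128 plus the signal number, so 139 for SIGSEGV, which qemu-user normally passes through from the emulated program). It assumes it is run from the squashfs-root directory, as in the post; the TARGET command and the length ranges are assumptions, and any command taking one argument works the same way.

```shell
#!/bin/sh
# Added example, not DVRF project code. Assumed target command, run from
# squashfs-root exactly as in the post above.
TARGET='sudo chroot . ./qemu-mipsel-static pwnable/Intro/stack_bof_01'

# Print the exit status of command "$1" run with a single argument of $2
# 'A' bytes; when $2 is 0 it is run with no argument, matching step 4.
status_for_len() {
  _cmd=$1
  _n=$2
  if [ "$_n" -eq 0 ]; then
    $_cmd >/dev/null 2>&1 && _rc=0 || _rc=$?
  else
    # Build the argument without a shell loop: N zero bytes mapped to 'A'.
    _arg=$(head -c "$_n" /dev/zero | tr '\0' 'A')
    $_cmd "$_arg" >/dev/null 2>&1 && _rc=0 || _rc=$?
  fi
  echo "$_rc"
}

# Walk lengths $2..$3 in steps of $4 and print the smallest length whose
# exit status differs from the baseline taken at length $2.
# Returns 1 (and prints nothing) if the status never changes in the range.
first_status_change() {
  _cmd=$1
  _n=$2
  _hi=$3
  _step=$4
  _base=$(status_for_len "$_cmd" "$_n")
  while [ "$_n" -le "$_hi" ]; do
    _rc=$(status_for_len "$_cmd" "$_n")
    if [ "$_rc" -ne "$_base" ]; then
      echo "$_n"
      return 0
    fi
    _n=$((_n + _step))
  done
  return 1
}

# Usage from squashfs-root, e.g. check lengths 1..512 in steps of 16:
#   first_status_change "$TARGET" 1 512 16
```

A changed exit status only tells you that behaviour changed at that length; phases 3 and 4 (readelf/objdump and gdb/pwndbg) are where you confirm what actually happened on the stack.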
