Here’s my try at Level1 from Bas’ ROP-Primer box.
You can download it on http://www.vulnhub.com. They also have great educational materials related to infosec.
It’s a remote service that is a simple file storage system. It has a handle_conn() function that is vulnerable to an overflow.
I’ve made a two staged exploit that reads in input, the command we want to execute, then stack-pivots to the vulnerable function. After that we send our second stage that executes system() with our previously sent command.
In order to build this exploit I used Peda, a good Plugin for GDB especially for exploit development. But you could also use ropshell.com or the python version.
So with this exploit we can easily execute any command under the owners privileges.
I think the directory ‘/home/level1’ on the remote machine is supposed to have the privileges ‘rwxrwx–x’, so we have to manually change it, otherwise we cannot execute anything.
I think he has fixed this issue in the version 0.2 from Vulnhub.
Since the netcat version installed on the box is the openbsd version, we do not have the “-e” option.
Because of this, we have to pipe the flag into netcat and let it listen for any incoming connections.
Then we just connect with our machine and redirect the output into a file.
The command we execute is ‘cat flag |nc -l 9191’
Then at our own machine we execute ‘nc XX.XX.XX.XX 9191 > flag’
My exploit code does this automatically so you don’t have to change anything, except the IP of the remote machine.
I’ve thoroughly commented the code, so with some experience you should be able to understand what’s happening.
If you don’t have any experience, I would recommend this Primer on return-oriented-programming. Otherwise you can always read corelans tutorials on his webpage.
The Exploit code itself is here.
I created a page where I recommend some books which will give you a good introduction into Software Security, so you can also have a look at that if you want to.