├── .gitignore ├── deps ├── entrypoint.sh └── challenge.xinetd ├── setup.sh ├── Makefile ├── README.md ├── src └── main.c └── Dockerfile /.gitignore: -------------------------------------------------------------------------------- 1 | play/ -------------------------------------------------------------------------------- /deps/entrypoint.sh: -------------------------------------------------------------------------------- 1 | #!/bin/sh 2 | 3 | /etc/init.d/xinetd start; 4 | trap : TERM INT; sleep infinity & wait 5 | -------------------------------------------------------------------------------- /setup.sh: -------------------------------------------------------------------------------- 1 | #!/bin/bash 2 | 3 | mkdir -p play 4 | docker build -t misfortune . 5 | docker run -v `pwd`/play:/bins misfortune bash -c 'cp misfortune /bins; cp /lib/x86_64-linux-gnu/libc.so.6 /bins' 6 | sudo chown $LOGNAME:$LOGNAME ./play/* 7 | chmod u+rwx ./play/* 8 | 9 | echo '[+] binary and libc are now in ./play folder :)' -------------------------------------------------------------------------------- /Makefile: -------------------------------------------------------------------------------- 1 | SOURCES=$(wildcard ./src/*.c) 2 | LDFLAGS:=-z relro -z now 3 | CFLAGS:=-Wall -no-pie -fno-stack-protector 4 | TARGET:=misfortune 5 | CC:=gcc 6 | 7 | .PHONY: all clean $(TARGET) 8 | 9 | all: $(TARGET) 10 | 11 | clean: 12 | rm -f $(TARGET) 13 | 14 | $(TARGET): $(SOURCES) 15 | $(CC) -o $(TARGET) $(CFLAGS) $(SOURCES) $(LDFLAGS) 16 | -------------------------------------------------------------------------------- /README.md: -------------------------------------------------------------------------------- 1 | # misfortune 2 | 3 | > John Hammond | Wednesday, April 12, 2023 4 | 5 | ----------------- 6 | 7 | 8 | `misfortune` - a small binary exploitation challenge to demonstrate a classic return2libc attack. 
9 | 10 | You can build the docker image and pull down the binaries with: 11 | 12 | ``` 13 | ./setup.sh 14 | ``` 15 | 16 | This will ask for `sudo` permissions just to give your current user permissions to work easily with the binary and libc file pulled out of the Docker container. -------------------------------------------------------------------------------- /deps/challenge.xinetd: -------------------------------------------------------------------------------- 1 | service challenge 2 | { 3 | disable = no 4 | socket_type = stream 5 | protocol = tcp 6 | wait = no 7 | user = root 8 | type = UNLISTED 9 | port = 9999 10 | bind = 0.0.0.0 11 | 12 | server = /usr/sbin/chroot 13 | server_args = --userspec=challenge:challenge /home/challenge ./misfortune 14 | 15 | # Logging 16 | log_type = FILE /var/log/challenge.log 17 | log_on_success = HOST PID 18 | log_on_failure = HOST 19 | } 20 | -------------------------------------------------------------------------------- /src/main.c: -------------------------------------------------------------------------------- 1 | #include 2 | #include 3 | #include 4 | #include 5 | #include 6 | 7 | __attribute__((constructor)) 8 | void setup(void) { 9 | setbuf(stdout, NULL); 10 | setbuf(stdin, NULL); 11 | } 12 | 13 | void sig_handler(int signum){ 14 | printf("Sorry, you took too long and I got impatient!"); 15 | exit(-1); 16 | } 17 | 18 | int main(int argc, char *argv[]){ 19 | 20 | printf("Hello fortune teller! 
Please tell me my fortune!\n"); 21 | 22 | signal(SIGALRM,sig_handler); // Register signal handler 23 | 24 | alarm(3); // Scheduled alarm after 2 seconds 25 | char buffer[32]; 26 | 27 | printf("> "); 28 | read(0, buffer, 0x100); 29 | 30 | return 0; 31 | } -------------------------------------------------------------------------------- /Dockerfile: -------------------------------------------------------------------------------- 1 | FROM ubuntu:18.04 2 | 3 | RUN apt-get update -y \ 4 | && apt-get install -y xinetd gcc build-essential \ 5 | && apt-get clean -y 6 | 7 | # Create challenge user 8 | RUN useradd -u 1000 -d /home/challenge -s /bin/bash challenge 9 | RUN mkdir /home/challenge 10 | 11 | # Poor man's pipe to docker logs 12 | RUN ln -sf /proc/1/fd/1 /var/log/challenge.log 13 | 14 | # Copy xinetd and other dependencies 15 | COPY deps/challenge.xinetd /etc/xinetd.d/challenge 16 | COPY deps/entrypoint.sh /entrypoint.sh 17 | 18 | RUN chmod 551 entrypoint.sh 19 | 20 | # Set up chroot 21 | RUN mkdir /home/challenge/usr 22 | RUN cp -R /lib* /home/challenge && \ 23 | cp -R /usr/lib* /home/challenge/usr 24 | 25 | RUN mkdir /home/challenge/dev && \ 26 | mknod /home/challenge/dev/null c 1 3 && \ 27 | mknod /home/challenge/dev/zero c 1 5 && \ 28 | mknod /home/challenge/dev/random c 1 8 && \ 29 | mknod /home/challenge/dev/urandom c 1 9 && \ 30 | chmod 666 /home/challenge/dev/* 31 | 32 | RUN mkdir /home/challenge/bin && \ 33 | mkdir /home/challenge/etc && \ 34 | mkdir /home/challenge/src && \ 35 | cp /bin/* /home/challenge/bin && \ 36 | cp /usr/bin/id /home/challenge/bin/id && \ 37 | cp /usr/bin/whoami /home/challenge/bin/whoami && \ 38 | cp /etc/shadow /home/challenge/etc && \ 39 | cp /etc/passwd /home/challenge/etc && \ 40 | rm /home/challenge/bin/rm 41 | 42 | # Set up challenge and flag 43 | WORKDIR /home/challenge 44 | 45 | COPY src/main.c /home/challenge/src 46 | COPY Makefile /home/challenge 47 | RUN make 48 | 49 | RUN chmod 111 misfortune 50 | 51 | RUN chown -R 
root:root /home/challenge 52 | 53 | CMD ["/entrypoint.sh"] 54 | 55 | EXPOSE 9999 56 | --------------------------------------------------------------------------------