uCon 2009 – CTF Challenge Stack 02   Leave a comment

‘Sup guys…

After all that time giving excuses I finally got some time to finish this post. A few months ago someone threw a challenge in #dclabs, a stack overflow challenge from uCon 2009 with some interesting and curious details, let’s get down to business;

int main (int argc , char *argv[]) {
  if (argc != 2) {
    __print_sw_title(argv[0]);
    return ERRO;
  }

  if (__lets_play(argv[1])) {
    __create_tag(argv[0]);
    printf("\n +-+ Bang ! +-+ \n");
  } else {
    printf("\n Shut your ****** face, uncle *****! \n");
  }

  return OK;
}

...

int __lets_play (char *param) {
  int i = 0;
  char buffer[2];

  for(i = 0; i < strlen(param); i++) {
    if (i % 2)
      buffer[i] = param[rand() % strlen(param)];
    else
      buffer[i] = '\0';
  }

  if ((int) buffer < 0)
    return 0;

  return 1;
}

Before going into the refinements of this challenge that should be rand(), lets dig a small detail that sometimes make this challenge reckless.

Read the rest of this entry »

Posted August 11, 2012 by raph0x88 in Exploiting, Programming, Security

Pointer Subterfuge – Postmortem?   Leave a comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: February 01, 2012
      # Category: Exploiting, Programming, Security

    As I said in my two last posts…

    I would be writing 3 quick and quite straightforward posts this week.
    All (partially) inspired by this video: http://www.youtube.com/watch?v=i2fhNVQPb5I (I am a C Programmer) and regarding to stack overflows.

    – 1) Signedness bug
    – 2) Widthness overflow
    – 3) Pointer Subterfuge

    Nothing new I suppose, however, as usual I look forward to demystifying them completely. Therefore, any doubts in any of these bugs, please feel free to comment, elaborate my explation or even curse me by my mistakes.
    All codes will be compiled using 32bits, just because I think it is easier to understand and be tested using VMs.

    Consequently, here is the third post.

    3) Pointer Subterfuge

    Overview
    – Pointer Subterfuge is a bit different from the other 2 posts. It is not actually a vulnerability as it is an exploitation “technique”. We usually call as pointer subterfuge when an attacker is overwriting a function pointer instead of a return address and, somehow, manages to get this function pointer called/executed.
    Let me show you some code:
    Read the rest of this entry »

    Posted February 1, 2012 by waKKu in Exploiting, Programming, Security

    Widthness Overflow – What? Where? How? Why?   Leave a comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: January 28, 2012
      # Category: Assembly, Exploiting, Programming, Security

    As I said in my last post…

    I will be writing 3 quick and quite straightforward posts this week.
    All (partially) inspired by this video: http://www.youtube.com/watch?v=i2fhNVQPb5I (I am a C Programmer) and regarding to stack overflows.

    – 1) Signedness bug
    – 2) Widthness overflow
    – 3) Pointer Subterfuge

    Nothing new I suppose, however, as usual I look forward to demystifying them completely. Therefore, any doubts in any of these bugs, please feel free to comment, elaborate my explation or even curse me by my mistakes.
    All codes will be compiled using 32bits, just because I think it is easier to understand and be tested using VMs.

    2) Widthness Overflow

    Overview
    – Widthness overflow bugs are exactly what the name says. Very similar to signedness bugs seen on my last post.
    Imagine we have a field that must be small and controlable, skimp green as we are, we could declare a 1 byte variable (char) to save some space. The example is 1 byte long, although it could be any size of variable, as long as it is not the maximum size/width (otherwise would be impossible to overflow).

    Code Example:
    Read the rest of this entry »

    Posted January 28, 2012 by waKKu in Assembly, Exploiting, Programming, Security

    Signedness Bugs – What? Where? How? Why?   1 comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: January 28, 2012
      # Category: Assembly, Exploiting, Programming, Security

    Hey guys, how are you doing? Hope everyone is OK.

    I will be writing 3 quick and quite straightforward posts this week.
    All (partially) inspired by this video: http://www.youtube.com/watch?v=i2fhNVQPb5I (I am a C Programmer) and regarding to stack overflows.

    – 1) Signedness bug
    – 2) Widthness overflow
    – 3) Pointer Subterfuge

    Nothing new I suppose, however, as usual I look forward to demystifying them completely. Therefore, any doubts in any of these bugs, please feel free to comment, elaborate my explation or even curse me by my mistakes.
    All codes will be compiled using 32bits, just because I think it is easier to understand and be tested using VMs.

    1) Signedness Bug

    Overview
    – Signedness bugs are those bugs related to miscalculations during coding process. Sometimes we decide to “save” bytes whilst coding and don’t have a full understading of what really happens under the hood.

    Code Example:
    Read the rest of this entry »

    Posted January 28, 2012 by waKKu in Assembly, Exploiting, Programming, Security

    Non-eXec Stack – Analysis   4 comments

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: November 25, 2011
      # Category: Assembly, Exploiting, Programming, Security

    Hi folks… Long time no see, huh?

    Yeah, Aussie life has kept me quite busy, however, if you live in Sydney you know that the weather has not been friendly lately…

    Enough of BS, let’s see what matters.

    I was following a thread in one of those maillists, and someone said that he was having difficult to see how Non-eXecutable Stack works properly, so I will try to illustrate it here.

    First of all, we need to separate things. There are two things that are usually mistaken by the same.
    Executable Space Protection: The PTE (Page Table Entry) is a set of control bits at the begining of each page (1 page = 4096 bytes), responsible to control things such as readable, writeable, user or supervisor, present or not, physical address, etc. At this moment, there was no eXecutable bit, therefore a readable page was also considered eXecutable. Those guys from PaX are always trying to make the world more secure and then they came with a solution to protect some memory areas from execution. However, the only alternative was a control by memory segment, what was cool but not perfect. This technique is based on highest address execution, where you can set the highest address which can be executable, but the start point is always the same. Therefore, if your application needs execution at 0xbeefdead address, it will need to mark everything from the 0x08048000 up to 0xbeefdead.

    Hardware Bit: With the introduction of 64bits CPUs the word size doubled, allowing enough space to add a new bit, eXecutable bit, within the PTE. The 63rd bit (Most Significant Bit) was chosen to control eXectuable/Not eXecutable page. At this time, guys from PaX and other implementations (Red Hat Exec-Shield, for instance), improved their control to a page level in 64bits CPUs. The RH exec-shield patch was merged into the kernel 2.6.8 (IIRC) mainstream and now Linux has native Executable Space Protection for x86_64. Nevertheless,
    Read the rest of this entry »

    Posted November 24, 2011 by waKKu in Assembly, Exploiting, Programming, Security

    Linux x86 Shellcoding – 104   2 comments

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 29, 2011
      # Category: Assembly, Exploiting, Programming, Security, Shellcoding

    Me again ;)…

    This is our 4th article in serie “Linux x86 Shellcoding”, I strongly advise you check others three if you still didn’t.

    Well, this post ended up much bigger than I expected but I hope you can follow and enjoy it.

    1. Introduction
    What’s our objective today?
    — Instead of write assembly instruction directly in memory we’ll inject carefully computed hexadecimal values within ASCII codes range that once executed will decode into our REAL shellcode. After we decode this new shellcode we still need to jump to its position and execute it.

    2. Planning – Phase 1
    Read the rest of this entry »

    Posted April 29, 2011 by waKKu in Assembly, Exploiting, Programming, Security, Shellcoding

    Linux x86 Shellcoding – 103   Leave a comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 29, 2011
      # Category: Assembly, Exploiting, Programming, Security, Shellcoding

    Namaste…

    This is our 3rd article in serie “Linux x86 Shellcodes”, I strongly advise you check others two if you still didn’t.

    Today we’ve a new and interesting challenge, a much more elaborated shellcode…

    1. Introduction
    As I promised in our last talk, today we’ll use “CALL + POP” technique to put strings onto stack.
    Assembly is going to be a bit more “complex”, but not too much.

    Shellcode Objective: Create a new user with root powers (uid = 0) into the system.

    Considerations:
    – Linux stores its users and password in /etc/passwd file*
    – Password is generated using crypt(3) and MD5-based hash.
    – We need to append a new “customized” line in this file, using assembly.
    * Linux will only use /etc/shadow file if the password field into /etc/passwd is “x”, if the password hash is already available Linux authenticate it directly.

    man 5 passwd
    Read the rest of this entry »

    Posted April 29, 2011 by waKKu in Assembly, Exploiting, Programming, Security, Shellcoding

    Follow

    Get every new post delivered to your Inbox.