Archive for April 2011

Linux x86 Shellcoding – 104   2 comments

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 29, 2011
      # Category: Assembly, Exploiting, Programming, Security, Shellcoding

    Me again ;)…

    This is our 4th article in serie “Linux x86 Shellcoding”, I strongly advise you check others three if you still didn’t.

    Well, this post ended up much bigger than I expected but I hope you can follow and enjoy it.

    1. Introduction
    What’s our objective today?
    — Instead of write assembly instruction directly in memory we’ll inject carefully computed hexadecimal values within ASCII codes range that once executed will decode into our REAL shellcode. After we decode this new shellcode we still need to jump to its position and execute it.

    2. Planning – Phase 1
    Read the rest of this entry »

    Advertisements

    Posted April 29, 2011 by waKKu in Assembly, Exploiting, Programming, Security, Shellcoding

    Linux x86 Shellcoding – 103   Leave a comment

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 29, 2011
      # Category: Assembly, Exploiting, Programming, Security, Shellcoding

    Namaste…

    This is our 3rd article in serie “Linux x86 Shellcodes”, I strongly advise you check others two if you still didn’t.

    Today we’ve a new and interesting challenge, a much more elaborated shellcode…

    1. Introduction
    As I promised in our last talk, today we’ll use “CALL + POP” technique to put strings onto stack.
    Assembly is going to be a bit more “complex”, but not too much.

    Shellcode Objective: Create a new user with root powers (uid = 0) into the system.

    Considerations:
    – Linux stores its users and password in /etc/passwd file*
    – Password is generated using crypt(3) and MD5-based hash.
    – We need to append a new “customized” line in this file, using assembly.
    * Linux will only use /etc/shadow file if the password field into /etc/passwd is “x”, if the password hash is already available Linux authenticate it directly.

    man 5 passwd
    Read the rest of this entry »

    Posted April 29, 2011 by waKKu in Assembly, Exploiting, Programming, Security, Shellcoding

    Linux x86 Shellcoding – 102   5 comments

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 29, 2011
      # Category: Assembly, Exploiting, Programming, Security

    Hi again…

    The objective for our shellcode today is execute the following syscall:
    execve(‘/bin/bash’, [ ‘/bin/bash’, 0x00 ], [ 0x00 ])

    1. Intelligence Gathering

    We are going to consider 0x00, 0x0d and 0x0a as bad chars.

    A. Our syscall specification:
    man 2 execve

    SYNOPSIS
    #include <unistd.h>

    int execve(const char *filename, char *const argv[],
    char *const envp[]);

    DESCRIPTION
    execve() executes the program pointed to by filename. filename must be either a binary executable, or a script starting with a line of the form “#! interpreter [arg]”. In the latter case, the interpreter must be a valid pathname for an executable which is not itself a script, which will be invoked as interpreter [arg] filename.

    argv is an array of argument strings passed to the new program. envp is an array of strings, conventionally of the form key=value, which are passed as environment to the new program. Both argv and envp must be terminated by a null pointer. The argument vector and environment can be accessed by the called program’s main function, when it is defined as int main(int argc, char *argv[], char *envp[]).
    […]

    Then we have:
    Read the rest of this entry »

    Posted April 29, 2011 by waKKu in Assembly, Exploiting, Programming, Security, Shellcoding

    Linux x86 Shellcoding – 101   3 comments

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 16, 2011
      # Category: Assembly, Exploiting, Programming, Security, Shellcoding

    Hi everyone…

    Some days ago we were chatting at #dclabs channel about this blog and people asked for some posts about shellcoding
    Well, I’m not an expert in this subject but I’ll try to write all I know and sometimes we’ll be learning together, writing and reading these posts ;).
    Nowadays is pretty unusual when we really need to write our own shellcode, we can always go to MetaSploit Framework and grab a fresh one there, well written, reliable and even encoded. Well, where is the fun of it, huh?… I like to know where everything is and why, I promise that on the end of our saga you’ll be able to understand every detail about shellcoding and write your own shellcode, able to exploit a vulnerability that before was not exploitable using metasploit shellcodes.

    1. Introduction
    First of all, what is ShellCode?
    Read the rest of this entry »

    Posted April 16, 2011 by waKKu in Assembly, Exploiting, Programming, Security, Shellcoding

    Stack Overflows: EIP Overwrite – A different approach…   2 comments

  • Post Info:
    1. # Author: Flavio do Carmo Junior aka waKKu
      # URL: Author’s Webpage
      # Date: April 06, 2011
      # Category: Exploiting, Programming, Security

    Today my pal tuxtrack at #dclabs (irc.freenode.net) asked me some help to understand Stack Overflow (more precisely EIP Overwrite part)…
    As I know him (and part of his knowledge), I decided to take a different approach from usual “blah, blah, blah” about C, strcpy() and stack.
    Possibly it could be useful to anyone else, so I’m posting it:

    Before our journey inside gdb, lemme explain some details:

    First question:
    — Why are we seeing instructions like this:
    0x08048383 : mov %eax,0x4(%esp)
    0x0804838a : mov %eax,(%esp)
    – instead of usual:
    push %eax
    (Some instructions to set a new value for %eax)
    push %eax
    ???????

    Answer: Well, at each “push” instruction, what really happens is a cycle of instructions similar to:
    movl %eax, (%esp)
    sub $-4, %esp

    Thus we can easily see that it is SLOWER than a single “movl” instruction using a referenced address, like this one:
    0x08048383 : mov %eax,0x4(%esp)

    Reason for this is GCC optimizations, we could use some specific options while compiling the program to generate the old “push” style…
    But the real world nowadays is optimization, so I thought better to work with it.

    Second Question:
    — Why did you tell “Call pushes the current value of EIP + 5 bytes (eip == own CALL instruction address)?

    Answer:
    – EIP at moment CALL is being executed, obviously, points to the own address of CALL instruction. This CALL instruction has 5 bytes (when pointing execution flow to another memory address (label), 1 byte for CALL mnemonic + 4 to memory address being called), therefore the address right after the CALL instruction is exactly “Address of CALL” + 5 bytes.

    <shinku> CALL isn’t ALWAYS 5 bytes long ;P (Translated IRC talk)
    — True, when using call with, for example, a register it has a different size:
    0: ff d0 call *%eax
    More about CALL instruction: http://home.comcast.net/~fbui/intel_c.html#call
    Obviously, in this case, the pushed address would be CURRENT_EIP + CALL_LENGTH…

    And I talk a bit more about it below.

    Finally, the code and comments trying to explain this “technique”:
    Read the rest of this entry »

    Posted April 6, 2011 by waKKu in Exploiting, Programming, Security