Bypass ASLR+NX Part 2









hi guys today we will continue in ways to bypass ASLR and NX if you dont know what means  please read 
Part 1 will will find way to control EIP  and in this part we will focus on another technique called Ret2eax.
before going to explain it we need to understand what EAX and what it's purpose in program.
EAX is general purpose register used in arithmetic calc and store results of  arithmetic  operations and function return value , like  C built in function   strcpy will save string pointer in EAX without assign it  EAX will save  pointer  to buffer .




we will take example to login system use strcmp to compare between two strings return 0 if  two strings are same or return 1 if not equal .




run it




simple program user enter password compare it using strcmp you notice that strcmp we compare it to 0 if condition True i.e return 0 will print "you Login in" else "Ops LOL" .

now we going to open program in gdb.




we disassemble main we find call to login let disassemble login



ok will see two breakpoints one in call strcmpt at address 0x08048436 and another on jne  at address 0x08048440  now we going to explain it  eax store pointer to string that store in stack and then made test eax,eax if both equal will return 0  will set    ZF=1 else  where compare is false  will set ZF=0 and we came to JNE is check ZF=0(when condition false will set ZF=0) if not equal will jump to execute from 0x08048454 this instructions will print "OPS LOL" i made it in Red (false) but when ZF=1 will continue to execute instructions  that will print "You Login in" i made it in Green. we can bypass it if we use wrong password  set breakpoint in test eax,eax and write wrong string like AAAA. we analysis stack  to figure out values.
you can see in local variable local EBP-0xd store value it's string 1234 that hardcode inside program after that load this string from EBP-0xd lea eax,[ebp-0xd] and then push eax in stack the second argument push in stack ebp+0x8 this parameter to string function after push two values then we call strcmp it perform compare and return value at EAX if EAX=0 at test eax,eax we will login 







set eax=0 in order to bypass password check









now this first part is to understand value that return from eax now we go to understand string pointer that save in EAX , think in strcmp like this cmp src,dest where src is "1234" that value hardcode in program and dest is argv (user value supply by user ) as we know dest=AAAA src="1234".
dest=dest-src (eax=eax-ebp+0x8) EAX also point to buffer.


EAX store 0xbffff647 it's pointer point to  string buffer  (AAAA)







Vulnerable program

now we going to our main program will go to exploit it but before that we have note this exploit work when function that return value have't command after it.











we will open program in gdb and disassemble main and vul functions and set same breakpoints 








dissemble vul function 


now we will but some strings to look at eax to figure out  EAX store pointer point to buffer  






let us examine EAX to find strings that store in EAX but why this string store in EAX because we use strcpy this return pointer to string as we explain it in begin. after we find where our input store now it's time to find way to call or jump to eax both redirect execution to string buffer,to make this exploit reliable we will add some nops before and after shellcode and finally address to call eax .

examine EAX.




stack layout looks like





payload structure 

NOPS+shellcode+NOPS+call_eax








we build test exploit our shellcode is \xcc interrupt instruction 



we execute interrupt instruction successfully now we can replace it with  our   shellcode 



Final exploit 







BOom we have shell








thanks for reading i see you in next write up in ASLR+NX series.











Comments

  1. studentFebruary 26, 2019 at 2:11 PM

    I tried exploiting the binary with the ret2eax method and i get

    0xbffff22c in ?? ()
    cannot find bounds of current function

    ReplyDelete

Post a Comment

Popular posts from this blog

Code injection

Image
Code injection hi guys am going to solve  PentesterLab Code injection  if you dont know about code injection it's one of big bugs that let hacker to execute codes in server i will give link explain all information about this bug now let us begin in  this  section include four task and how to get RCE  and execute php code . this first challenge let pwn it    pentesters  try to get error simple way to add double quotes  oh nice you can see it's use eval ,eval one of function in php that when you pass string it convert it to php code now we get error let try to understand how it work here if you see in second picture it's expecting ! and if you compare it with first one you can see !!! if you change name in parameter it's still add !!! to end  after reversing code  i can write simple code act like this  now we have simple code now let to try to fix error  if you add "." it fix error and
Read more

SECURECODE: 1 : OSWE Prep

Image
 SECURECODE: 1 : OSWE Prep SECURECODE: 1  it's OSWE Like machine which need to do some code reviwing and detect  vulnerabilities and chained together to gain final target which remote code execution (RCE).  VM:  SecureCode: 1 ~ VulnHub information about VM:  SecureCode1: an OSWE-like Machine | by Ahmed ElTijani | SUDOROOT | Medium   First we do some code review to detect vulnerabilities in source code  applications  http://192.168.122.112/source_code.zip. we go page under construction next we going to review directory structure. open http://192.168.122.112/login/index.php will redirect to login page. next will explore sql database dump which includes database structure and tables names which will help us to build queries to dump credentials from database. next will  import these sql databases backup in mysql  in order to  explore sql statment for this will use online solution  MySQL online - Test SQL queries (extendsclass.com)   which give up ability to interacting with databases.
Read more

hacky holidays h1 CTF

Image
hacky holidays  h1 CTF this year Hackerone hosted CTF it's amazing CTF i will   write write up for  interesting challenges  Swag Shop Get your Grinch Merch! Try and find a way to pull the Grinch's personal details from the online shop this challenge it's 100% real life which in order to get flag we must enumeration grinch profile. first we must enumeration target page and do some spider pages by using burpsuite spider     after spider target you notice api   endpoints that use in application we must FUZZ endpoint to find hidden endpoints using burpsuite intruder or any tools you  like.   you notice user  endpoint status code and response message  and sessions endpoint which response with  JWT Tokens  which will going to decode it and find information using  jwt io .  after decode jwt tokens we find one has user name value          now back to user endpoint which we need  fuzz parameters using burpsuite intruder. we notice we have different status code & response length
Read more