Bypass ASLR+NX Part 2









hi guys today we will continue in ways to bypass ASLR and NX if you dont know what means  please read 
Part 1 will will find way to control EIP  and in this part we will focus on another technique called Ret2eax.
before going to explain it we need to understand what EAX and what it's purpose in program.
EAX is general purpose register used in arithmetic calc and store results of  arithmetic  operations and function return value , like  C built in function   strcpy will save string pointer in EAX without assign it  EAX will save  pointer  to buffer .




we will take example to login system use strcmp to compare between two strings return 0 if  two strings are same or return 1 if not equal .




run it




simple program user enter password compare it using strcmp you notice that strcmp we compare it to 0 if condition True i.e return 0 will print "you Login in" else "Ops LOL" .

now we going to open program in gdb.




we disassemble main we find call to login let disassemble login



ok will see two breakpoints one in call strcmpt at address 0x08048436 and another on jne  at address 0x08048440  now we going to explain it  eax store pointer to string that store in stack and then made test eax,eax if both equal will return 0  will set    ZF=1 else  where compare is false  will set ZF=0 and we came to JNE is check ZF=0(when condition false will set ZF=0) if not equal will jump to execute from 0x08048454 this instructions will print "OPS LOL" i made it in Red (false) but when ZF=1 will continue to execute instructions  that will print "You Login in" i made it in Green. we can bypass it if we use wrong password  set breakpoint in test eax,eax and write wrong string like AAAA. we analysis stack  to figure out values.
you can see in local variable local EBP-0xd store value it's string 1234 that hardcode inside program after that load this string from EBP-0xd lea eax,[ebp-0xd] and then push eax in stack the second argument push in stack ebp+0x8 this parameter to string function after push two values then we call strcmp it perform compare and return value at EAX if EAX=0 at test eax,eax we will login 







set eax=0 in order to bypass password check









now this first part is to understand value that return from eax now we go to understand string pointer that save in EAX , think in strcmp like this cmp src,dest where src is "1234" that value hardcode in program and dest is argv (user value supply by user ) as we know dest=AAAA src="1234".
dest=dest-src (eax=eax-ebp+0x8) EAX also point to buffer.


EAX store 0xbffff647 it's pointer point to  string buffer  (AAAA)







Vulnerable program

now we going to our main program will go to exploit it but before that we have note this exploit work when function that return value have't command after it.











we will open program in gdb and disassemble main and vul functions and set same breakpoints 








dissemble vul function 


now we will but some strings to look at eax to figure out  EAX store pointer point to buffer  






let us examine EAX to find strings that store in EAX but why this string store in EAX because we use strcpy this return pointer to string as we explain it in begin. after we find where our input store now it's time to find way to call or jump to eax both redirect execution to string buffer,to make this exploit reliable we will add some nops before and after shellcode and finally address to call eax .

examine EAX.




stack layout looks like





payload structure 

NOPS+shellcode+NOPS+call_eax








we build test exploit our shellcode is \xcc interrupt instruction 



we execute interrupt instruction successfully now we can replace it with  our   shellcode 



Final exploit 







BOom we have shell








thanks for reading i see you in next write up in ASLR+NX series.











Comments

  1. studentFebruary 26, 2019 at 2:11 PM

    I tried exploiting the binary with the ret2eax method and i get

    0xbffff22c in ?? ()
    cannot find bounds of current function

    ReplyDelete

Post a Comment

Popular posts from this blog

hacky holidays h1 CTF

Image
hacky holidays  h1 CTF this year Hackerone hosted CTF it's amazing CTF i will   write write up for  interesting challenges  Swag Shop Get your Grinch Merch! Try and find a way to pull the Grinch's personal details from the online shop this challenge it's 100% real life which in order to get flag we must enumeration grinch profile. first we must enumeration target page and do some spider pages by using burpsuite spider     after spider target you notice api   endpoints that use in application we must FUZZ endpoint to find hidden endpoints using burpsuite intruder or any tools you  like.   you notice user  endpoint status code and response message  and sessions endpoint which response with  JWT Tokens  which will going to decode it and find information using  jwt io .  after decode jwt tokens we find one has user name value          now back to user endpoint which we nee...
Read more

SECURECODE: 1 : OSWE Prep

Image
 SECURECODE: 1 : OSWE Prep SECURECODE: 1  it's OSWE Like machine which need to do some code reviwing and detect  vulnerabilities and chained together to gain final target which remote code execution (RCE).  VM:  SecureCode: 1 ~ VulnHub information about VM:  SecureCode1: an OSWE-like Machine | by Ahmed ElTijani | SUDOROOT | Medium   First we do some code review to detect vulnerabilities in source code  applications  http://192.168.122.112/source_code.zip. we go page under construction next we going to review directory structure. open http://192.168.122.112/login/index.php will redirect to login page. next will explore sql database dump which includes database structure and tables names which will help us to build queries to dump credentials from database. next will  import these sql databases backup in mysql  in order to  explore sql statment for this will use online solution  MySQL online - Test SQL queries (ext...
Read more

python input vulnerability

Image
python input vulnerability hi guys today i will show you how little mistake in write code can lead to expose data or RCE on sever . as we know python has function that take input from user can save it in variable . in python 2.x version we find input function   and it built-in function input in module __builtin__  let check what mean this method by using help(input) it 's  equivalent to eval(raw_input) ok raw_input it's another function take input from user but in input function it's add eval as we know eval it  function evaluates a string of text which is passed as its parameter, accepting possible second argument for the global values to use during evaluation. let make quick demo  and if we enter number it will display it but what if we enter 2+4 it will display 6 because it's use eval as part of input function as we see above from here we can use  __builtin__  module to get  som...
Read more