ST

sailboat on Sat 26 Feb 2011

It felt so good getting this code to work on my computer. However I had a few inconsistencies. I am running ubuntu 10.10 with the 2.6.35-25 kernel. First off, I had to turn stack protection off when compiling, -fno-stack-protector

Also, when I went to get the address for system in libc, p system returned a 3 bit value instead of a 4bit value, on a limb, I only wrote 3 bits to exitAddr and systemAddr char arrays in the Ret2Libc. Other than that, SUCCESS!!!!!

Vivek-Ramachandran on Sat 26 Feb 2011

Awesome! I had chosen a much older platform to easily demonstrate these concepts but later realized most people might just want to try this out on the latest platforms by turning the protections off.

If you have the time, can you make a quick video of how you did this in Ubuntu 10? I will add that as the 10th video in this group with full credit to you. Only condition, it need to have voice in it and no rock music in the background :)

sailboat on Sat 26 Feb 2011

upon further testing, I realized that I did not get the example to completely run correctly, I realized that while the overflow worked, I had misrepresented some addresses and the instead of spawning a new shell, it just returned to the previous shell. I did not notice this because I did not have the ksh install and I told the system() command to launch /bin/bash. Long story short when bash spawns, it looks identical on my computer. HOWEVER, I discovered that the reason the injected code did not work was because I had 3bit addresses, therefore the last bit was either appended with a NOP or when I later attempted to correct the code, a 0x00 which terminates the string. Therefore the variable BUF is null terminated after the first address is overwritten. This means that the system command is executed but everything after that does not get overflowed on the stack because everything after the NULL is not placed in the buffer. This means that I am going to have to write some assembly code and place it in the 80 bytes of what we thought was unimportant data such that the code correctly appends 00's to the addresses of the system and exit functions as well as allow for reference to the myshell variable. I'm afraid this is a learning process for me so it might take me some time, but you better expect a detailed video with a working solution soon. :)

Vivek-Ramachandran on Sun 27 Feb 2011

I guess life is full of surprises :)

Sometimes, I feel it teaches one more when things do not work as desired.

So please, take your time and create a follow up video when you are done. I will post it with the series.

xplt on Thu 03 Mar 2011

Just correcting what sailboat said, it's not bits like you said "p system returned a 3 bit value instead of a 4bit value", it's byte. Just that. xP

I'm trying to do this on ubuntu 9.10, kernel 2.6.31-22, and I'm getting the same trouble. Some videos just didn't work because of the protections against stack, but when I figure it out, I contact here! =D

That's all. Vivek thank you for everything! Thank you for sharing your knowledge and experiences! You helped me A LOT to understand these things! I left a comment in every video, because I'm really grateful! Maybe some day we meet in some Black Hat or another conference! \o/

Thank you once more!
Best wishes!

xplt on Fri 04 Mar 2011

I went ahead like you did, but when I need to see the exactly address that is storing the "/bin/ksh", I get this:

(gdb) x/1s 0xbffffc79
0xbffffc79: "ll=/bin/ksh"
(gdb) x/1s 0xbffffc80
0xbffffc80: "/ksh"

I can't see! Please help me! =D

xplt on Fri 04 Mar 2011

I can't succeded doing on my Slackware 13.1 VM. In the last step, when I press 'Enter' to earn my new shell, it gaves segmentation fault... =/
I'm very sad! Because everything was working so good on slack! Can you help me?!
I review my code and everything is perfect, just one thing was odd. In the address of "Exit", in ret2libc.c, It looks like this: \x00\x4f\xe8\xb7, I had a null byte on the shellcode! Do you think that's because mine don't work?

H4TT1fn4TT on Sat 05 Mar 2011

And an other great collection. Can't wait to find out how to bypass the other types of protection.

Btw, Vivek. The book "The shellcoders handbook" that you recommended is it still up to date looking at the new types of security you discussed?

LiquidWorm on Sat 12 Mar 2011

Just to say hi and continue with the awesome videos. Explanations are very vividly and easy to understand. Thank you and continue this great contribution. Word is spread out here in Macedonia about these videos and ppl love them! Thanks again Vivek. Cheers ;)

M.Corleone on Sun 20 Mar 2011

I have a question, when I execute the GetEnvironmentVarAddr.c programm I get the address of my variable, but when I close my session and open it again,I get a different address of the same variable. Can anyone explain me why it is happening?
Thanks!

xplt on Mon 21 Mar 2011

M.Corleone this is happening because when you run any program, it's almost always allocate memory in a different place. It's not guaranteed that the address will be the same in another time, because depend of the process running on memory, and another things. You should study how the Operational System manage the memory and the process. I'd hope to be helpful.

M.Corleone on Mon 21 Mar 2011

xplt ,thanks for your answer.

xplt on Mon 21 Mar 2011

You're welcome! If you need something, I'll try to help! =D
Cheers! o/

Alexander on Tue 12 Apr 2011

"(gdb) x/1s 0xbffffc79
0xbffffc79: "ll=/bin/ksh"
(gdb) x/1s 0xbffffc80
0xbffffc80: "/ksh"

I can't see! Please help me! =D"





I had this problem to, the way I fixed it is by changing the name of the local variable. Changing it to myshelll instead of myshell I got it to work:

0xbffff84d: "myshelll=/bin/sh"
(gdb) x /1s 0xbffff84f
0xbffff84f: "shelll=/bin/sh"
(gdb) x /1s 0xbffff850
0xbffff850: "helll=/bin/sh"
(gdb) x /1s 0xbffff854
0xbffff854: "l=/bin/sh"
(gdb) x /1s 0xbffff855
0xbffff855: "=/bin/sh"
(gdb) x /1s 0xbffff856
0xbffff856: "/bin/sh"




Also Vivek, thanks for these great videos!

rails345 on Sun 12 Jun 2011

Thanks, I've very much enjoyed this series.

I'm also wondering if the future video on how to circumvent ASLR protection, discussed in this video, has been included elsewhere?

3ntropy on Sat 18 Jun 2011

Thank you vivek for your tutorials and hard work. I am really enjoying even though I done them before, but I learnt more. Can you make some video on Canary Attacks, I hardly could exploit the basic buffer with canary, but with a hint, that I knew what was the canary string.

J on Tue 05 Jul 2011

Very good video. I think you should make a video on bypassing both ASLR and NX at the same time. Most operating systems have both installed by default, and no tutorial has taught how to bypass both.

rK on Thu 08 Sep 2011

hi why does one need to create a sep env variable for "/bin/ksh". Why cant we just store it in a string as done in the previous examples

estenole on Thu 15 Sep 2011

No, because it you store the value on a string on the stack, the NX protection will forbid you to execute code stores on stack frame.

Im been trying the example but found a problem, my system and exit memory directions ends on 00, so the Ret2lib string gets corrupted and i end up with a buffer full or crap.

If i made the same steps changin both exit and systems memory locations to end on ff, i can print the stack while debugging exploitme2 and see the buffer correctly loaded.

How can i get rid of this problem ?

Vivek this videos are great !!!!!
Thank you !!

t0ph4tter on Wed 19 Oct 2011

I have been having the same problem, estenole. The null bytes in my system and exit addresses will not let this program work. I'd really appreciate if anyone has some insight as to how to get around this.

Thanks for the videos regardless. They are excellent!

prasanna78 on Wed 14 Dec 2011

Really excellent awesome amazing videos sir..super rocking performance.. and we need more videos like this sir....

Patcher on Wed 21 Dec 2011

(gdb) x/1s 0xbfe5a800
0xbfe5a800: <Address 0xbfe5a800="" out="" of="" bounds="">

any help

BTW amazing video..!!!

Patcher on Wed 21 Dec 2011

^^ i am trying to locate the address of myshell

Patcher on Wed 21 Dec 2011

test

Patcher on Wed 21 Dec 2011

<script>
document.write("test");
</script>

Patcher on Wed 21 Dec 2011

now its displaying just empty strings at the address of myshell

kingasmk on Mon 16 Jan 2012

Great series Vivek ,
but i have problem

this is the output
(gdb) p system
$1 = {<text variable,="" no="" debug="" info="">} 0x168950 <system>
the address is starting with 0x00
which means null termiator when adding it to my enviroment variable
how can i solve it?

NicoDividido on Tue 14 Feb 2012

There is whole procedure [ASCII armor bypass + return to plt] explained here:
http://dl.packetstormsecurity.net/papers/attack/lewt4-bypass.pdf
I couldn't make it work yet

NicoDividido on Wed 22 Feb 2012

FYI: This is still doable with latest debian squeeze [Disabling ASLR of course]. This document helped a lot: http://www.exploit-db.com/download_pdf/17131, remember the adress of exit can not contain a single null byte, in my case I had to use exit+4. Thanks Vivek for your efforts!

knowname on Fri 13 Apr 2012

Linux desktop 2.6.32-38-generic
2012 i686 GNU/Linux
Ubuntu 10.04.4 LTS

worked almost!
in the last step i got the message:
"stack smashing detected.. "
guess i´ll have to turn this off as well.