24 January 2010

lord's easy linux crackme

http://www.crackmes.de/ has a large set of crackmes freely available for practice purposes.

Here is "easy linux crackme" by lord, with various methods of solving it explained:

Objdump of program:
$ objdump -d blah
blah:     file format elf32-i386
Disassembly of section .text:
08048094 <.text>:
 8048094:       31 c0                   xor    %eax,%eax
 8048096:       b8 2f 00 00 00          mov    $0x2f,%eax
 804809b:       cd 80                   int    $0x80
 804809d:       3d ad de 00 00          cmp    $0xdead,%eax
 80480a2:       75 16                   jne    0x80480ba
 80480a4:       b8 04 00 00 00          mov    $0x4,%eax
 80480a9:       bb 01 00 00 00          mov    $0x1,%ebx
 80480ae:       b9 c4 90 04 08          mov    $0x80490c4,%ecx
 80480b3:       ba 06 00 00 00          mov    $0x6,%edx
 80480b8:       cd 80                   int    $0x80
 80480ba:       31 c0                   xor    %eax,%eax
 80480bc:       40                      inc    %eax
 80480bd:       31 db                   xor    %ebx,%ebx
 80480bf:       cd 80                   int    $0x80
The file syscall_table_32.S (/usr/src/linux/arch/x86/kernel/syscall_table_32.S) lists all 32-bit syscall numbers; looking up 0x2f we find the "getgid" syscall.

The binary uses it to compare the actual gid with 57005 (0xdead).

The lazy and nasty way, create a fake group (careful: `>` overwrites the whole of /etc/group rather than appending to it):
# echo "blah:x:57005:myusername" > /etc/group
$ ./blah
Okej!
Simple and ugly, patch the binary:
Replacing the two opcode bytes of the jne instruction (at 0x80480a2, file offset 162) with nops:
$ echo -n -e \\x90\\x90 > patch
$ dd if=patch of=blah bs=1 seek=162 conv=notrunc
After patching, the code looks like this:
$ objdump -d blah
blah:     file format elf32-i386
Disassembly of section .text:
08048094 <.text>:
 8048094:    31 c0                    xor    %eax,%eax
 8048096:    b8 2f 00 00 00           mov    $0x2f,%eax
 804809b:    cd 80                    int    $0x80
 804809d:    3d ad de 00 00           cmp    $0xdead,%eax
 80480a2:    90                       nop
 80480a3:    90                       nop
 80480a4:    b8 04 00 00 00           mov    $0x4,%eax
 80480a9:    bb 01 00 00 00           mov    $0x1,%ebx
 80480ae:    b9 c4 90 04 08           mov    $0x80490c4,%ecx
 80480b3:    ba 06 00 00 00           mov    $0x6,%edx
 80480b8:    cd 80                    int    $0x80
 80480ba:    31 c0                    xor    %eax,%eax
 80480bc:    40                       inc    %eax
 80480bd:    31 db                    xor    %ebx,%ebx
 80480bf:    cd 80                    int    $0x80
After patching it runs with any group:
$ ./blah
Okej!
The good way, a loader:
The loader C code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>
 
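/*
 * Loader: switch the process group id to the one the target compares
 * against, then exec the target so it inherits that gid.  setgid() to an
 * arbitrary gid needs privileges; the page runs this under sudo.
 *
 * On success execve() does not return.  If setgid() fails we stop, since
 * the run would be pointless; if execve() fails we report it, restore the
 * original gid and return EXIT_FAILURE.
 */
int main(int argc, char *argv[])
{
    (void)argc;
    (void)argv;

    gid_t mygid = getgid();

    printf("real gid: %i\n", (int)mygid);
    printf("modifying mi gid...\n");
    /* Unchecked in the original: a failed setgid() silently ran the target
     * with the wrong gid. */
    if (setgid(57005) != 0) {
        perror("setgid");
        return EXIT_FAILURE;
    }
    printf("actual gid: %i\n", (int)getgid());
    printf("try to run the bin...\n");

    /* execve() does not search PATH and POSIX requires a non-NULL argv
     * with argv[0] set, so pass explicit vectors instead of NULL. */
    char *const target_argv[] = { "./blah", NULL };
    char *const target_envp[] = { NULL };
    execve(target_argv[0], target_argv, target_envp);

    /* Only reached when execve() failed. */
    perror("execve");
    if (setgid(mygid) != 0) {
        perror("setgid (restore)");
    }
    printf("mi gid: %i\n", (int)getgid());
    return EXIT_FAILURE;
}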
And running:
$ sudo ./shit
[sudo] password for user:
real gid: 0
modifying mi gid...
actual gid: 57005
try to run the bin...
Okej!
The beautiful way, a ptrace-based tracer:
The loader code:
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/user.h>
#include <errno.h>
#include <sys/reg.h>
#include <stdio.h>
 
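/*
 * Tracer: run the target under ptrace, stop at the syscall entry of getgid
 * (0x2f on 32-bit x86) and overwrite the 4-byte immediate of the
 * cmp $0xdead,%eax that follows the int $0x80 with our own gid, so the
 * comparison succeeds without modifying the file or /etc/group.
 *
 * Reads regs.orig_eax / regs.eip, so both this tracer and the target must
 * be 32-bit x86 (the target is elf32-i386).
 *
 * Returns 0 when the child has been traced to completion, 1 when the
 * child could not be started.
 */
int main(void)
{
    pid_t child;
    long rc;
    int status;
    struct user_regs_struct regs;

    child = fork();
    if (child == -1) {
        perror("fork");
        return 1;
    }
    if (child == 0) {
        /* Child: ask to be traced, then exec the target. */
        char *const target_argv[] = { "blah", NULL };
        char *const target_envp[] = { NULL };
        if (ptrace(PTRACE_TRACEME, 0, NULL, NULL) == -1) {
            perror("ptrace(PTRACE_TRACEME)");
            _exit(127);
        }
        execve(target_argv[0], target_argv, target_envp);
        /* Only reached if execve() failed; the original fell through into
         * the parent's return here. */
        perror("execve");
        _exit(127);
    }

    /* Parent: the first stop is the SIGTRAP after the child's successful
     * execve(). */
    if (waitpid(child, &status, 0) == -1) {
        perror("waitpid");
        return 1;
    }
    if (WIFEXITED(status) || WIFSIGNALED(status)) {
        fprintf(stderr, "child exited before it could be traced\n");
        return 1;
    }
    rc = ptrace(PTRACE_SYSCALL, child, NULL, NULL);
    if (rc == -1) {
        perror("ptrace(PTRACE_SYSCALL)");
        return 1;
    }

    while (1) {
        if (waitpid(child, &status, 0) == -1) {
            perror("waitpid");
            break;
        }
        /* Child is gone: nothing left to inspect. */
        if (WIFEXITED(status) || WIFSIGNALED(status)) {
            break;
        }
        rc = ptrace(PTRACE_GETREGS, child, 0, &regs);
        if (rc == -1) {
            perror("ptrace(PTRACE_GETREGS)");
            break;
        }
        if (regs.orig_eax == 0x2f) {
            printf("We gotcha!\n");
            /* At a syscall stop eip already points past int $0x80, at the
             * cmp $imm32,%eax (opcode 3d); eip+1 is its 4-byte immediate. */
            if (ptrace(PTRACE_POKEDATA, child,
                       (void *)(unsigned long)(regs.eip + 1),
                       (void *)(unsigned long)getgid()) == -1) {
                perror("ptrace(PTRACE_POKEDATA)");
            }
            /* Patched; let the child run to completion. */
            rc = ptrace(PTRACE_CONT, child, NULL, NULL);
        } else {
            /* The original never resumed the child here, so any syscall
             * other than getgid left it stopped and wait() blocked forever.
             * Keep stepping to the next syscall stop instead. */
            rc = ptrace(PTRACE_SYSCALL, child, NULL, NULL);
        }
        if (rc == -1) {
            perror("ptrace(resume)");
            break;
        }
    }
    return 0;
}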
And running:
$ ./shit 
We gotcha!
Okej!

Posted at BinaryCell
