lord's easy linux crackme
http://www.crackmes.de/ has a large set of crackmes freely available for practice purposes.
Here is "easy linux crackme" by lord, with several methods of cracking it explained:
Objdump of program:
$ objdump -d blah

blah:     file format elf32-i386

Disassembly of section .text:

08048094 <.text>:
 8048094:       31 c0                   xor    %eax,%eax
 8048096:       b8 2f 00 00 00          mov    $0x2f,%eax
 804809b:       cd 80                   int    $0x80
 804809d:       3d ad de 00 00          cmp    $0xdead,%eax
 80480a2:       75 16                   jne    0x80480ba
 80480a4:       b8 04 00 00 00          mov    $0x4,%eax
 80480a9:       bb 01 00 00 00          mov    $0x1,%ebx
 80480ae:       b9 c4 90 04 08          mov    $0x80490c4,%ecx
 80480b3:       ba 06 00 00 00          mov    $0x6,%edx
 80480b8:       cd 80                   int    $0x80
 80480ba:       31 c0                   xor    %eax,%eax
 80480bc:       40                      inc    %eax
 80480bd:       31 db                   xor    %ebx,%ebx
 80480bf:       cd 80                   int    $0x80

The file syscall_table_32.S (/usr/src/linux/arch/x86/kernel/syscall_table_32.S) lists all the syscalls; looking up 0x2f there gives the "getgid" syscall.
The program uses it to compare the real gid of the process with 57005 (0xdead).
The lazy and nasty way: create a fake group:
# echo "blah:x:57005:myusername" >> /etc/group
$ ./blah
Okej!

Simply ugly, patch the binary:
Replacing the opcodes of the jne after the cmp instruction with nops:
$ echo -n -e "\x90\x90" > patch
$ dd if=patch of=blah bs=1 seek=162 conv=notrunc

File offset 162 (0xa2) is the jne at 0x80480a2, so the code now looks like this:
$ objdump -d blah

blah:     file format elf32-i386

Disassembly of section .text:

08048094 <.text>:
 8048094:       31 c0                   xor    %eax,%eax
 8048096:       b8 2f 00 00 00          mov    $0x2f,%eax
 804809b:       cd 80                   int    $0x80
 804809d:       3d ad de 00 00          cmp    $0xdead,%eax
 80480a2:       90                      nop
 80480a3:       90                      nop
 80480a4:       b8 04 00 00 00          mov    $0x4,%eax
 80480a9:       bb 01 00 00 00          mov    $0x1,%ebx
 80480ae:       b9 c4 90 04 08          mov    $0x80490c4,%ecx
 80480b3:       ba 06 00 00 00          mov    $0x6,%edx
 80480b8:       cd 80                   int    $0x80
 80480ba:       31 c0                   xor    %eax,%eax
 80480bc:       40                      inc    %eax
 80480bd:       31 db                   xor    %ebx,%ebx
 80480bf:       cd 80                   int    $0x80

Running after patching, with any group:
$ ./blah
Okej!

The good path, the loader:
The loader C code:
#include <stdio.h>
#include <stdlib.h>
#include <sys/types.h>
#include <unistd.h>

int main(int argc, char *argv[])
{
    /* setgid() to an arbitrary group is privileged, hence the sudo below */
    int mygid = getgid();
    char *const args[] = { "./blah", NULL };
    char *const envp[] = { NULL };

    printf("real gid: %i\n", mygid);
    printf("modifying mi gid...\n");
    if (setgid(57005) == -1) {
        perror("setgid");
        return EXIT_FAILURE;
    }
    printf("actual gid: %i\n", getgid());
    printf("try to run the bin...\n");
    /* the crackme inherits gid 57005; execve only returns on failure */
    execve("./blah", args, envp);
    perror("execve");
    setgid(mygid);
    printf("mi gid: %i\n", getgid());
    return EXIT_SUCCESS;
}
And running:

$ sudo ./shit
[sudo] password for user:
real gid: 0
modifying mi gid...
actual gid: 57005
try to run the bin...
Okej!

The beautiful way, ptracer:
The ptracer code:
#include <sys/ptrace.h>
#include <sys/types.h>
#include <sys/wait.h>
#include <unistd.h>
#include <sys/user.h>
#include <errno.h>
#include <sys/reg.h>
#include <stdio.h>

/* 32-bit tracer for the elf32 crackme: orig_eax and eip are the i386
   register names, so build this with -m32 on an x86_64 host. */
int main()
{
    pid_t child;
    long rc;
    struct user_regs_struct regs;
    char *const argv[] = { "./blah", NULL };
    char *const envp[] = { NULL };

    child = fork();
    if (child == 0) {
        ptrace(PTRACE_TRACEME, 0, NULL, NULL);
        execve("./blah", argv, envp);
        perror("execve");
        return 1;
    }
    else {
        wait(NULL);                                     /* stopped after exec */
        rc = ptrace(PTRACE_SYSCALL, child, NULL, NULL); /* run to next syscall */
        while(1)
        {
            wait(NULL);
            rc = ptrace(PTRACE_GETREGS, child, 0, &regs);
            if ( rc == -1 )
            {
                break;                                  /* child has exited */
            }
            if ( regs.orig_eax == 0x2f )                /* getgid entry stop */
            {
                printf("We gotcha!\n");
                /* eip already points past int $0x80, at cmp $0xdead,%eax;
                   eip+1 is the cmp's 32-bit immediate: overwrite it with our
                   own real gid so the compare succeeds */
                ptrace(PTRACE_POKEDATA, child, regs.eip+1, getgid());
                rc = ptrace(PTRACE_CONT, child, NULL, NULL);
            }
            else
            {
                /* some other syscall: keep stepping to the next one */
                rc = ptrace(PTRACE_SYSCALL, child, NULL, NULL);
            }
        }
    }
    return 0;
}
And running:

$ ./shit
We gotcha!
Okej!
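Both the dd patch (seek=162) and the ptracer (eip+1) depend on knowing exactly where the cmp/jne bytes sit. As an added example, not from the original post, here is a small patcher that derives the file offset from the ELF32 PT_LOAD program header instead of hard-coding it, and refuses to write unless the original "75 16" bytes are present, so the same check also tells you whether a copy of the binary has already been patched. The program header, image and .text bytes are constructed inline from the objdump above; the single PT_LOAD at p_vaddr 0x8048000 with p_offset 0 is an assumption (the layout that makes seek=162 land on 0x80480a2), and a real tool would read them from the file.

```c
#include <elf.h>
#include <stdint.h>
#include <string.h>

/* Virtual address -> file offset via the ELF32 PT_LOAD headers, or -1. */
long vaddr_to_offset(const Elf32_Phdr *ph, int n, uint32_t vaddr)
{
    for (int i = 0; i < n; i++) {
        if (ph[i].p_type != PT_LOAD) continue;
        if (vaddr >= ph[i].p_vaddr && vaddr < ph[i].p_vaddr + ph[i].p_filesz)
            return (long)(ph[i].p_offset + (vaddr - ph[i].p_vaddr));
    }
    return -1;
}

/* 0 = original jne "75 16", 1 = already "90 90", -1 = other (leave it). */
int jne_state(const unsigned char *img, size_t len, long off)
{
    if (off < 0 || (size_t)off + 2 > len) return -1;
    if (img[off] == 0x75 && img[off + 1] == 0x16) return 0;
    if (img[off] == 0x90 && img[off + 1] == 0x90) return 1;
    return -1;
}

/* Replace the jne with two nops only when the expected bytes are there. */
int nop_jne(unsigned char *img, size_t len, long off)
{
    if (jne_state(img, len, off) != 0) return -1;
    img[off] = img[off + 1] = 0x90;
    return 0;
}

/* Constructed stand-in for the crackme: one PT_LOAD mapping file offset 0 at
   0x8048000 (assumed; it makes seek=162 hit 0x80480a2), .text bytes at 0x94. */
#define IMG_LEN 0xc0
static unsigned char img[IMG_LEN];
static const Elf32_Phdr phdr = { .p_type = PT_LOAD, .p_offset = 0,
    .p_vaddr = 0x8048000, .p_filesz = IMG_LEN, .p_memsz = IMG_LEN };

/* Build the sample image, patch it, and return the resulting jne state. */
int demo(void)
{
    static const unsigned char text[] = { 0x31,0xc0, 0xb8,0x2f,0,0,0,
        0xcd,0x80, 0x3d,0xad,0xde,0,0, 0x75,0x16 };
    memset(img, 0, sizeof img);
    memcpy(img + 0x94, text, sizeof text);
    long off = vaddr_to_offset(&phdr, 1, 0x80480a2); /* 162, as in dd */
    if (nop_jne(img, sizeof img, off) != 0) return -1;
    return jne_state(img, sizeof img, off);
}
```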
Posted at BinaryCell