11 - Addis Ababa
There is no login function; everything is done in main, so we cannot smash the stack to control execution. Our attack point is at 447C: there is a call to printf there for which we can forge a format string attack. Looking a few instructions ahead, we can see that, when printf is called, at SP+2 there is the flag returned by test_password_valid, so we need a way to modify it. Reading the specification of this printf, the "%n" token takes its argument as an address in which to write the number of characters already printed. Let's take a closer look at the stack:
- SP+0: address of the format string (=SP+4)
- SP+2: flag (=0x00)
- SP+4: format string (=our input)
Our input is therefore:
SP+2 (little endian) + %x%n
When printf is called, it will print 2 characters (those of the address SP+2), then it will parse %x and do nothing because SP+2 is 0x00, and finally, parsing %n, it will write 2 (the number of bytes printed) to the address specified at SP+4, that is, to SP+2.
12 - Novosibirsk
Similar to the previous one, but this time we cannot modify any flag to make it open the lock, so we go with a more radical change: we use the printf at 4476 to modify the code of conditional_unlock_door so that instead of calling interrupt 0x7e (check and open remotely) it calls interrupt 0x7f (open lock). This is done by modifying the instruction at 44c6 to make it push 0x7f.
Input: c844 (addr of byte to change) + 125 random bytes + "%n"
This will print 127 characters and then write 127 (0x7f) at 44c8.
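Both of these levels work only because user input reaches printf as the format itself. As an added example (not code from the write-up; function names are illustrative), the C below shows what "%n" does in a well-defined call, the vulnerable and the hardened calling pattern side by side, and a guard that spots conversion specifiers in untrusted input.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not code from the original write-up; function names are
 * illustrative. Both levels work only because user input is passed to
 * printf as the *format*, so "%" sequences in it are interpreted. */

/* What "%n" does when used legitimately: it stores the number of characters
 * emitted so far into the int its argument points to. With a literal format
 * and a real int* this is well-defined. Returns that count (7 here). */
int chars_counted_by_n(void) {
    char out[32];
    int count = -1;
    snprintf(out, sizeof out, "%s%n", "abcdefg", &count);
    return count;
}

/* Vulnerable pattern: the untrusted string is the format. gcc's
 * -Wformat-security flags exactly this call, which is the cheapest way to
 * find such sites in a code base. Never call it with untrusted input. */
int render_vulnerable(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, untrusted);
}

/* Hardened pattern: the format is a literal and the data only fills %s, so
 * "%x%n" in the input is printed as text and consumes no arguments. */
int render_safe(char *out, size_t n, const char *untrusted) {
    return snprintf(out, n, "%s", untrusted);
}

/* Runtime guard for sites that cannot be refactored yet: 1 if the string
 * holds any conversion specifier ("%" not escaped as "%%"), else 0. */
int has_conversion(const char *s) {
    for (; *s; s++) {
        if (*s != '%') continue;
        if (s[1] == '%') { s++; continue; }
        return 1;
    }
    return 0;
}

/* Side by side on the harmless input "100%%": interpreted as a format it
 * renders "100%", passed through %s it stays "100%%". Returns 1 if so. */
int percent_is_interpreted_only_when_format(void) {
    char a[16], b[16];
    render_vulnerable(a, sizeof a, "100%%");
    render_safe(b, sizeof b, "100%%");
    return strcmp(a, "100%") == 0 && strcmp(b, "100%%") == 0;
}
```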
13 - Algiers
No more buffer overflow; this time we have to work with the heap. Trying some oversized username/password we can see that we get an invalid access in the free function. Looking at the code we find a nice set of instructions:
add #0xfffa, r15
...
mov @r15, r14
...
mov 0x2(r15), 0x2(r14)
where r15 contains the address of the memory block to free.
The data structure that occupies the 6 bytes before the block is the header, which contains a link to the previous block, a link to the next one, the size of the block and a bit which states whether it is allocated or not.
If we can modify this header we can write 2 bytes to any location we want.
In our case this can be done because two blocks of 16 bytes each are allocated one next to the other, but there is no check on the length of the input, so feeding in a username that is 20 bytes long overwrites the two links in the header of the password memory block. To take advantage of this we will write a jmp 0x30 after the last move instruction, so that it will jump directly to unlock_door.
The username will be:
16 random bytes + addr_to_modify-2 + jmp 0x30 opcode
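The unlink store above is the whole primitive: free() trusts the two links in the header. As an added example (not code from the write-up; struct and function names are illustrative), the C below models that header and contrasts the unchecked store with the safe-unlinking check that refuses a corrupted header.

```c
#include <stddef.h>
#include <stdint.h>

/* Added example, not code from the original write-up; names are illustrative.
 * It models the 6-byte header in front of each block (prev link, next link,
 * size with in-use bit). The level's free() does the equivalent of
 *     p->prev->next = p->next;
 * with no validation, so overrunning into the neighbouring block's header
 * turns that store into "write 2 chosen bytes at a chosen address". The
 * checked variant is the safe-unlinking test that modern allocators apply. */
typedef struct hdr {
    struct hdr *prev;
    struct hdr *next;
    uint16_t size_flags;   /* block size, low bit set when allocated */
} hdr;

/* Unchecked unlink, mirroring the disassembled store: trusts the header. */
static void unlink_unchecked(hdr *p) {
    p->prev->next = p->next;
}

/* Hardened unlink: both neighbours must point back at p, otherwise the
 * header was corrupted and nothing is written. Returns 0 on success. */
int unlink_checked(hdr *p) {
    if (p->prev == NULL || p->prev->next != p) return -1;
    if (p->next != NULL && p->next->prev != p) return -1;
    p->prev->next = p->next;
    if (p->next != NULL) p->next->prev = p->prev;
    return 0;
}

/* Intact chain a <-> b <-> c: freeing b must succeed and relink a to c. */
int intact_unlink_ok(void) {
    hdr a = {0}, b = {0}, c = {0};
    a.next = &b; b.prev = &a; b.next = &c; c.prev = &b;
    return unlink_checked(&b) == 0 && a.next == &c && c.prev == &a;
}

/* Corrupted header as the oversized username leaves it: b.prev aims at the
 * target word (a local stand-in here), b.next holds the 2 bytes to plant.
 * Returns 1 when the checked unlink refuses and the unchecked one lands. */
int corrupted_unlink_detected(void) {
    hdr target = {0}, b = {0};
    hdr *planted = (hdr *)(uintptr_t)0x3030;  /* constructed value, never dereferenced */
    b.prev = &target;
    b.next = planted;
    int rejected = unlink_checked(&b) == -1 && target.next == NULL;
    unlink_unchecked(&b);                     /* what the level's free() does */
    return rejected && target.next == planted;
}
```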
14 - Vladivostok
We have a new feature: ASLR. Again, trying some manual fuzzing we see that a long password overwrites the return address, but the problem is how to find the address to jump to. Inspecting the code a bit we see that the username is printed out using printf, so maybe we can use some format string tricks. In fact, feeding the username "%x%x" prints out the address of printf. At this point, knowing that INT is at an offset of 0x182 from printf, we can easily create our malicious password:
8 random bytes + (addr_printf + 0x182) + 2 random bytes + 7f00
15 - Bangalore
Again a new defense, this time DEP. Knowing that DEP is enabled, we will surely have to use ROP (Return Oriented Programming). Moreover, in this particular case there seems to be an implementation error, as there is no way for the code to unlock the door: whatever password you put in, it will always tell you it is wrong and then terminate. This means that we have to manually create the correct interrupt call and execute it. As always, feeding a password of more than 16 bytes overwrites the return address of login.
Summing up: ROP is our first way to direct execution, then we have to enable execution in the page containing our input, in which we have to put a manual INT 0x7f, and finally we have to jump to it.
Let's take a look at mark_page_executable:
44b6: 0312 push #0x0
44b8: 0e12 push r14
...
44be: 3240 0091 mov #0x9100, sr
44c2: b012 1000 call #0x10
It pushes 0x00 and the page number on the stack before the interrupt. What we will do is set up the stack with 0x00 and our buffer's page number (0x3f) and jump past the push instructions.
Now we have to create our shellcode:
mov #0xff00, sr
call #0x10
These instructions are equivalent to INT 0x7f.
Finally our password will be:
shellcode (8 bytes) +
8 random bytes +
0x44ba (address in mark_page_executable) +
0x003f +
0x0000 (parameters of the function) +
0x3fee (address of the shellcode)