forked from bitvijays/bitvijays.github.io
-
Notifications
You must be signed in to change notification settings - Fork 0
/
LFCReverseEngineering.html
454 lines (443 loc) · 18.5 KB
/
LFCReverseEngineering.html
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
123
124
125
126
127
128
129
130
131
132
133
134
135
136
137
138
139
140
141
142
143
144
145
146
147
148
149
150
151
152
153
154
155
156
157
158
159
160
161
162
163
164
165
166
167
168
169
170
171
172
173
174
175
176
177
178
179
180
181
182
183
184
185
186
187
188
189
190
191
192
193
194
195
196
197
198
199
200
201
202
203
204
205
206
207
208
209
210
211
212
213
214
215
216
217
218
219
220
221
222
223
224
225
226
227
228
229
230
231
232
233
234
235
236
237
238
239
240
241
242
243
244
245
246
247
248
249
250
251
252
253
254
255
256
257
258
259
260
261
262
263
264
265
266
267
268
269
270
271
272
273
274
275
276
277
278
279
280
281
282
283
284
285
286
287
288
289
290
291
292
293
294
295
296
297
298
299
300
301
302
303
304
305
306
307
308
309
310
311
312
313
314
315
316
317
318
319
320
321
322
323
324
325
326
327
328
329
330
331
332
333
334
335
336
337
338
339
340
341
342
343
344
345
346
347
348
349
350
351
352
353
354
355
356
357
358
359
360
361
362
363
364
365
366
367
368
369
370
371
372
373
374
375
376
377
378
379
380
381
382
383
384
385
386
387
388
389
390
391
392
393
394
395
396
397
398
399
400
401
402
403
404
405
406
407
408
409
410
411
412
413
414
415
416
417
418
419
420
421
422
423
424
425
426
427
428
429
430
431
432
433
434
435
436
437
438
439
440
441
442
443
444
445
446
447
448
449
450
451
452
453
454
<!doctype html>
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="X-UA-Compatible" content="IE=Edge" />
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" /><script type="text/javascript">
var _gaq = _gaq || [];
_gaq.push(['_setAccount', 'UA-92365403-1']);
_gaq.push(['_trackPageview']);
(function() {
var ga = document.createElement('script'); ga.type = 'text/javascript'; ga.async = true;
ga.src = ('https:' == document.location.protocol ? 'https://ssl' : 'http://www') + '.google-analytics.com/ga.js';
var s = document.getElementsByTagName('script')[0]; s.parentNode.insertBefore(ga, s);
})();
</script>
<title>Learning from the CTF : Reverse Engineering — tech.bitvijays.com</title>
<link rel="stylesheet" href="_static/bizstyle.css" type="text/css" />
<link rel="stylesheet" href="_static/pygments.css" type="text/css" />
<script type="text/javascript" id="documentation_options" data-url_root="./" src="_static/documentation_options.js"></script>
<script type="text/javascript" src="_static/jquery.js"></script>
<script type="text/javascript" src="_static/underscore.js"></script>
<script type="text/javascript" src="_static/doctools.js"></script>
<script type="text/javascript" src="_static/bizstyle.js"></script>
<link rel="search" title="Search" href="search.html" />
<meta name="viewport" content="width=device-width,initial-scale=1.0">
<!--[if lt IE 9]>
<script type="text/javascript" src="_static/css3-mediaqueries.js"></script>
<![endif]-->
</head><body>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="nav-item nav-item-0"><a href="index.html">tech.bitvijays.com</a> »</li>
</ul>
</div>
<div class="sphinxsidebar" role="navigation" aria-label="main navigation">
<div class="sphinxsidebarwrapper">
<h3><a href="index.html">Table Of Contents</a></h3>
<ul>
<li><a class="reference internal" href="#">Learning from the CTF : Reverse Engineering</a><ul>
<li><a class="reference internal" href="#ida">IDA</a></li>
</ul>
</li>
<li><a class="reference internal" href="#appendix-i-assembly-basics">Appendix-I Assembly Basics</a><ul>
<li><a class="reference internal" href="#assembly-program">Assembly Program</a><ul>
<li><a class="reference internal" href="#data-section">Data Section</a></li>
<li><a class="reference internal" href="#bss-section">BSS Section</a></li>
<li><a class="reference internal" href="#text-section">Text Section</a></li>
<li><a class="reference internal" href="#comments">Comments</a></li>
<li><a class="reference internal" href="#assembly-language-statements">Assembly Language Statements</a></li>
</ul>
</li>
<li><a class="reference internal" href="#jump-statements">Jump Statements</a></li>
</ul>
</li>
</ul>
<h3>This Page</h3>
<ul class="this-page-menu">
<li><a href="_sources/LFCReverseEngineering.rst.txt"
rel="nofollow">Show Source</a></li>
<li><a href="https://github.com/bitvijays/bitvijays.github.io-sphinx/blob/master/docs/LFCReverseEngineering.rst"
rel="nofollow">Show on GitHub</a></li>
<li><a href="https://github.com/bitvijays/bitvijays.github.io-sphinx/edit/master/docs/LFCReverseEngineering.rst"
rel="nofollow">Edit on GitHub</a></li>
</ul>
<div id="searchbox" style="display: none" role="search">
<h3>Quick search</h3>
<div class="searchformwrapper">
<form class="search" action="search.html" method="get">
<input type="text" name="q" />
<input type="submit" value="Go" />
<input type="hidden" name="check_keywords" value="yes" />
<input type="hidden" name="area" value="default" />
</form>
</div>
</div>
<script type="text/javascript">$('#searchbox').show(0);</script>
</div>
</div>
<div class="document">
<div class="documentwrapper">
<div class="bodywrapper">
<div class="body" role="main">
<div class="section" id="learning-from-the-ctf-reverse-engineering">
<h1>Learning from the CTF : Reverse Engineering<a class="headerlink" href="#learning-from-the-ctf-reverse-engineering" title="Permalink to this headline">¶</a></h1>
<p>This post lists the learnings from the CTF while doing Reverse Engineering.</p>
<p>If we are provided with a binary to reverse engineer, for example asking for password.</p>
<ul class="simple">
<li>file: The first step is to run file command on the binary which would tell us whether it is 32/64 bit or statically/dynamically linked etc.</li>
</ul>
<blockquote>
<div><div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>bitvijays@kali:~/Desktop/CTF/31C3$ file cfy
cfy: ELF <span class="m">64</span>-bit LSB executable, x86-64, version <span class="m">1</span> <span class="o">(</span>SYSV<span class="o">)</span>, dynamically linked <span class="o">(</span>uses shared libs<span class="o">)</span>, <span class="k">for</span> GNU/Linux <span class="m">2</span>.6.24, BuildID<span class="o">[</span>sha1<span class="o">]=</span>0x9bc623f046535fba50a2124909fb871e5daf198e, not stripped
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>The second step could be running strings or “hexdump -C” on it, specially in the case of very simple re challenges like asking for password and stored in an array.</li>
</ul>
<blockquote>
<div><div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>bitvijays@kali:~$ strings check
/lib/ld-linux.so.2
D$,1
D$%secrf
D$<span class="o">)</span>et
D$ love
T$,e3
<span class="o">[</span>^_<span class="o">]</span>
password:
/bin/sh
Wrong password, Good Bye ...
<span class="p">;</span>*2$<span class="s2">"</span>
</pre></div>
</div>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>hexdump -C check <span class="p">|</span> more
<span class="m">00000540</span> <span class="m">31</span> c0 c7 <span class="m">44</span> <span class="m">24</span> <span class="m">18</span> <span class="m">73</span> <span class="m">65</span> <span class="m">78</span> <span class="m">00</span> c7 <span class="m">44</span> <span class="m">24</span> <span class="m">25</span> <span class="m">73</span> <span class="m">65</span> <span class="p">|</span><span class="m">1</span>..D$.sec..D$%se<span class="p">|</span>
<span class="m">00000550</span> <span class="m">63</span> <span class="m">72</span> <span class="m">66</span> c7 <span class="m">44</span> <span class="m">24</span> <span class="m">29</span> <span class="m">65</span> <span class="m">74</span> c6 <span class="m">44</span> <span class="m">24</span> 2b <span class="m">00</span> c7 <span class="m">44</span> <span class="p">|</span>crf.D$<span class="o">)</span>et.D$+..D<span class="p">|</span>
<span class="m">00000560</span> <span class="m">24</span> 1c <span class="m">67</span> 6f <span class="m">64</span> <span class="m">00</span> c7 <span class="m">44</span> <span class="m">24</span> <span class="m">20</span> 6c 6f <span class="m">76</span> <span class="m">65</span> c6 <span class="m">44</span> <span class="p">|</span>$.god..D$ love.D<span class="p">|</span>
</pre></div>
</div>
</div></blockquote>
<ul class="simple">
<li>The next step could be running strace or ltrace on the binary. strace: trace system calls and signals ltrace: A library call tracer</li>
<li>GDB Commands:</li>
</ul>
<blockquote>
<div><div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>info file: Tell us about the entry points:
info functions: Tell us about the functions in the binary.
</pre></div>
</div>
</div></blockquote>
<div class="section" id="ida">
<h2>IDA<a class="headerlink" href="#ida" title="Permalink to this headline">¶</a></h2>
<ul class="simple">
<li>Search strings in IDA: Enter the “strings window” by either press shift+F12 or go to View > Open Subviews > Strings in the toolbar.</li>
</ul>
</div>
</div>
<div class="section" id="appendix-i-assembly-basics">
<h1>Appendix-I Assembly Basics<a class="headerlink" href="#appendix-i-assembly-basics" title="Permalink to this headline">¶</a></h1>
<div class="section" id="assembly-program">
<h2>Assembly Program<a class="headerlink" href="#assembly-program" title="Permalink to this headline">¶</a></h2>
<p>An assembly program can be divided into three sections</p>
<ul class="simple">
<li>The data section,</li>
<li>The bss section, and</li>
<li>The text section</li>
</ul>
<div class="section" id="data-section">
<h3>Data Section<a class="headerlink" href="#data-section" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li>Used for declaring initialized data or constants.</li>
<li>Doesn’t change at runtime</li>
<li>Can declare various constant values, filenames or buffer sizes.</li>
</ul>
<p>Syntax</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>section.data
</pre></div>
</div>
</div>
<div class="section" id="bss-section">
<h3>BSS Section<a class="headerlink" href="#bss-section" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li>Used for declaring variables</li>
</ul>
<p>Syntax</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>section.bss
</pre></div>
</div>
</div>
<div class="section" id="text-section">
<h3>Text Section<a class="headerlink" href="#text-section" title="Permalink to this headline">¶</a></h3>
<ul class="simple">
<li>Used for keeping the actual code.</li>
<li>Must begin with the declaration global _start which tells the kernel where the program execution begins.</li>
</ul>
<p>Syntax</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>section.text
global _start
_start:
</pre></div>
</div>
</div>
<div class="section" id="comments">
<h3>Comments<a class="headerlink" href="#comments" title="Permalink to this headline">¶</a></h3>
<p>Assembly language comment begins with a semicolon (;). It may contain any printable character including blank. It can appear on a line by itself, like −</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>; This program displays a message on screen
</pre></div>
</div>
<p>or, on the same line along with an instruction, like</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>add eax, ebx ; adds ebx to eax
</pre></div>
</div>
</div>
<div class="section" id="assembly-language-statements">
<h3>Assembly Language Statements<a class="headerlink" href="#assembly-language-statements" title="Permalink to this headline">¶</a></h3>
<p>Assembly language programs consist of three types of statements</p>
<ul class="simple">
<li>Executable instructions or instructions tells the processor what to do. Each instruction consists of an operation code (opcode). Each executable instruction generates one machine language instruction.</li>
<li>Assembler directives or pseudo-ops tell the assembler about the various aspects of the assembly process. These are non-executable and do not generate machine language instructions.</li>
<li>Macros are basically a text substitution mechanism.</li>
</ul>
<p>Syntax</p>
<p>Entered one statement per line with the following format</p>
<div class="highlight-None notranslate"><div class="highlight"><pre><span></span>[label] mnemonic [operands] [;comment]
</pre></div>
</div>
<p>The fields in the square brackets are optional. A basic instruction has two parts,</p>
<ul class="simple">
<li>the first one is the name of the instruction (or the mnemonic), which is to be executed, and</li>
<li>the second are the operands or the parameters of the command.</li>
</ul>
</div>
</div>
<div class="section" id="jump-statements">
<h2>Jump Statements<a class="headerlink" href="#jump-statements" title="Permalink to this headline">¶</a></h2>
<p>Signedness doesn’t matter.</p>
<table border="1" class="docutils">
<colgroup>
<col width="11%" />
<col width="42%" />
<col width="18%" />
<col width="28%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Instr</th>
<th class="head">Description</th>
<th class="head">signed-ness</th>
<th class="head">Flags</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>JO</td>
<td>Jump if overflow</td>
<td> </td>
<td>OF = 1</td>
</tr>
<tr class="row-odd"><td>JNO</td>
<td>Jump if not overflow</td>
<td> </td>
<td>OF = 0</td>
</tr>
<tr class="row-even"><td>JS</td>
<td>Jump if sign</td>
<td> </td>
<td>SF = 1</td>
</tr>
<tr class="row-odd"><td>JNS</td>
<td>Jump if not sign</td>
<td> </td>
<td>SF = 0</td>
</tr>
<tr class="row-even"><td>JE/
JZ</td>
<td>Jump if equal
Jump if zero</td>
<td> </td>
<td>ZF = 1</td>
</tr>
<tr class="row-odd"><td>JNE/
JNZ</td>
<td>Jump if not equal
Jump if not zero</td>
<td> </td>
<td>ZF = 0</td>
</tr>
<tr class="row-even"><td>JP/
JPE</td>
<td>Jump if parity
Jump if parity even</td>
<td> </td>
<td>PF = 1</td>
</tr>
<tr class="row-odd"><td>JNP/
JPO</td>
<td>Jump if no parity
Jump if parity odd</td>
<td> </td>
<td>PF = 0</td>
</tr>
<tr class="row-even"><td>JCXZ/
JECXZ</td>
<td>Jump if CX is zero
Jump if ECX is zero</td>
<td> </td>
<td>CX = 0
ECX = 0</td>
</tr>
</tbody>
</table>
<p>Unsigned Ones</p>
<table border="1" class="docutils">
<colgroup>
<col width="11%" />
<col width="42%" />
<col width="18%" />
<col width="28%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Instr</th>
<th class="head">Description</th>
<th class="head">signed-ness</th>
<th class="head">Flags</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>JB/
JNAE/
JC</td>
<td>Jump if below
Jump if not above or equal
Jump if carry</td>
<td>unsigned</td>
<td>CF = 1</td>
</tr>
<tr class="row-odd"><td>JNB/
JAE/
JNC</td>
<td>Jump if not below
Jump if above or equal
Jump if not carry</td>
<td>unsigned</td>
<td>CF = 0</td>
</tr>
<tr class="row-even"><td>JBE/
JNA</td>
<td>Jump if below or equal
Jump if not above</td>
<td>unsigned</td>
<td>CF = 1 or ZF = 1</td>
</tr>
<tr class="row-odd"><td>JA/
JNBE</td>
<td>Jump if above
Jump if not below or equal</td>
<td>unsigned</td>
<td>CF = 0 and ZF = 0</td>
</tr>
</tbody>
</table>
<p>Signed Ones</p>
<table border="1" class="docutils">
<colgroup>
<col width="11%" />
<col width="42%" />
<col width="18%" />
<col width="28%" />
</colgroup>
<thead valign="bottom">
<tr class="row-odd"><th class="head">Instr</th>
<th class="head">Description</th>
<th class="head">signed-ness</th>
<th class="head">Flags</th>
</tr>
</thead>
<tbody valign="top">
<tr class="row-even"><td>JL/
JNGE</td>
<td>Jump if less
Jump if not greater or equal</td>
<td>signed</td>
<td>SF <> OF</td>
</tr>
<tr class="row-odd"><td>JGE/
JNL</td>
<td>Jump if greater or equal
Jump if not less</td>
<td>signed</td>
<td>SF = OF</td>
</tr>
<tr class="row-even"><td>JLE/
JNG</td>
<td>Jump if less or equal
Jump if not greater</td>
<td>signed</td>
<td>ZF = 1 or SF <> OF</td>
</tr>
<tr class="row-odd"><td>JG/
JNLE</td>
<td>Jump if greater
Jump if not less or equal</td>
<td>signed</td>
<td>ZF = 0 and SF = OF</td>
</tr>
</tbody>
</table>
<ul class="simple">
<li>Consider a binary which is setuid and used to read files.</li>
</ul>
<blockquote>
<div><div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>leviathan2@melinda:~$ ./printfile
*** File Printer ***
Usage: ./printfile filename
leviathan2@melinda:~$ ls -la
-r-sr-x--- <span class="m">1</span> leviathan3 leviathan2 <span class="m">7498</span> Nov <span class="m">14</span> <span class="m">10</span>:32 printfile
</pre></div>
</div>
<p>We need to read</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>leviathan2@melinda:~$ ls -l /etc/leviathan_pass/leviathan3
-r-------- <span class="m">1</span> leviathan3 leviathan3 <span class="m">11</span> Nov <span class="m">14</span> <span class="m">10</span>:32 /etc/leviathan_pass/leviathan3
</pre></div>
</div>
<p>Let’s see the ltrace of the binary while accessing a file which we are allowed to read</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>leviathan2@melinda:~$ ltrace ./printfile /etc/leviathan_pass/leviathan2
__libc_start_main<span class="o">(</span>0x804852d, <span class="m">2</span>, 0xffffd774, 0x8048600 <unfinished ...>
access<span class="o">(</span><span class="s2">"/etc/leviathan_pass/leviathan2"</span>, <span class="m">4</span><span class="o">)</span> <span class="o">=</span> <span class="m">0</span>
snprintf<span class="o">(</span><span class="s2">"/bin/cat /etc/leviathan_pass/lev"</span>..., <span class="m">511</span>, <span class="s2">"/bin/cat %s"</span>, <span class="s2">"/etc/leviathan_pass/leviathan2"</span><span class="o">)</span> <span class="o">=</span> <span class="m">39</span>
system<span class="o">(</span><span class="s2">"/bin/cat /etc/leviathan_pass/lev"</span>...ougahZi8Ta
<no <span class="k">return</span> ...>
--- SIGCHLD <span class="o">(</span>Child exited<span class="o">)</span> ---
<... system resumed> <span class="o">)</span> <span class="o">=</span> <span class="m">0</span>
+++ exited <span class="o">(</span>status <span class="m">0</span><span class="o">)</span> +++
</pre></div>
</div>
<p>So it’s a matter of tricking access(), if the call to access() succeeds then it calls system(“cat file”), so if pass the argument printfile / etc/issue, then it works. We can get around it by using a space in our file name. Eg: touch foobar. then we create a symlink to the password file and call it foo. ln -s /etc/leviathanpass/leviathan3 foo</p>
<div class="highlight-bash notranslate"><div class="highlight"><pre><span></span>leviathan2@melinda:~$ mkdir /tmp/levi
leviathan2@melinda:~$ <span class="nb">cd</span> /tmp/levi
leviathan2@melinda:/tmp/levi$ ls
leviathan2@melinda:/tmp/levi$ ln -s /etc/leviathan_pass/leviathan3 ./foo
leviathan2@melinda:/tmp/levi$ touch foo<span class="se">\ </span>bar
leviathan2@melinda:/tmp/levi$ ~/printfile foo<span class="se">\ </span>bar
Ahdiemoo1j
/bin/cat: bar: No such file or directory
</pre></div>
</div>
</div></blockquote>
</div>
</div>
</div>
</div>
</div>
<div class="clearer"></div>
</div>
<div class="related" role="navigation" aria-label="related navigation">
<h3>Navigation</h3>
<ul>
<li class="nav-item nav-item-0"><a href="index.html">tech.bitvijays.com</a> »</li>
</ul>
</div>
<div class="footer" role="contentinfo">
© Copyright 2017, Vijay Kumar.
</div>
</body>
</html>