Tuesday 24 April 2018, 01:25  #1
App - System : ARM -Remote- Basic Stackoverflow
jam
  • 99 posts

Hi all,

Although the challenge should be an easy one, it is in fact not an easy shot. I tried several ways. The challenge randomizes the address layout of the given buffer, and I could manage to disable this feature locally, but for now I do not have an idea how it could be done remotely (without brute forcing).

I tried to understand my own C-written code in an ARM debugger and I have seen the stack smash under control of the stack protector. I have also disabled this one locally. After that, I launched my code and I was able to follow its behavior by sending an arbitrary address at the end of the string, and it worked.

I have filled up a buffer with shellcode (/bin/sh), then with nonsense data, and at the end the address of the shellcode. It says illegal instruction. As I did before, it was not a sort of 0x000xyxyx address, it is like 0xbexyxyxx, and I was not able to control it even locally. There is something I have not seen so far, but anyway.

There is something more: the randomized address volume could be brute forced as I said before, there are only 16^4 possibilities, but it is written that brute force is not needed. I could not even get my shellcode to run locally, so how to manage it remotely... I think I have enough for tonight.

The clue is to guess the count of the arbitrary string. E.g. if the buffer is 10 bytes long, it could mean more bytes are needed to be able to smash the stack.

Thx for reading,

I am also ready to help you further if you need to. PM or mail me.

Tuesday 24 April 2018, 21:39  #2
jam
  • 99 posts

Hi all,

I could manage the shellcode and pointed at my code. Unfortunately there is a sexy problem. The requested input is written as characters or read from a file. The output is, as known, the hex bytes. What I mean is the following: if there is a 0x0a in your code, it will jump down and enter the code. I tried other shellcodes but with no luck: illegal instruction. Next time I will try harder and test my own generated code without a 0x0a. I hope it will work.
I guess the entry point could be a problem, which means if the function is at 0x0021 then the IP should be 0x0022. Whatever...

Kissy kissy
so long,
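The two posts above run into three separate things: a line-oriented read that stops at the first 0x0a, bytes the shellcode therefore cannot contain, and what the low bit of the overwritten return address means on ARM. The C program below is an added example written for this thread, not the challenge binary and not jam's code. It mimics an fgets-style read to show where a payload with an embedded newline gets cut, scans a blob for bytes the input path cannot carry, and applies the ARM interworking rule (bx, and on ARMv5T and later also pop {pc}, switch to Thumb when bit 0 of the target is set and jump to the address with that bit cleared, which is one common reason an ARM-encoded shellcode faults with an illegal instruction). The "AAAA\nBBBB" payload, the two instruction encodings (mov r1, #10 carries a 0x0a byte; mov r1, #11 followed by sub r1, r1, #1 does not) and the 0xbefff021 address are constructed for illustration.

```c
/* Added example for the thread above; not the challenge's code.
 * Sample payload, instruction bytes and addresses are constructed. */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Mimic fgets(dst, dstsz, stream) over an in-memory payload: copy at most
 * dstsz-1 bytes, stop right after the first '\n', NUL-terminate.
 * Returns how many payload bytes actually land in dst; everything after
 * the newline never reaches the buffer. */
size_t line_read(unsigned char *dst, size_t dstsz,
                 const unsigned char *src, size_t srclen)
{
    size_t n = 0;
    if (dstsz == 0) return 0;
    while (n < dstsz - 1 && n < srclen) {
        dst[n] = src[n];
        n++;
        if (src[n - 1] == '\n') break;
    }
    dst[n] = '\0';
    return n;
}

/* Offset of the first byte of sc that is listed in bad, or -1 if clean. */
long first_bad_byte(const unsigned char *sc, size_t n,
                    const unsigned char *bad, size_t nbad)
{
    for (size_t i = 0; i < n; i++)
        for (size_t j = 0; j < nbad; j++)
            if (sc[i] == bad[j]) return (long)i;
    return -1;
}

/* ARM interworking: bit 0 of a bx / interworking pop {pc} target selects
 * Thumb state; the instruction actually fetched is at addr & ~1. */
int      target_is_thumb(uint32_t addr) { return (int)(addr & 1u); }
uint32_t target_pc(uint32_t addr)       { return addr & ~1u; }

/* mov r1, #10 -> e3a0100a, stored little-endian: 0a 10 a0 e3 */
static const unsigned char mov_r1_10[] = { 0x0a, 0x10, 0xa0, 0xe3 };
/* same result without a 0x0a: mov r1, #11 (e3a0100b); sub r1, r1, #1 (e2411001) */
static const unsigned char mov_r1_10_clean[] = { 0x0b, 0x10, 0xa0, 0xe3,
                                                 0x01, 0x10, 0x41, 0xe2 };
/* bytes a line-based, C-string input path will not carry intact */
static const unsigned char bad_bytes[] = { 0x00, 0x0a };

int main(void)
{
    unsigned char buf[64];
    const unsigned char payload[] = "AAAA\nBBBB";   /* constructed */
    size_t total = sizeof payload - 1;
    size_t got = line_read(buf, sizeof buf, payload, total);
    printf("line reader kept %zu of %zu payload bytes\n", got, total);

    long off = first_bad_byte(mov_r1_10, sizeof mov_r1_10,
                              bad_bytes, sizeof bad_bytes);
    printf("mov r1,#10: first bad byte at offset %ld\n", off);
    off = first_bad_byte(mov_r1_10_clean, sizeof mov_r1_10_clean,
                         bad_bytes, sizeof bad_bytes);
    printf("mov r1,#11; sub r1,r1,#1: first bad byte at offset %ld\n", off);

    uint32_t ret = 0xbefff021u;   /* constructed stack address, bit 0 set */
    printf("return to 0x%08x: thumb=%d, fetched from 0x%08x\n",
           ret, target_is_thumb(ret), target_pc(ret));
    return 0;
}
```

Build with `cc -std=c99 -o check check.c` and run; to audit a real blob, drop its bytes into the first array. The bad-byte list is only 0x00 and 0x0a because that is what a line-based C-string read strips; if the target reads with something else (scanf, read with a length), adjust the list to match that reader.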