Thứ Tư, 7 tháng 9, 2011

Chuyển nhà

Hiện tại, trang chủ của BkitSec chuyển sang bkitsec.wordpress.com thay vì trang chủ này.

Thứ Ba, 16 tháng 8, 2011

Defcon 19 Gold



# file gold

gold: ELF 32-bit LSB executable, Intel 80386, version 1 (FreeBSD), dynamically linked (uses shared libs), for FreeBSD 8.2, stripped


Binary co the download tu day

Binary chay 1 dich vu lang nghe o port 2069 va cho ket noi toi; voi moi ket noi, chuong trinh tao 1 process rieng de thao tac voi tung client. Ve co ban binary nay la mot game nho. Khi ket noi toi port 2069 chung ta co:
haha

hihi
hhe

char *a;

char *b;
char *c;
nc localhost 2069
You are in a brown sad room (2,2,2)
You can see:sledge, gold
Possible exits:nowhere
You are carrying:nothing
_north _south _east _west _up _down _get d_rop _arm _hit e_xchange _Quit


Phan xu li nay trong binary:


/* Per-connection game loop (fragment: the enclosing function and the
 * declarations of fd, v5..v8 and the global buff512 are not in this listing).
 * Each round draws the room (startGame) and handles one command (playGame)
 * until calcVal1(intArr2) becomes nonzero - presumably "goal room reached". */
while ( !(unsigned __int8)calcVal1(intArr2) )
{
    if ( v5 )
        goto LABEL_13;          /* playGame returned nonzero ('Q'): end without the reward */
    if ( (unsigned __int8)calcVal1(intArr3) )
    {
        if ( !buff512 )
        {
            send3(fd, "You can't see anything around you\n");
            send3(fd, "_north _south _east _west _up _down _get d_rop _arm _hit e_xchange _Quit\n> \n");
            /* buff512 is filled exactly once with up to 512 client-supplied
             * bytes and kept for the rest of the session; Arm() later passes
             * it to snprintf as the format string.
             * NOTE(review): the terminator is written to index 512 of a
             * 512-byte allocation - a one-byte heap overflow - and nothing
             * inside the buffer is NUL-terminated (read1's exact contract is
             * not shown). A bounded read of 511 bytes plus buff512[n] = 0
             * would avoid both. */
            buff512 = (char *)malloc(512u);
            if ( read1(fd, (int)buff512, 512, '\n') > 0 )
                buff512[512] = 0;
        }
    }
    startGame(fd);
    v5 = playGame(fd);
}
/* Goal reached: count how many carried items have id 3 (gold). */
v6 = 0;
send3(
fd,
"At the end you reached the goal room! I don't know\nif you enjoyed the trip, nor if you've found what you\nwas searching for... I only hope you know better
how\nto curse now!!\n\n");
if ( holdItem )
{
    v7 = 0;
    do
    {
        v8 = playerItems[v7++] == 3;
        v6 += v8;
    }
    while ( v7 != holdItem );
}
send3(fd, "You earned %d pieces of gold\n\n", v6);
LABEL_13:
endGame();



Trong StartGame:
/* Fragment of startGame (its signature and the declarations of v1..v12, i,
 * itemCarry and current are not in this listing): prints the items in the
 * room, the available exits and the player's inventory, then the menu. */
send3(sockfd, "You can see:");

itemCarry[0] = 4;   /* running counter bumped at each output step; its purpose is not shown - TODO confirm */
/* When the current room matches the (unk_804D440, unk_804D444) pair for this
 * level, reset the room's items and mark the pair consumed with -1. */
if ( unk_804D440[3 * current[2]] == current[0] && unk_804D444[3 * current[2]] == current[1] )
{
    /* "¤tStatus" is the blog's rendering of the HTML entity &curren;
     * the real argument is &currentStatus->itemRemain. */
    resetGameItems(currentStatus->itemList, (int)¤tStatus->itemRemain, 2);
    v12 = 3 * current[2];
    unk_804D440[3 * current[2]] = -1;
    unk_804D444[v12] = -1;
}
v1 = currentStatus;
if ( currentStatus->itemRemain )
{
    if ( currentStatus->itemRemain > 0 )
    {
        v2 = 0;
        do
        {
            /* Item name comes from gameOutput; an id with a NULL entry falls
             * back to the client-supplied buff512, echoed safely via "%s". */
            v3 = gameOutput[v1->itemList[v2] + 10];
            if ( !v3 )
                v3 = (int)buff512;
            send3(sockfd, "%s", v3);
            v4 = currentStatus;
            if ( currentStatus->itemRemain - 1 > v2 )
            {
                send3(sockfd, ", ");
                v4 = currentStatus;
            }
            /* Decompiler artefact: as written this compares v2 with itself
             * (barring overflow); the original is probably a v2 % 6 == 0
             * test - confirm against the disassembly. */
            if ( v2 == 6 * v2 / 6 )
                itemCarry[0] += v2 > 0;
            ++v2;
            v1 = v4;
        }
        while ( v4->itemRemain > v2 );
    }
}
else
{
    send3(sockfd, "nothing");
}
v5 = 7;
if ( itemCarry[0] > 5 )
    v5 = itemCarry[0] + 1;
itemCarry[0] = v5;
i = 0;
v7 = 0;
send3(sockfd, "\nPossible exits:");
/* Six directions (the n/s/e/w/u/d cases of playGame); a nonzero
 * currentStatus->direction[i] means that exit exists. */
do
{
    if ( currentStatus->direction[i] )
    {
        ++v7;
        send3(sockfd, "%s ", *(_DWORD *)&strDirection[4 * i]);
    }
    ++i;
}
while ( i != 6 );
if ( !v7 )
    send3(sockfd, "nowhere");
itemCarry[0] += 2;
v8 = 0;
v9 = 0;
send3(sockfd, "\nYou are carrying:");
/* Same NULL-name fallback to buff512 for the player's own items. */
if ( holdItem )
{
    do
    {
        while ( 1 )
        {
            v10 = gameOutput[playerItems[v8] + 10];
            if ( !v10 )
                v10 = (int)buff512;
            send3(sockfd, "%s", v10);
            if ( holdItem - 1 > v9 )
                break;
            ++v8;
            v9 = v8;
            if ( holdItem <= v8 )
                goto LABEL_28;
        }
        ++v8;
        v9 = v8;
        send3(sockfd, ", ");
    }
    while ( holdItem > v8 );
}
else
{
    send3(sockfd, "nothing");
}
LABEL_28:
itemCarry[0] += 2;
send3(sockfd, "\n_north _south _east _west _up _down _get d_rop _arm _hit e_xchange _Quit");
return send3(sockfd, "\n> \n");
}


Va PlayGame:

/* Reads one command byte per iteration from the client socket and dispatches
 * on it.  Returns 0 once a turn has been consumed (the caller then redraws the
 * room with startGame) and 1 only for 'Q', which the caller turns into a jump
 * to endGame.  Bytes that match no case are silently ignored. */
signed int __cdecl playGame(int fd)
{
    BYTE *choose; // eax@1
    BYTE *choose1; // edi@1
    int numItem_; // ebx@2
    signed int j; // ecx@3
    int v5; // eax@4
    char *v7; // ebx@13
    char *v8; // eax@13
    ItemInfo *v9; // esi@13
    int indexDir; // eax@13
    int *currenStatus_; // esi@19
    int i; // ebx@21
    int v13; // eax@23
    int dir; // [sp+18h] [bp-10h]@13

    while ( 2 )
    {
        choose = recv_1byte(fd);
        choose1 = choose;
        switch ( choose )
        {
            default:
                continue;
            case 'x':
                /* e_xchange: swap playerItems[j] with gameItems[j] for
                 * j = 1 .. holdItem-1 (slot 0 is left alone).  gameItems is
                 * indexed by the player's own item count - assumes it holds at
                 * least holdItem entries; TODO confirm its size. */
                numItem_ = holdItem;
                if ( holdItem > 1u )
                {
                    j = 1;
                    do
                    {
                        v5 = playerItems[j];
                        playerItems[j] = gameItems[j];
                        gameItems[j++] = v5;
                    }
                    while ( j != numItem_ );
                }
                return 0;
            case 'r':
                if ( (unsigned __int8)dropItem(fd) )
                    return 0;
                continue;
            case 'h':
                if ( hit(fd) )
                    return 0;
                continue;
            case 'g':
                /* Only call getItem when the room still has something. */
                if ( currentStatus->itemRemain )
                {
                    if ( getItem(fd) )
                        return 0;
                }
                else
                {
                    send3(fd, "there's nothing I can get\n");
                }
                continue;
            case 'd':
            case 'e':
            case 'n':
            case 's':
            case 'u':
            case 'w':
                /* Movement: `direction` is presumably the string of the six
                 * direction letters, so strchr yields the index 0..5 of the
                 * chosen one (it cannot be NULL as long as all six letters are
                 * present in `direction`). */
                v7 = direction;
                v8 = strchr(direction, (int)choose);
                v9 = currentStatus;
                indexDir = v8 - v7;
                dir = indexDir;
                if ( !currentStatus->direction[indexDir] )// EndMap
                {
                    send3(fd, "can't go %s\n", *(_DWORD *)&strDirection[4 * indexDir]);
                    continue;
                }
                /* Carrying something: vertical moves need gameItems[holdItem]
                 * to be id 2 - the "ladder" per the message below.  Note the
                 * index is holdItem, not holdItem-1 as used elsewhere for the
                 * held item; same pattern as in Arm().  TODO confirm intent. */
                if ( holdItem )
                {
                    if ( choose1 != (BYTE *)'u' && choose1 != (BYTE *)'d' )
                        goto LABEL_17;
                    if ( gameItems[holdItem] == 2 )
                        goto LABEL_35;
                    send3(fd, "Hm, I need to use a ladder...\n");
                    continue;
                }
                if ( choose1 == (BYTE *)'u' || choose1 == (BYTE *)'d' )
                {
LABEL_35:
                    /* Using the ladder drops it before moving. */
                    dropItem(fd);
                    v9 = currentStatus;
                }
LABEL_17:
                /* Writes one byte into the following ItemInfo record - probably
                 * a "visited" flag, but the struct layout is not shown. */
                LOBYTE(v9[1].direction[1]) = 1;
                current[0] += Map1[3 * dir];
                current[1] += Map2[3 * dir];
                current[2] += Map3[3 * dir];
                /* direction[dir] doubles as the pointer to the next room. */
                currentStatus = (ItemInfo *)v9->direction[dir];
                return 0;
            case 'b':
                /* Hidden command: 'b' is not in the menu printed by startGame.
                 * Its handler is not in this listing; treat it as an
                 * undocumented server-side entry point. */
                ddtek_backdoor(fd, 0);
                continue;
            case 'X':
                /* Treats the current room record as an int array and rotates
                 * the words from index 6 upward by one position; the bound at
                 * index 26 is most likely itemRemain, so this rotates the
                 * room's item list - confirm against the struct layout. */
                currenStatus_ = (int *)currentStatus;
                if ( currentStatus->itemRemain > 1 && currentStatus->itemRemain - 1 > 0 )
                {
                    for ( i = 0; ; ++i )
                    {
                        v13 = currenStatus_[i + 6];
                        currenStatus_[i + 6] = currenStatus_[i + 7];
                        currenStatus_[i + 7] = v13;
                        if ( currenStatus_[26] - 1 <= i + 1 )
                            break;
                    }
                }
                return 0;
            case 'Q':
                send3(fd, "quit");
                return 1;
            case 'a':
                if ( (unsigned __int8)Arm(fd) )
                    return 0;
                continue;
        }
    }
}



O day, voi moi lua chon cua nguoi choi, chuong trinh goi 1 function tuong ung de xu li. Vi du nguoi choi chon 'g' (get) thi getItem duoc goi:

/* 'g' handler: moves the last item of the current room into the player's
 * inventory.
 *   a1 - client socket, used only for the "too much" message.
 * Returns 1 when the turn is consumed (an item was taken, or the room was
 * already empty), 0 when the inventory is full.  The cap of 25 presumably
 * matches the size of playerItems - not visible here, TODO confirm. */
bool __cdecl getItem(int a1)
{
    int indexItem; // ecx@1
    ItemInfo *status; // edx@2
    int avai; // eax@2
    int t; // eax@3
    bool result; // eax@4

    indexItem = holdItem;
    if ( holdItem == 25 )
    {
        send3(a1, "You are carrying too much!\n");
        result = 0;
    }
    else
    {
        status = currentStatus;
        avai = currentStatus->itemRemain;
        if ( avai > 0 )
        {
            /* Pop from the end of the room's list, push onto the player's. */
            t = avai - 1;
            currentStatus->itemRemain = t;
            playerItems[indexItem] = status->itemList[t];
            holdItem = indexItem + 1;
        }
        result = 1;
    }
    return result;
}



Truong hop 'b' (khong xuat hien trong menu) chinh la lua chon de goi ddtek_backdoor.
Truong hop nguoi choi chon 'a' (Arm):

/* 'a' handler: arms the most recently picked-up item (playerItems[holdItem-1]).
 *   a1 - client socket for the messages.
 * Returns 1 when an item of id 1 was turned into id 4 ("Armed"), 0 otherwise.
 *
 * NOTE(review): in the "I can't arm" branch the name lookup uses
 * gameItems[holdItem] while the item actually inspected is
 * playerItems[holdItem - 1]; when that lookup is NULL the client-supplied
 * buff512 is used as the snprintf format string.  The defensive form is
 * `snprintf(buff, sizeof buff, "%s", buff512);`.  send3 itself looks
 * printf-like (the caller passes "%d" formats to it), so forwarding buff or
 * a gameOutput entry as its second argument is a second format sink;
 * `send3(a1, "%s", buff)` would close that one. */
int __cdecl Arm(int a1)
{
    int item; // eax@2
    int result; // eax@6
    char buff[512]; // [sp+10h] [bp-208h]@10

    if ( holdItem )
    {
        item = playerItems[holdItem - 1];
        if ( item == 4 )
        {
            send3(a1, "Sledge already armed and ready to fire!\n");
            result = 0;
        }
        else
        {
            if ( item == 1 )
            {
                playerItems[holdItem - 1] = 4; // set to Armed
                result = 1;
            }
            else
            {
                send3(a1, "I can't arm ");
                if ( gameOutput[gameItems[holdItem] + 10] )
                {
                    send3(a1, (const char *)gameOutput[gameItems[holdItem] + 10]);
                }
                else
                {
                    /* Format string bug: buff512 comes straight from the client. */
                    snprintf(buff, 0x200u, buff512);
                    send3(a1, buff);
                }
                send3(a1, "\n");
                result = 0;
            }
        }
    }
    else
    {
        send3(a1, "What should I arm?!\n");
        result = 0;
    }
    return result;
}



O dong:
snprintf(buff, 0x200u, buff512);
la mot loi format string. Dong nay chi duoc goi khi nguoi choi co > 0 item (holdItem > 0), item dang cam khong phai 4 (tuc la chua dc Armed) va khong phai 1 (khong the arm dc), dong thoi gameOutput[gameItems[holdItem] + 10] la NULL, nen buff512 (du lieu do client gui len luc dau) duoc dung lam format string.
Tren day la phan doan cua minh sau khi RE xong, tiep theo minh se debug va viet 1 cai exploit hoan chinh cho no :)