Reverse-and-Exploit-Development

ELF 32-bit Reversing
The program's logic, reconstructed from the disassembly (written as Python-like pseudocode):
1. Try to create a socket; on failure print "could not create socket".
2. Call htons() (host-to-network short) to convert the port number.
3. Try to bind to the port; print "bind done" on success, or "bind failed" and exit on failure.
4. listen() for connections inside a while-true loop, printing "waiting for incoming connections" on every iteration.
5. Try to accept a connection; print "connection accepted" on success, or "accept failed" and exit on error.
6. recv() one byte at a time and store the bytes in memory.
7. Dispatch on the first byte:
if msg[0] == '\n': begin the login process.
elif msg[0] == '\x0f': send 'You are close'.
else: send 'Meh'.
8. Login process:
I. Calls get_string three times; each call heap-allocates a buffer and strcpy()s one username from the message into it.
+ Prints the decimal value of each username's prefix number plus 0x01.
II. Prints the variables it received from the message (each one needs a NULL byte terminator).
III. strcmp()s the three usernames against three usernames hard-coded in the program, in this order: 'root', 'root', 'toor'.
IV. malloc() is called with 0x40 as the size argument.
V. memcpy()s "check\x00" into the buffer malloc() returned, with a size of 0x6 (the length of "check" plus the NULL byte).
VI. ORs the return value of strcmp() with 0x00 and saves the result in EAX.
VII. Prints "Success iteration X: %x", where %x is the result of the OR (0 means strcmp() matched; anything else means it failed).
VIII. Frees all four heap allocations in reverse order: 'check', 'toor', 'root', and lastly the first 'root' from the message.
IX. CMP [EBP+return_value_of_strcmp], 0
-> if the compare succeeds (the value is 0): sets AL to 1 (a SETcc on the zero flag).
X. AL is moved (zero-extended) into EAX.
XI. Returns from login to main.
9. EAX is stored at stack-0x44 (it is either 0x00 or 0x01).
10. cmp stack-0x44 with 0:
if stack-0x44 == 0: jumps to sending the 'failed' reply.
if stack-0x44 != 0: jumps to sending the 'successful' reply.

Conclusion:
A program that demonstrates an authentication process.
A client sends a message containing:
a character in msg[0], which acts as a kind of authentication token ('\n' selects the login path);
3 usernames, each preceded by a prefix number.
Between each username there should be 43 characters of padding. Each username must end with a NULL byte, otherwise the program breaks and will not grant access.
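The flow above and the message layout from the conclusion, modelled as an added example (this is not the binary's code or the writeup author's script): it builds a client message the way the writeup describes and checks it against a Python re-implementation of the dispatch and login logic, so a candidate message can be tested offline before it is sent to the real server. Assumed, because the writeup does not pin them down: a 44-byte stride per username field (one prefix byte plus 43 bytes for the name, NUL terminator and zero padding), single-digit prefixes, and the literal reply strings 'successful' and 'failed'. The function names build_message, get_string, login, handle and send_to_target are mine, not names from the binary.

```python
# Added example (not the binary's or the writeup author's code): a client-side
# message builder plus a pure-Python model of the reversed dispatch and login
# logic, so a candidate message can be checked offline before it is sent.
import socket  # used only by send_to_target(); the model runs without a network

# ASSUMPTION: the writeup says "43 chars of padding between usernames" but does
# not give exact offsets; this model uses a fixed 44-byte field
# (1 prefix byte + 43 bytes for name, NUL terminator and zero padding).
FIELD_STRIDE = 44
NUM_USERS = 3
EXPECTED = [b"root", b"root", b"toor"]  # hard-coded order from step III


def build_message(users, prefixes=(b"1", b"2", b"3"), first_byte=b"\n"):
    """Pack msg[0] followed by three prefixed, NUL-terminated usernames."""
    if len(users) != NUM_USERS or len(prefixes) != NUM_USERS:
        raise ValueError("exactly three usernames and prefixes are required")
    msg = bytearray(first_byte)
    for prefix, user in zip(prefixes, users):
        field = prefix + user + b"\x00"
        if len(field) > FIELD_STRIDE:
            raise ValueError("username too long for one field")
        msg += field.ljust(FIELD_STRIDE, b"\x00")  # zero padding up to the next field
    return bytes(msg)


def get_string(msg, index):
    """Model of get_string(): copy one NUL-terminated field out of the message.

    The binary does this with strcpy() into a fresh heap buffer, so a field with
    no terminator would keep copying past the field; the model refuses instead.
    """
    start = 1 + index * FIELD_STRIDE
    end = msg.find(b"\x00", start)
    if end == -1 or end == start:
        raise ValueError("field %d is missing or not NUL-terminated" % index)
    field = msg[start:end]
    return field[:1], field[1:]  # (prefix number, username)


def strcmp(a, b):
    """C-style three-way compare, so the OR accumulation behaves like the binary's."""
    return (a > b) - (a < b)


def login(msg):
    """Steps I-XI: copy three names, strcmp() each, OR the results, return 1 only if all matched."""
    heap = []  # stands in for the three strcpy() targets plus the 'check' buffer
    for i in range(NUM_USERS):
        prefix, name = get_string(msg, i)
        heap.append(name)
        shown = int(prefix) + 1 if prefix.isdigit() else 0
        print("prefix %d" % shown)  # the binary prints the prefix number + 0x01
    acc = 0
    for i, name in enumerate(heap):
        acc |= strcmp(name, EXPECTED[i])  # stays 0 only while every compare matches
        print("Success iteration %d: %x" % (i, acc & 0xFFFFFFFF))
    heap.append(b"check")  # malloc(0x40) followed by memcpy("check\0", 6)
    heap.clear()  # all four blocks are freed (in reverse order) before returning
    return 1 if acc == 0 else 0  # SETcc -> AL -> EAX -> stack-0x44


def handle(msg):
    """Steps 6-10: dispatch on msg[0] and pick the reply the server sends back."""
    first = msg[:1]
    if first == b"\n":
        return b"successful" if login(msg) else b"failed"  # ASSUMED reply strings
    if first == b"\x0f":
        return b"You are close"
    return b"Meh"


def send_to_target(host, port, msg, timeout=5.0):
    """Send one message to the real server and return its reply (network I/O)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(msg)
        return s.recv(1024)


if __name__ == "__main__":
    good = build_message([b"root", b"root", b"toor"])
    print(handle(good).decode())                                        # successful
    print(handle(build_message([b"root", b"toor", b"root"])).decode())  # failed
```

Once the stride constant has been confirmed against the offsets get_string() actually reads in the disassembler, the same builder feeds the real target via send_to_target(host, port, build_message([b"root", b"root", b"toor"])); the model rejects a field without a NUL terminator, which is the case the writeup warns breaks the program.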