Hello Sleep – C I H4K U
Here is the latest exercise I worked on. This time I have taken the Hello World C program I demonstrated in the Hello World – C to Assembly post and added a sleep to it. The sleep call paused the program long enough for me to locate the memory allocated to the program and change the value of the output. Of course, I would rather have found a way to locate the program's code instead of the actual output string, because that string might not be known in advance. But I guess I am going to have to live with this for now.
This first section shows the modifications that were made to the C program to turn it into hello_sleep.c. I diffed the generated assembly file against the version from yesterday so that you and I could see the difference.
bt hello_sleep # cat hello_sleep.c
#include <stdio.h>
#include <unistd.h> // Required for sleep()

int main(void)
{
    // Declare local variables
    unsigned int sec = 300; // 5 minutes

    sleep(sec);
    printf("Hello World\n");
    return 0;
}
bt hello_sleep # ls
Makefile hello_sleep.c
bt hello_sleep # make hello_sleep.s
cc -S hello_sleep.c
bt hello_sleep # ls
Makefile hello_sleep.c hello_sleep.s
bt hello_sleep # cat hello_sleep.s
.file "hello_sleep.c"
.section .rodata
.LC0:
.string "Hello World\n"
.text
.globl main
.type main, @function
main:
pushl %ebp
movl %esp, %ebp
subl $8, %esp
andl $-16, %esp
movl $0, %eax
addl $15, %eax
addl $15, %eax
shrl $4, %eax
sall $4, %eax
subl %eax, %esp
movl $300, -4(%ebp)
subl $12, %esp
pushl -4(%ebp)
call sleep
addl $16, %esp
subl $12, %esp
pushl $.LC0
call printf
addl $16, %esp
movl $0, %eax
leave
ret
.size main, .-main
.section .note.GNU-stack,"",@progbits
.ident "GCC: (GNU) 3.4.6"
bt hello_sleep # diff hello_sleep.s ../hello/hello.s
1c1
< .file “hello_sleep.c”
—
> .file “hello.c”
19,23d18
< movl $300, -4(%ebp)
< subl $12, %esp
< pushl -4(%ebp)
< call sleep
< addl $16, %esp
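Review bot: the diff was run as `diff hello_sleep.s ../hello/hello.s`, so the `<` lines in this hunk are the five instructions present only in the sleep version; say so next to the hunk, because read the other way round it looks as if the sleep call was removed. The sequence itself deserves a comment: `movl $300, -4(%ebp)` stores the delay in a stack local and `pushl -4(%ebp)` reads it back as the argument, so the 300 never lives in .rodata and a memory search for the output string will not find the delay; the `subl $12, %esp` / `addl $16, %esp` pair around `call sleep` keeps the stack 16-byte aligned across the call, matching the pattern already emitted around `call printf`.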
bt hello_sleep # make
cc -c hello_sleep.c
cc hello_sleep.o -o hello_sleep.exe
bt hello_sleep # ls
Makefile hello_sleep.c hello_sleep.exe* hello_sleep.o hello_sleep.s
bt hello_sleep # ./hello_sleep.exe
Hello World
bt hello_sleep # ./hello_sleep.exe
While this was running I opened another terminal and went to work. Of course, I had already set up my tools: VTrace, which is now a part of VDB. I also installed the latest version of libdisassemble and disass-3, which @ just released today. I'll leave the installation process to you this time. I have highlighted some key information, and if you see a "<- NOTE: " it is an added comment.
bt dev # python <- NOTE: Time to learn Python
Python 2.4.3 (#1, Apr 3 2006, 14:02:53)
[GCC 3.4.6] on linux2
Type "help", "copyright", "credits" or "license" for more information.
>>> import vtrace <- NOTE: Pull in the VTrace functions and objects
>>> tr = vtrace.getTrace() <- NOTE: Create an object that will do the work
>>> tr.ps() <- NOTE: Output the process list. This could be scripted for future dynamic results.
[(1, 'init [3] '), (1008, '/sbin/udevd --daemon '), (2178, '/usr/sbin/syslogd '), (2181, '/usr/sbin/klogd -c 3 -x '), (2198, '/sbin/dhcpcd -d -t 10 eth0 '), (2227, '/usr/sbin/cupsd '), (2238, '/usr/sbin/crond -l10 '), (2274, '/usr/sbin/gpm -m /dev/mouse -t ps2 '), (2543, '/bin/bash /usr/bin/fstab-update --daemon '), (2841, '-bash '), (2842, '/sbin/agetty 38400 tty2 linux '), (2843, '/sbin/agetty 38400 tty3 linux '), (2844, '/sbin/agetty 38400 tty4 linux '), (2845, '/sbin/agetty 38400 tty5 linux '), (2846, '/sbin/agetty 38400 tty6 linux '), (2884, '/bin/sh /usr/X11R6/bin/startx '), (2902, '/usr/X11R6/bin/xinit /usr/X11R6/lib/X11/xinit/xinitrc -- -auth /root/.serverauth.2884 '), (2903, 'X :0 -auth /root/.serverauth.2884 '), (2919, '/bin/sh /usr/X11R6/lib/X11/xinit/xinitrc '), (2923, '/bin/sh /opt/kde/bin/startkde '), (2957, 'kdeinit Running... '), (2962, 'dcopserver [kdeinit] --nosid '), (2964, 'klauncher [kdeinit] --new-startup '), (2966, 'kded [kdeinit] --new-startup '), (2975, 'kwrapper ksmserver '), (2977, 'ksmserver [kdeinit] '), (2978, 'kwin [kdeinit] -session 10736c6178000117232847800000030170000_1208991555_703768'), (2980, 'kdesktop [kdeinit] '), (2984, 'kicker [kdeinit] '), (2987, 'kio_file [kdeinit] file /tmp/ksocket-root/klauncherPvcYNb.slave-socket /tmp/ksocket-root/kdesktopnUuTnb.slave-socket'), (2991, 'kxkb [kdeinit] '), (2995, 'artsd -F 10 -S 4096 -a alsa -m artsmessage -c drkonqi -l 3 -f '), (2999, 'kaccess [kdeinit] '), (3002, 'krandrtray -session 10736c6178000117232848400000030170007_1208991555_690824 '), (3006, 'kmix [kdeinit] -session 10736c6178000117232848400000030170008_1208991555_687965'), (3007, 'konsole [kdeinit] -session 10627400000120899154700000029640010_1208991555_692031 --ls'), (3011, 'knotify [kdeinit] '), (3012, 'konsole [kdeinit] --ls '), (3016, 'konsole [kdeinit] --ls '), (3017, '-bash '), (3027, '-bash '), (3044, '-bash '), (3125, '/bin/sh /usr/bin/firefox '), (3137, '/bin/sh /opt/firefox/run-mozilla.sh /opt/firefox/firefox-bin '), (3142, '/opt/firefox/firefox-bin '), (3159, '/usr/local/libexec/gconfd-2 14 '), (21770, '/usr/bin/python /usr/bin/pydoc vtrace '), (21776, 'less '), (22462, './hello_sleep.exe '), (22936, 'python '), (23047, 'sleep 1 ')]
>>> tr.attach(22462) <- NOTE: Attach to the running process. It is sleeping, so be very quiet.
>>> tr.searchMemory('Hello') <- NOTE: Search the memory for, well, Hello
[134513956L, 134518052L] <- NOTE: Those are the memory addresses in decimal form. The "L" means that it is a long integer.
>>> tr.readMemory(134513956L,14) <- NOTE: Read the memory location
'Hello World\n\x00\x00'
>>> tr.readMemory(134518052L,14)
'Hello World\n\x00\x00'
>>> tr.writeMemory(134513956L,'h4k3d') <- NOTE: Change the memory location
>>> tr.writeMemory(134518052L,'h4k3d')
>>> tr.readMemory(134513956L,14) <- NOTE: Check your work
'h4k3d World\n\x00\x00'
>>> tr.readMemory(134518052L,14)
'h4k3d World\n\x00\x00'
>>> tr.detach() <- NOTE: Step away very quietly
>>>
bt dev #
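The VTrace session above leaves two things implicit: why the string was found at two addresses exactly 0x1000 apart (134513956 is 0x08048524 and 134518052 is 0x08049524), and how to tell from the outside that a process is stopped under a tracer, as hello_sleep.exe was while attached. The following is an added example, not code from the original post and not part of VTrace or VDB. It does the same search with /proc/<pid>/maps and /proc/<pid>/mem on Linux, reports which mapping each hit lies in and whether that mapping is writable, and reads TracerPid from /proc/<pid>/status. The maps text, the page contents and the /path/to/hello_sleep.exe path in the sample are constructed; the layout they model (a small i386 binary whose first file page is mapped once r-x as the text segment and again rw- as the data segment, so the .rodata bytes appear twice) is the likely explanation for the two hits, not something the post itself states.

```python
"""Added example (not from the original post, VTrace or VDB): locate a byte
pattern in a process's memory via /proc, classify each hit by mapping, and
check whether the target is currently being traced. Linux only; the live
scan needs ptrace-level access to the target (root, or your own process)."""
import re

# One /proc/<pid>/maps line: start-end perms offset dev inode [path]
MAPS_LINE = re.compile(
    r"^([0-9a-f]+)-([0-9a-f]+)\s+(\S{4})\s+([0-9a-f]+)\s+\S+\s+\d+\s*(.*)$")


def parse_maps(text):
    """Parse maps text into (start, end, perms, file_offset, path) tuples."""
    regions = []
    for line in text.splitlines():
        m = MAPS_LINE.match(line.strip())
        if m:
            regions.append((int(m.group(1), 16), int(m.group(2), 16),
                            m.group(3), int(m.group(4), 16), m.group(5)))
    return regions


def search_buffer(data, needle, base):
    """Absolute addresses of every occurrence of needle in a mapping whose
    bytes are data and whose first byte lives at address base."""
    hits, i = [], data.find(needle)
    while i != -1:
        hits.append(base + i)
        i = data.find(needle, i + 1)
    return hits


def describe_hit(addr, regions):
    """Map an absolute address back to its region; None if unmapped."""
    for start, end, perms, offset, path in regions:
        if start <= addr < end:
            return {"addr": addr, "hex": "0x%08x" % addr, "perms": perms,
                    "file_offset": offset + (addr - start), "path": path,
                    "writable": "w" in perms}
    return None


def tracer_pid(status_text):
    """TracerPid from /proc/<pid>/status text; 0 means nobody is attached."""
    m = re.search(r"^TracerPid:\s*(\d+)", status_text, re.M)
    return int(m.group(1)) if m else 0


def scan_process(pid, needle):
    """Live scan: read every readable mapping of pid through /proc/<pid>/mem."""
    with open("/proc/%d/maps" % pid) as f:
        regions = parse_maps(f.read())
    results = []
    with open("/proc/%d/mem" % pid, "rb", 0) as mem:
        for start, end, perms, offset, path in regions:
            if "r" not in perms:
                continue
            try:
                mem.seek(start)
                data = mem.read(end - start)
            except (OSError, OverflowError):   # [vvar], [vsyscall], guard pages
                continue
            for addr in search_buffer(data, needle, start):
                results.append(describe_hit(addr, regions))
    return results


# Constructed sample modelling the two searchMemory() hits: the first file
# page of a tiny i386 binary is mapped twice, so the string at file offset
# 0x524 shows up at 0x08048524 (text, r-x) and 0x08049524 (data, rw-).
SAMPLE_MAPS = """\
08048000-08049000 r-xp 00000000 03:01 4242 /path/to/hello_sleep.exe
08049000-0804a000 rw-p 00000000 03:01 4242 /path/to/hello_sleep.exe
bffeb000-c0000000 rw-p 00000000 00:00 0 [stack]
"""
SAMPLE_PAGE = (b"\x7fELF" + b"\x00" * (0x524 - 4)
               + b"Hello World\n\x00\x00" + b"\x00" * 0x100)


def demo():
    """Search the constructed page in both mappings that contain it."""
    regions = parse_maps(SAMPLE_MAPS)
    hits = []
    for start, end, perms, offset, path in regions[:2]:
        hits += [describe_hit(a, regions)
                 for a in search_buffer(SAMPLE_PAGE, b"Hello", start)]
    return hits


if __name__ == "__main__":
    import os
    for h in demo():
        print(h)
    marker = b"h4k3d-marker-" + b"x" * 8      # keep a known needle alive
    for h in scan_process(os.getpid(), marker):   # scan our own process
        print(h)
```

Run it as root against a live pid (or against your own pid, as the `__main__` block does) and compare the `writable` flag of each hit: a write into the r-x mapping only succeeds because ptrace and /proc/<pid>/mem bypass page protections with a copy-on-write of the text page, which is also why the change never reaches the file on disk. On kernels with Yama, /proc/sys/kernel/yama/ptrace_scope decides whether a non-child process can be read this way at all, and a non-zero TracerPid in the target's status is the simplest sign that someone has attached to it.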
Did you wake it? No?? Good. Now just sit back and wait for it. It will wake up on its own, and you actually have to wait the full amount of time. The method I used above stops the process from running once VTrace attaches to it. I believe it can be done without stopping the process, but that is for another time. Ohhhhh, here is the return value. I'll include a few of the previous lines that I have already shown so you can remember where we were.
bt hello_sleep # make
cc -c hello_sleep.c
cc hello_sleep.o -o hello_sleep.exe
bt hello_sleep # ls
Makefile hello_sleep.c hello_sleep.exe* hello_sleep.o hello_sleep.s
bt hello_sleep # ./hello_sleep.exe
Hello World
bt hello_sleep # ./hello_sleep.exe
h4k3d World
bt hello_sleep #
Sweet!!!
Go forth and do good things,
Don C. Weber