Tuesday, 20 September 2016

HOW TO DISABLE ASLR USING COMMAND LINE

     ASLR - Address space layout randomization
  
ASLR is used as  memory protection method to protect the program from being exploited using the buffer overflow attacks. It functions by randomizing the locations of executional objects in the memory. 

 You can get the value of the ASLR randomizer by using 
       ->     $ cat /proc/sys/kernel/randomize_va_space

The value will most probably be 2. Which means the Last two digits of a memory will be randomized. 
 eg :- suppose a certain object is in 0xdeadbeef . The next time the last two digits "ef"  will be different.

Hence to make the address randomization null you need to put zero in place of two.
       ->     $ echo 0 | sudo tee /proc /sys/kernel/randomize_va_space
Here sudo tee is used because sudo as certain restrictions while piping standard output to a certain file .


         HOW TO DISABLE CANARY AND RELRO WHILE COMPILING

There are certain flags which will help in disabling are
 -fno-stack-protector , -z,norelro

These can be used while compiling a program like 
  gcc -fno-stack-protector file.c -o a.out

Posted by at No comments:

Tuesday, 6 September 2016

ICECTF 2016 - DRUMPF BINARY

Binary overview:-
     The Binary has facility to book a suite, book  a room , delete booking and to print booking. The Aim is to change the flow of control to the flag function which obviously prints the flag. The program is protected by Canary, NX and RELRO is partially enabled. The program employs the use of Malloc() and free(). Finding the vulnerability would be a child's play for a experienced exploiter. The vulnerability is called Use after free vulnerability .

 Intro to Use After Free vulnerability:-
      To understand what the Use After Free vulnerability is one needs to understand what are the functions and how they are used wrongly which causes such a vulnerability to rise
  • Malloc() :-  void *malloc(size_t size)                                                         The function allocates the memory given to it and returns a pointer to the location where it is stored or NULL if it fails.
  • Free() :-  void free(void *ptr)                                                                     This function is used to deallocate the memory previously allocated by a calloc, malloc or realloc function. It doesn't return any value.              Certain things to Note here are :
    •  The Free functions doesn't clear the data which is allocated. It just makes that area available for storing data and new data overwrites the previous ones.
    • The pointer pointing to the location isn't deleted and will be reused for the next malloc() unless it is cleared by using *ptr=0. This is the vulnerability which is exploited in this method.
 Solution  :-
     The functions for booking a room and booking a suite seem a bit different.
on closer looking the function for booking a suite after decompilation using IDA pro.
    int book_suite()
{
  _DWORD *v0; // ebx@1
  char s; // [sp+1Ch] [bp-1Ch]@1
  int v3; // [sp+2Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  suite = malloc(264u);
  printf("Name: ");
  fflush(stdout);
  fgets(suite + 4, 256, stdin);
  *suite = print_name;
  printf("Suite number: ");
  fflush(stdout);
  fgets(&s, 16, stdin);
  v0 = suite;
  v0[65] = atoi(&s);
  puts("Booked a suite!");
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}     
 The size of the suite is declared to be 264 bytes , and the name of the person is stored from the fourth to the 260th byte. *suite which gives the first four bytes of suite since it is a 32bit program is used to store the address of the function print_name. The Suite number is converted into an integer and stored in the last four bytes of the suite object. On successfully creating the object the function prints "Booked a suite!".

On examining the book_room function.
               int book_room()
{
  int *v0; // ebx@1
  char s; // [sp+1Ch] [bp-1Ch]@1
  int v3; // [sp+2Ch] [bp-Ch]@1

  v3 = *MK_FP(__GS__, 20);
  room = malloc(260u);
  printf("Name: ");
  fflush(stdout);
  fgets(room + 4, 256, stdin);
  printf("Room number: ");
  fflush(stdout);
  fgets(&s, 16, stdin);
  v0 = room;
  *v0 = atoi(&s);
  puts("Booked a room!");
  fflush(stdout);
  return *MK_FP(__GS__, 20) ^ v3;
}
The room object is created using 260 bytes and the first four bytes is used to store the room number and the rest is used to store the name.

 In the delete booking function we find the vulnerablity we need to exploit.
int delete_booking()
{
  int v1; // [sp+1Ch] [bp-Ch]@1

  v1 = *MK_FP(__GS__, 20);
  if ( suite || room )
  {
    if ( suite )
    {
      free(suite);
      puts("Suite booking deleted!");
      fflush(stdout);
    }
    if ( room )
    {
      free(room);
      puts("Room booking deleted!");
      fflush(stdout);
    }
  }
  else
  {
    printf("No booking found!");
    fflush(stdout);  }
  return *MK_FP(__GS__, 20) ^ v1;
}   
After the free() the pointer isn't deleted which means we found our vulnerability .
So we know the location where the suite and room objects are kept. This is used to get the flag

On analysing the print booking function one can see that the first four bytes of the suite object which is suppossed to contain the address of the print name is being excecuted. This is the place where we need to have the adress of the flag function so that it gets excecuted.

int print_booking()
{
int v1; // [sp+1Ch] [bp-Ch]@1
v1 = *MK_FP(__GS__, 20);
if ( suite || room )
{
if ( suite )
{
(*suite)(suite + 4);
printf("Rooms number: %u\n", *(suite + 65));
fflush(stdout);
}
if ( room )
{
printf("Name: %s", room + 4);
printf("Rooms number: %u\n", *room);
fflush(stdout);
}
}
else
{
printf("No booking found!");
fflush(stdout);
}
return *MK_FP(__GS__, 20) ^ v1;
}

The only object which takes a input as the first five bytes is the room object there fore we need to excecute the suite statement while having a room object.

Steps to do to obtain the solution:
                                           book a suite providing theneccessary details and then delete it so that we will obtain the pointer to the location of the objects . Now proceed to book a room such that the room no which is the first four bytes will contain the address of the flag function. Now when you excecute the print booking function you excecute the flag function because now the print functon thinks that the object is a suite since the pointer points to the same location and the first four bytes get executed .

Posted by at No comments:

Sunday, 4 September 2016

RSA ENCRYPTION

RSA algorithm is used to encrypt data over the Internet by providing public keys for the data to different users.The RSA cryptosystem is the most widely-used public key cryptography algorithm in the world. It can be used to encrypt a message without the need to exchange a secret key separately.
             The algorithm is fully based on mathematics and is fairly simple to understand.

THE ALGORITHM:

  •  Two prime numbers p and q are generated.
  •  The Modulus N is found such that N=pq (N should be of required key length k)
  • phi= (p-1)*(q-1)
  • An Integer between 1 and phi is chosen to be the encryption key "e". This should be such that the HCF (e,phi) =1.
  • The Secret exponent "d" -> the decryption key is generated such that it follows 1 < d < phi  and that e*d (mod phi) =1   .
  • The message to be encrypted is converted to decimal and i represented by "M".
  • After encryption the cypher text is called "C". 
  • The public key given is (N,e)
  • Encryption is done according to the formula
                                 C=(M^e) mod (N)    --------------------------------------(1)
  • Decryption is done according to 
                                M=(C^d) mod (N)    ---------------------------------------(2)
  •  The encryption is said to be secure if the value of e is greater than 0x10001 or 65537.
  • k is usually 1024 , 2048

HOW TO DECRYPT:
  1. If only cypher-text C, modulus N and encryption key e is given. And e = 1
          If e=1 then the cypher-text C is the same numerical equivalent of the message cipher. One just needs to convert the Cypher-text back to text. This situation indicates failure of the Cypher and is a strict no-no case.

   2. If only cypher-text C, modulus N and decryption key d is given.
            This situation should only be dealt by the person for whom the message was intended any one else coming across this situation shows a complete failure of the usage of the encryption.

   3. If cypher-text C, modulus N, phi , decryption key d and encryption key e is given. And the numbers are big.
             The problem be solved using a simple python program which uses the equation (2) to solve the question. The code for the problem is given below with large numbers


N =43210326036290106251088810298667915702007744567467854988107937233622821671752930583378558808381197036542903396534337305723496107154050324953536530993744267386008120658910242143992656773360792182698142273761182047011119261779988377408208858109503177413194541524543447827777831409903664749520527375514748678462101261445039900408999429969510786960471887158957679337190091527913340383310225813322177657695256994315048270952315001100548949554323965404643005206732777361386623591544461533797263652780595639288158892122219626720481472616420118039436680647298714768071797941290307081010086729667552569828323354008441335674251

e =65537

c =37209877026138824302301697292319328185824059912506644719041273895972747926698556612194455367172368277268883774102719113194850674012999971337550561061697826458468363574428378679179721672530515881761949297613967812683948622068020382771205609975220407119022966600675469044732891210789248284410739482876937857726026431593283960162298707892143970513804892248370427455318472402011536095802255121284911517882268092785246985981687913310965628793178703498961617628661113277249071490584774764571170891391355080033791745662119139170834529306548644716069025161989103880671580075279656495472299747401794635781847901588156099495017

phiN = 43210326036290106251088810298667915702007744567467854988107937233622821671752930583378558808381197036542903396534337305723496107154050324953536530993744267386008120658910242143992656773360792182698142273761182047011119261779988377408208858109503177413194541524543447827777831409903664749520527375514748678461684001179681025836243272641520046001108394411608315423967170123709569701951917513847951924936347574671212789694222728087028519090194131250999358518159691864169187723815719657688598576820104123456547706995794001020837756695923476582226622677087727699446323459489485731800382017980557710365098279949382831681952

d=36745622940545343875759976434157197886755506358760982257308567037006074391719705315666781200065625116203199598633622026070492775743618607966652393996419663853350085914252797887742782661594880295499227386075929594641556658033207382848075073319786244161193801795105901007640174254798831863226544268004149920625395925259715625248417078457317167458592444532825039828013768181860349705192246622240475711133444054985367520564542488697167606480838294747710396401026533820191299116891186474240520253953309474166963956334430798860084072450328931700881244717326902973061667440442315315084591766881188371668945135391290476758145

m = hex(pow(c, d, N)).rstrip("L") #the third argument is mod with the first raised to the second
print m
 

   The program will give you a insight into how large numbers are used and how python solves them easily.


this are the few types of RSA that can be cracked the rest cannot be cracked easily by anyone . Bruteforcing can take a long time.
Posted by at No comments:

Thursday, 11 August 2016

HOW TO HACK INTO UBUNTU

PREREQUISITES:-

  1. The user name used in the computer 
  2. A basic knowledge of English (Yeah that's it!!!!) 
STEPS:

  1. Switch on the computer. Press either Shift or Escape to get to the grub shell.(It depends on the computer and varies as per the model and on the fact that if you have dual booted or not)
  2. Once you get the grub menu. Click on the Advanced Ubuntu Settings in the menu.
  3. In the Advanced Settings Menu you will see lot of options such as normal boot, recovery mode with various versions. Click on the recovery mode  option.
  4. After It reads all the File Systems for errors. It shows a menu where llot of options like resume noormal boot are displayed. Click on the one saying Root shell access.
  5. You will get a shell. Now type " ls /home"
  6. Type passwd username (substitute username with username in the computer)
  7. you will get a command to input your new UNIX password. Type it in. confirm the password.
  8. Once it says password changed successfully. type Reboot .
  9. Enter into the system using the new password.
ISSUES

If after typing the password you get a message saying password not authenicted just type in " mount -rw -o remount / "
and lo behold you get permissions to write in the drive. 
Posted by at No comments:

Monday, 8 August 2016

PYTHON MODULE :- REGULAR EXPRESSIONS MODULE

IMPORTING THE MODULE
  import re

ABOUT THE MODULE 
 It provides regular expressions matching that provided in Perl . It is used to perform actions on stings mainly. Certain special characters are offered new meanings in this module

 THE split() FUNCTION 
  it is used to split strings with multiple delimiters unlike the usual split function. 
    SYNTAX:-
   result=re.split(<delimiters> ,<>,<>,<buffer>,maxsplit=0,flags=0)
    REPORT:-
  The split() has the ability to split strings at points where it finds patterns (delimiters).It stores the result in form of a list.
for removing all characters other than alphanumeric, the METACHARACTER \w  is used . 
>>> re.split(r'[^\w]', 'toto"t"o/t!')
['toto', 't', 'o', 't', '']



SOME EXAMPLES 
>>> re.split('\W+', 'Words, words, words.')
['Words', 'words', 'words', '']
>>> re.split('(\W+)', 'Words, words, words.')
['Words', ', ', 'words', ', ', 'words', '.', '']
>>> re.split('\W+', 'Words, words, words.', 1)
['Words', 'words, words.']
>>> re.split('[a-f]+', '0a3B9', flags=re.IGNORECASE)
['0', '3', '9']
 


Posted by at No comments:

Sunday, 7 August 2016

FORMAT STRINGS 

NOTES:- 

  • ASCII string to control representation of variable
  • Variadic functions:- accept variable no of arguments
    • printf()
    •  fprintf()
  • format specifiers are given to format the output
    • %s,%d,%x are all common format specifiers 
  •  THEORY : When a variadic function accepts only one input buffer, we supply  the buffer with a format specifier which makes it look above it inthe stack for the arguments needed this causes the program to print information it never meant to print , which in a sense is a kind of error which can be exploited.
  •  
  • Numbers can also be give before the specifier to format the no of bytes of the output like
    • %5s
    • %10d
  • Direct parameter access
    • These can be used to access the reuired parameter directly.
    • syntax :: %5$d
  •  Using Direct parameter access requires the use of python mostly 
    • Using Python for printing the fifth address in the stack                                      python -c 'print "AAAA.%5$x"'| ./filename 
    • Using Python for program with command line arguments                                 ./filename $( python -c 'print "AAAA.%5$x"')       
  •  
Posted by at No comments:

Friday, 5 August 2016

How to SSH between two computers


step 1: install openssh severs and library using the command 
       sudo apt-get install openssh-server openssh-client 

step 2:  start an ssh server 
     sudo systemctl start ssh  #this is for ubuntu 16.04
    sudo service ssh start #other linux systems


SETTING UP THE SERVER (optional)

 step 3:  back up the config file in the ssh folder {~/etc/ssh}
    sudo cp /etc/ssh/sshd_config{,.bak}

step 4:open this an editor
 sudo nano /etc/ssh/sshd_config
   leave most of the things in this file. Certain things that can be done using this file is :
  • changing the port used for connection
  • check on the public and private keys
  • change the time for which u can log in
      

Posted by at No comments:

Wednesday, 27 July 2016

                     MBEC

lab1B

Report:-

On opening the file in IDA we see that in the main function a random value is passed to [esp+4] and that it calls a function test().

On viewing the test function we see that it is in fact a switch statement which depends on the difference between the value at [esp+4] and the input. 

On looking at the differences  between the default case and the other cases we find that the thing is there is a rand() in the default case. All cases then redirect to a decrypt function.

rand() :-  It returns a pseudo-random number in the range of 0 to RAND_MAX. Where RAND_MAX is a constant whose default value may vary between implementations but it is granted to be at least 32767.

Looking at the disassembly of the decrypt function you see that the letters a-z are stored in the stack and checks if the top value in the stack is zero. Then the strlen() gives the of a string which seems to be generated by the function.

Then the function proceeds to move into a loop in which [ebp-40] acts as the counter for the loop when the counter reaches the string length it exits the loop.

In the loop each of the characters is Xored with [ebp+8] which has the value of the argument of the function. While doing dynamic analysis it is seen that the string is almost the same each time. Then it seems that the final result is compared to the offset "Congratulations!".

Then if they are the same you proceed to get shell. Which is in fact the flag!!. 

Since xor is a reversible function when you xor the required output with the character converted you get the hex value 0x12 which is actually 18 in decimal.

So what you need to do is to give a input which is 18 less than the number passed in the main function.

 

Posted by at No comments:

Saturday, 23 July 2016


    MBEC - lab01/lab1A
 
Difficulty level: hard
 
Report:   On loading the binary in IDA one can see that in the main() there is a interesting  function called the auth().
     
 Auth() :-

  The function has a strcspn() at the beginning.

    strcspn() :- compares two string given as input and returns the position of the first character of string 1 which has a character of string 2 .         

   then it has a strlen() func. which stores the length of the string in eax. The function then checks if the length is greater than 5, if not then you lose.

 After that it runs a ptrace() function.

    ptrace() :- It checks all the processes the system runs and and returns  a value acording to the program being run.

This function is used to detect if GDB is being run and the program is debugged dynamically. It quits if it finds such processes happening.To bypass this security feature one can put a break point on the jump statement. And change the value of eax to something else , this does not affect the rest of the program as the value of eax is changed in the next statement itself.
The next node takes the fourth letter of the username and xors it with 4919 and adds a no to it. ebp-20 acts as the counter for the loops coming once it is greater than 6 it quits the loop.While in the loop the first node checks if the ACSII value of each of the letters of the username is greater than 31. Upon which the control moves to the next node. It takes each letter of the username then xors it with the value at ebp-16 ( which seems to be almost same for different inputs).


 
Posted by at No comments:
Subscribe to: Comments (Atom)