Reverse

Overview

The idea of a buffer overflow attack is quite simple, though the implementation might initially be difficult to digest. I am exploring this notion and visualising it in this article.

Mechanics

Imagine you have a job you don’t really like (I think most of us have had such an experience at least once in our life 😒). And also imagine that you are being highly underpaid. Your job is simple and ridiculous: place rabbits 🐇 into one set of boxes and foxes 🦊 into another. You happen to have 6 boxes 📦📦📦📦📦📦 for foxes 🦊 and 4 📦📦📦📦 for rabbits 🐇. However, you were given 4 rabbits 🐇🐇🐇🐇 and 7 foxes 🦊🦊🦊🦊🦊🦊🦊. So, one fox 🦊 doesn’t have its fox box 📦. However, there are also rabbit 🐇 boxes 📦 right nearby. So, even though you were explicitly told not to place foxes into rabbit boxes and vice versa, since you don’t give a shit, you put a fox into a rabbit box. What happens? One can only guess… 🤔. Long story short: the fox eats the rabbit, and now you have 7 foxes and only 3 rabbits 🐇. Alas! If only you’d followed the manual 📖…. Most likely, one would get fired after such a mistake, but we can’t fire the compiler: this is exactly what happens when the developer is not using a memory-safe language or wasn’t careful enough about the bounds of a buffer. Now, to the technicalities.

Binary Vulnerabilities And Exploits

In this article I will collect common binary vulnerabilities (except for the buffer overflow, which has its own dedicated article) … .

Apple Mach-O

Binary info

otool

Using otool we can get general info about the Mach-O file, starting with its header:

otool -h [app_name]

Mach header
      magic cputype cpusubtype  caps    filetype ncmds sizeofcmds      flags
 0xfeedfacf 16777228          0  0x00           2   115      11384 0x00218085

Quick reference on the meaning of the magic value:

32-bit (ARMv6, ARMv7) – 0xFEEDFACE
64-bit – 0xFEEDFACF
Universal (fat) binaries – 0xCAFEBABE

nm

nm WindTail/Final_Presentation.app/Contents/MacOS/usrnode

Lists the symbols of the binary, i.e. the APIs it uses (in this sample, for instance, SMLoginItemSetEnabled). Source: Wardle, Patrick. The Art of Mac Malware (p. 25). No Starch Press. Kindle Edition.

Exploit Development

Process

Steps Overview

  1. Fuzz and find unusual behaviour
  2. Detect any possibility to overwrite crucial parts:
    1. EIP
    2. SEH
    3. Access violations/invalid memory addresses
    4. etc.
  3. Hijack execution
  4. Eliminate bad characters
  5. Write a PoC: spawn a reverse or bind shell or a RAT, or move to other systems.

Bad Characters

All characters from 0 to 255 (decimal), represented in hex escape format like this: \x00\x01…\xff. The ones the target mangles or truncates are the bad characters that the payload must avoid.

📕 RTFM

mapstr=$(msf-pattern_create -l 1400)                  # generate a unique cyclic pattern
echo "POST "$mapstr | nc -nv 127.0.0.1 8080           # send it to the service under test (nc takes host and port separately)
msf-pattern_offset -q <part of mapstr seen in EIP>    # find the offset of the bytes that ended up in EIP

pwntools documentation: http://docs.pwntools.com/en/stable/index.html. An example of its use: https://www.megabeets.net/a-journey-into-radare-2-part-2/.

Process Memory Layout

Intro

At the very beginning of my career I found it hard to grasp the notion of memory layout and the stack. Even after reading about it several times, it didn’t feel solid. That’s why I drew, drew and drew, because my mind prefers pictures, analogies, metaphors and examples! So, I’ve made this. Maybe someone finds it useful.

Picture

Metaphor and Analogy

I was thinking about a good metaphor, but this was the extent of my imagination… Let’s say some weirdo (let’s call him Gargaralian) is piling up all the boring books he has 📚 under the table because the apartment is too small and the luxury of having a bookcase is not an option available to him. Besides, the table is a little loose, so that pile of books could serve as a fifth leg. Something like that:

Compilation and Linking 🔗

In this article I am trying to research the compilation and linking process.

Terms

.cpp - a human-readable source file written in a programming language, in this example C++. An example of such a file (meaningless, for simplicity’s sake):

#include <iostream>
using namespace std;

int main()
{
    int a, b, c; // locals declared only so there is something to compile; never used
    return 0;
}

.obj, .coff - a binary file with its own structure. One file of source code (*.cpp) is compiled into one .obj or .coff file. It consists of sections; a symbol table (the name and current location of each variable or function that can be referenced by other object files); a relocation table (the addresses referenced in this file that the linker must adjust once it knows the final memory layout); and debug info. Its layout is: a header that says where in the file the sections below are located; a (concatenated) text segment, which contains all the compiled code (with some addresses still missing); and a (concatenated) data segment (which combines all the data and bss segments).

Exploit Development Env

This is about … .

The Lord of the Apple: The Return of the iPhone

📆 22/08/2021, Sunday, ☁️

🕰 11:21 AM.

It was a cloudy Sunday morning. I was sleeping peacefully till 8:45 AM when my daughter started crawling all over me and my husband, asking whether I was awake already… . Well, now I am, darling, many thanks 🤦🏻‍♀️! After having a delicious breakfast (eggplants with home-made tomato sauce, yummy 😋) and getting the kitchen back to a clean state (it’s very hard to keep it that way), I decided to finally repair my little old fellow iPhone 7. Several weeks ago I went on vacation to Cyprus and broke the rear camera glass and the screen as well, because I somehow managed to drop the phone on the pavement 3 ❗️times! To be honest, these were not the first times my iPhone met some surface harder than my palm, so it’s a miracle this had not happened before.

To Carry Out MockInv'estigation. Part 2

📆 16/06/2021, Wednesday

🕰 09:21 PM.

I had a 7-day license of Magnet AXIOM and decided to try this tool and compare it with the others I had. In May-June 2021 Magnet held a great and very valuable event, the Magnet SUMMIT, with lots of useful webinars and workshops. One of them was a case study using Magnet. I am going to follow these steps and study another way to solve a crime.