Sunday, November 30, 2014

Git Commit with GPG Key

Preface

Creating a commit in Git is easy, it can be done by "git commit", and the author (name and email) is set by a parameter of this commit or by reading the setting from "~/.gitconfig"

Method 1: set the author in command parameter

$ git commit -am "bug fixed" --author="Author Name <email@address.com>"

Method 2: reading the user setting

$ git config --global user.name "Heron Yang"
$ git config --global user.email heron@heron.me
However, there's no way to guarantee the author is the person with right permission. So GPG is introduced here.

GPG Design Explain

It's also applying public-private key pair design like ssh-keygen. Normally, the author generates a pair of keys, which are public key and private key. It's okay for him to share out the public key, and that allows the other people to create encrypted content for this author by using the public key. However, no one can decrypt the content unless he or she has the private key.
So, by sharing the public and holding the private key on your machine allows the user to be recognised and certificated.

Git Command with GPG Key

Therefore, if we want to create a Git commit with certification, we should make Git work with GPG. Here's the steps (one should install GPG before starts):

A. Generate key pair

$ gpg --gen-key #few questions will pop up, lease your name/email/passphrase, and pick default for others

B. List generated keys

$ gpg --list-keys # list your keys
pub   2048R/xxxxxxxx 2014-11-30
uid       [ultimate] Heron Yang (genrate gpg) <heron.yang.tw@gmail.com>
sub   2048R/yyyyyyyy 2014-11-30
$ gpg --list-secret-keys # list private keys
...

C. Add your GPG into Git Config

Put your xxxxxxxx into Git configuration by doing:
$ git config --global user.signingkey xxxxxxxx

D. Commit and See if it works

Commit like this way:
$ git commit -S
Check log:
$ git log --show-signature
commit 252aa0dd0643d86df16b93b509a6a15b95xxxxxx
gpg: Signature made Sun Nov 30 13:52:57 2014 CST using RSA key ID xxxxxxxxgpg: Good signature from "Heron Yang (genrate gpg) <heron.yang.tw@gmail.com>" [ultimate]
Author: Heron Yang <heron.yang.tw@gmail.com>
Date:   Sun Nov 30 13:52:51 2014 +0800
    test gpg

Reference

Monday, November 17, 2014

Alphanumeric Shellcode of EXEC("/bin/sh") without binsh/BINSH Characters

Abstract

This is one of the CTF tasks from "Secure Programming" course in NCTU.

Problem

Input: a string with following restrictions
  • Alphabets and Numbers only, which means: [0-9], [a-z], and [A-Z]
  • No "binsh/BINSH" characters
This string will be executed as machine code on the target server, which we call shellcode. So, we can guess that the program looks like this:


Workable Shellcode

First, let's ignore the restrictions first. We may need a test code to execute "bin/sh" successfully for further steps. And here's is it:

Also, by referring to the system call document, what we learn that the registers should be set before calling "INT 0x80":

  • EAX: 0x0b
  • EBX: Address of "bin/sh" string
  • ECX, EDX: 0x00 (optional)

Try: msfencode

cat shellcode.txt | msfencode BufferRegister=ECX -i sc.bin -e x86/alpha_mixed -t python -b 'binshBINSH'
This piece of code should give out our solution. However, the encoder returns error saying that it can't find the solution.

Write It on My Own

Since the existing encoder can't solve this problem, we now have to solve it on our own. The things we know so far:

Issue 1: Storing Arbitrary Value on Stack

  • PUSH a small random value into the stack
  • POP to ECX
  • DEC ECX to the wanted value
  • PUSH ECX
For larger wanted value:
  • PUSH a small random value into the stack
  • POP to EAX
  • XOR EAX, <value> (this may need to be done twice to gain the wanted value)
  • PUSH EAX
Notice:
  • the value for XOR should be calculated manually
  • pick ECX for DEC/POP/PUSH instructions under our initial restrictions
  • pick EAX for XOR (0x35 opcode)

Issue 2: Storing Instructions on Stack

There are some instructions not accepted in our input shellcode, so we somehow generate the instructions as data and push them onto the stack. By having "-fno-stack-protector -z execstack" option while compiling in GCC, we can execute the pushed instructions later.

Issue 3: Move EIP to Stack

  • EIP is in the stack and pointing to the current shellcode
  • ESP is where our instructions ("POP EBX", "INT 0x80") is pushed on
It will be easy if we call a jump instruction to move the EIP to ESP, then our instructions will be executed. However, we only have o8 (8-bit immediately) jump instructions, which is not long enough to jump to ESP.
Therefore, I popped the stack in order to increase ESP in the begin of the shellcode.
  • POP ESP for many times: increase ESP value
  • make ESP locates after (and close to) the end of our shellcode
  • call a small 8-bit jump to our stack (where "POP EBX", "INT 0x80" locate)

Solution

Here's my solution:
XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRYQj0X5JCCX5Ul00Pj0X5JRYY5U007PTj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRX5CG005q800Pj0X5kOOOPPj0ZJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJJRXJJJJJJJJJJJDDDDDDDDDDDDu0

And, the details are in my Github repo.