[adam@localhost code]$ ./secret
Usage: ./secret password
[adam@localhost code]$ ./secret abc123
ERROR: Incorrect password
[adam@localhost code]$
Well, crap. What to do? Let's have a look at which library functions the binary imports:
[adam@localhost code]$ nm -D secret
w __gmon_start__
U __libc_start_main
U printf
U puts
U strlen
U strncmp
If only we knew what parameters were being passed to strncmp... Oh wait, this is a tutorial:
Creating our own strncmp:
[adam@localhost code]$ cat load_me_first.c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>   /* prototype of the strncmp we are replacing */

/* Same signature as libc's strncmp, so when this library is LD_PRELOADed
 * ahead of libc the dynamic linker binds the target's strncmp call here. */
int strncmp(const char *cs, const char *ct, size_t count){
    (void)count;      /* unused: we only care about the two strings */
    printf("[ Non-official strncmp hit ]\n"
           "\tcs = %s\n"
           "\tct = %s\n",
           cs, ct);
    /* Bail out after the first comparison; we only wanted the secret. */
    exit(0);
}
Compiling the object:
[adam@localhost code]$ gcc -shared -o load_me_first.so -fPIC load_me_first.c
[adam@localhost code]$ ls -la *.so
-rwxrwxr-x. 1 adam adam 8065 Nov 10 22:58 load_me_first.so
And finally calling using LD_PRELOAD:
[adam@localhost code]$ LD_PRELOAD=./load_me_first.so ./secret "if only this was the password"
[ Non-official strncmp hit ]
cs = qwerty
ct = if only this was the password
[adam@localhost code]$
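The hook above exit()s on the first hit, which is fine for a one-shot check but hides any later comparisons and the program's real behaviour. Below is a more useful version, added here as an example and not code from the original post: it logs every strncmp call and then forwards to the real libc strncmp (looked up with dlsym(RTLD_NEXT, ...)), so the target keeps running. The names hooked_strncmp, hook_call_count, hook_last_cs, hook_last_ct, remember, real_strncmp and the file name log_strncmp.c are my own choices, not anything from the post or from libc.

```c
/* Added example, not from the original post: a forwarding LD_PRELOAD
 * strncmp hook. Build and run (file/library names are assumed):
 *   gcc -shared -fPIC -o log_strncmp.so log_strncmp.c      (add -ldl on glibc < 2.34)
 *   LD_PRELOAD=./log_strncmp.so ./secret guess
 */
#define _GNU_SOURCE           /* glibc needs this for RTLD_NEXT */
#include <dlfcn.h>
#include <stdio.h>
#include <string.h>

typedef int (*strncmp_fn)(const char *, const char *, size_t);

/* Bookkeeping a caller can inspect (hypothetical names, not a libc API). */
static size_t hook_calls;      /* how many times the hook has fired   */
static char   last_cs[256];    /* copy of the most recent cs argument */
static char   last_ct[256];    /* copy of the most recent ct argument */

/* Copy at most dstlen-1 bytes and always NUL-terminate. The hooked program
   may hand us unterminated buffers or NULL, so never trust src blindly. */
static void remember(char *dst, size_t dstlen, const char *src)
{
    size_t i = 0;
    if (src)
        for (; i + 1 < dstlen && src[i] != '\0'; i++)
            dst[i] = src[i];
    dst[i] = '\0';
}

/* Resolve libc's strncmp once. RTLD_NEXT means "the next object after the
   caller in lookup order", i.e. the library our preload displaced. */
static strncmp_fn real_strncmp(void)
{
    static strncmp_fn real;
    if (!real)
        real = (strncmp_fn)dlsym(RTLD_NEXT, "strncmp");
    return real;
}

/* The interposer's body, callable by name so it can be exercised directly. */
int hooked_strncmp(const char *cs, const char *ct, size_t count)
{
    hook_calls++;
    remember(last_cs, sizeof last_cs, cs);
    remember(last_ct, sizeof last_ct, ct);
    fprintf(stderr, "[ strncmp hook ] count=%zu cs=\"%s\" ct=\"%s\"\n",
            count, last_cs, last_ct);

    strncmp_fn real = real_strncmp();
    if (!real) {
        /* dlsym failed: compare ourselves so the target still gets a
           correct answer instead of crashing on a NULL function pointer. */
        for (size_t i = 0; i < count; i++) {
            unsigned char a = (unsigned char)cs[i], b = (unsigned char)ct[i];
            if (a != b) return a - b;
            if (a == '\0') return 0;
        }
        return 0;
    }
    return real(cs, ct, count);
}

/* The exported symbol the dynamic linker binds the target's PLT entry to. */
int strncmp(const char *cs, const char *ct, size_t count)
{
    return hooked_strncmp(cs, ct, count);
}

size_t      hook_call_count(void) { return hook_calls; }
const char *hook_last_cs(void)    { return last_cs; }
const char *hook_last_ct(void)    { return last_ct; }
```

Two caveats worth knowing before reaching for this trick. It only works because nm -D showed strncmp as an undefined (U) symbol, i.e. the binary calls libc's copy through the PLT; a statically linked binary, or one whose compiler inlined the comparison, never goes through the dynamic linker and the hook never fires. And the dynamic linker ignores LD_PRELOAD (and LD_LIBRARY_PATH) for setuid/setgid programs, so it is not a route to interposing on privileged binaries.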
Whayy. We can see that the user's password is being compared against "qwerty"; we would never have been able to brute-force that!
[adam@localhost code]$ ./secret qwerty
(cowsay ASCII art, mangled by extraction)
Cow trying out for a part
in the new JAWS movie
(p.s. This is not the answer for Don't forget to return!)